Posts tagged plugins

Best Security Practices for WordPress

Don't look surprised when your WordPress site is hacked. Is WordPress security so weak?

No, not really. It's just popular, and as such there are more vectors to attack its security. Still, as a heavy WordPress user I can give you some good tips to keep your site secure. I'll divide this into setting up the site and securing the site: one you should only need to do once, the other is best kept ongoing. I'm also assuming that your server is set up correctly and secured, that your WordPress is up to date, and that your computer is secure as well. If those are good, then what I say below will keep you 99% safe!

Secure on Setup

  • In wp-config.php, when you install, set $table_prefix = 'whateveryouwant'; to a random string! – This will stop MySQL injections that target the default wp_ table prefix (if WordPress is already installed, use something like phpMyAdmin to go into the database and change the prefix there, and then add it to the wp-config.php file).
  • In wp-config.php, under define('WP_DEBUG', false); add define('DISALLOW_FILE_EDIT', true); – This disables editing of PHP files from inside the WordPress admin. Most people don't edit them there anyway (I just log in with SFTP and edit directly), so people trying to exploit the site will have more difficulty doing so.
  • Use a strong password – I know it's silly to say, but a strong, unique password with lots of letters, numbers and characters is always a good thing.
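One way to check that the two wp-config.php steps above are actually in place, as an added example that is not part of the original post. The function names and both sample files are constructed for illustration, and the check is regex-based rather than a real PHP parser.

```python
import re

# Constructed sample: a fresh install with none of the steps applied.
SAMPLE_DEFAULT = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', true);
"""

# Constructed sample: the same file after the two wp-config.php steps.
SAMPLE_HARDENED = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix  = 'k7q2x9_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
"""


def strip_comments(php):
    """Remove /* */ blocks and whole-line // or # comments, so a
    commented-out setting is not mistaken for an active one."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", php)


def read_constants(php):
    """Return {NAME: value} for simple define('NAME', value) calls."""
    pattern = r"define\(\s*['\"](\w+)['\"]\s*,\s*([^)]+?)\s*\)"
    return {name: value.strip("'\"").lower()
            for name, value in re.findall(pattern, php)}


def audit(php):
    """Return a list of findings; an empty list means nothing to fix."""
    php = strip_comments(php)
    findings = []
    match = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    if match is None:
        findings.append("table_prefix: not set")
    elif match.group(1) == "wp_":
        findings.append("table_prefix: still the default wp_")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", match.group(1)):
        # wp-config-sample.php asks for numbers, letters and underscores only.
        findings.append("table_prefix: use only letters, numbers and underscores")
    constants = read_constants(php)
    if constants.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT: not enabled")
    if constants.get("WP_DEBUG") == "true":
        findings.append("WP_DEBUG: enabled")
    return findings


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(sample) or "OK")
```

To run it against a real install, pass the contents of your own wp-config.php to audit() instead of the samples.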

On First Login

  • Log in with your default admin account, create a new account with admin privileges and then delete the old admin account – This prevents login requests or brute-force attempts that go directly to account number 1 or the admin account.
  • Disable user registration: go to the options panel and disable user registration – If you don't intend for other users to post, there is no point in allowing registration.
  • Install only the plugins you need – Only keep the plugins and themes that you need; even if disabled, they could be used

Security Plugins to Install

  • BruteProtect or Login LockDown – To prevent login attempts and brute-force attacks (or alternatively find a two-step authentication plugin).
  • Install a Clean Theme – Make sure you get a nice free theme from WordPress.org or a paid one from a good provider and keep it up to date. The more complex the theme, the more likely it will have code that might become insecure, so get a good one and keep it updated.
  • Advanced Automatic Updates – Will keep your WordPress install and plugins up to date!
  • Akismet – It comes with WordPress for a reason: before it, WordPress comments were horrible and plagued with tons of spam.

Extra!

  • Please pleassseeee make backups. Don't trust your webhost, make your own, that's the only true way of being 100% secure. Use a plugin for it; I like BackUpWordPress and Keep Backup Daily, but any you like will do!
  • Use Cloudflare or Incapsula – These give plenty of extra features, like a CDN, but they also filter and protect your traffic from a lot of nasty stuff on the web.
  • Wordfence or Better WP Security – If you want heavier security. It's totally optional, and in my opinion if you are well locked down they don't add anything!
  • Use .htaccess to lock down wp-admin if you are the only user. Search for this on Google, plenty of sites explain it.
  • Use the WordPress Jetpack plugin. It protects you from some security flaws and it will help with automatic plugin installs, plus a ton of other things.
  • Use MxToolbox or Sucuri SiteCheck to check if your site has been exploited!

The best rule of all is to be prepared for the worst: have backups and check from time to time to see if your site is up to date and everything is running fine. Most of these are automated, but it's best to always keep an eye on things, and if everything breaks just clean everything and put back a backup 🙂

WP Super Cache Vs W3 Total Cache Vs WP Fastest Cache Vs Hyper Cache Vs Quick Cache Vs Wordfence Security

Yes, I know, plenty of WordPress cache plugin comparison posts. But I went around checking those and most are just a matter of opinion and taste or had some good data on performance both on the frontend and the backend of WordPress. My sites tend to have some optimisations built in, mostly on the server, so even without a plugin there is some caching going on both in PHP and MySQL, as well as using nginx as a reverse proxy for the static files.

So I went ahead and made a basic WordPress site with one of the official themes and some random content, good enough. Then I checked some of the memory consumption and speed inside WordPress with the P3 Plugin and used GTmetrix and Google Pagespeed to check the performance on the page. I also checked server side, but as far as I can tell none of the plugins used enough resources to be significant. So what are my findings:

Performance Comparison of WordPress Cache Plugins

| Cache Plugin | Memory (sec) | Speed | Size (KB) | Requests | Pagespeed |
|---|---|---|---|---|---|
| No Plugin | 0 | 5.49 | 965 | 32 | 75/100 |
| WP Super Cache | 0.084 | 5.0 | 962 | 33 | 75/100 |
| W3 Total Cache | 3.6 | 11.33 | 965 | 33 | 75/100 |
| WP Fastest Cache | 0.083 | 4.7 | 757 | 30 | 90/100 |
| Hyper Cache | 0.008 | 5.0 | 961 | 32 | 75/100 |
| Hyper Cache + Autoptimize | 0.097 | 6.7 | 690 | 24 | 90/100 |
| Quick Cache | 0.04 | 4.93 | 961 | 32 | 75/100 |
| Quick Cache + Autoptimize | 0.1 | 5.44 | 696 | 24 | 91/100 |
| Wordfence Basic | 0.15 | 6.97 | 965 | 33 | 75/100 |
| Wordfence Falcon Engine | 0.14 | 5.63 | 762 | 34 | 90/100 |

Notes: I've added Autoptimize to the cache plugins that don't have the ability to combine and minify code, to see if it helped. Also note that all of these results besides Pagespeed are averages; I ran each test 3 times to make sure. GTmetrix does use random servers to check, so the speed part can be a bit off. Don't take it literally: the size and requests, as well as the overall Pagespeed ranking, are more important for true performance. Yes, I know I could have used a fixed server, but I wanted a more normal usage scenario.

No Plugin

Like I said above, by default my sites work and cache well enough to rate a standard 75/100 on Pagespeed. Enabling gzip by default and other small WordPress tweaks help too. Still, it's only here as a reference point; of course most WordPress sites would rate a bit lower.

WP Super Cache

I've used it a lot in the past. Still, I've moved on to other cache plugins because it's a bit like W3 Total Cache: with time it has become less user-friendly. Of all the plugins it was the most troublesome to turn on and to turn off (it leaves a lot of stuff behind), and with default settings it didn't cache much. One of the reasons I left was also that sometimes updates would kill my sites. It's still a standard, but I think it's not good enough anymore.

W3 Total Cache

This one is WP Super Cache on steroids. I'm sure it's awesome since it has everything and then some, and although it's a bit easier to set up than it used to be, it's kinda one that needs a lot, I mean A LOT, of pampering. It should only be used on large sites and sites where you control the server side and can enable the caches that W3 will use. Also, in my test and with default settings on, it clearly was the worst plugin of them all, probably 'cause I should have changed something somewhere.

WP Fastest Cache

Although this plugin kinda broke a part of the WordPress backend (probably some CSS out of place), it was one of the most complete and simple plugins, and you can see that it did a pretty good job and I didn't even enable all the functions. It incorporates pretty much everything you expect in a small package. However, 2 things keep me from using it: first, there is no control over the HTML/JS/CSS minify, and from my experience most of my sites would break if I can't tweak this (Autoptimize does give you that control); the second is that the panel tries to ping ipinfo.io, and I don't like plugins that do stuff like that.

Hyper Cache

The one I'm currently using on most of my sites. It's simple, clean and to the point, and as you can see it does its job, besides one nagging issue: when the plugin or WordPress updates, the plugin seems to stop working and you get the "You must save the options since some files must be updated." message. Still, unlike WP Super Cache, the site doesn't stop working, so it's a safe and good plugin with very low memory consumption.

Quick Cache

I like this one. It has a nice panel, it's simple and it worked just fine. Still, some of its best features are hidden away for a premium package and, well, that makes it underperform. I would understand if these features were more high-end stuff like using CDNs or tweaks around the server side, but things like minify should be part of the basic feature set, and as such this plugin is comparable with Hyper Cache but with more resource usage.

Extras to Consider

Wordfence Security

It's mostly a security/firewall plugin for your site that also has a caching plugin built in, so why not try it out. It has 2 settings, so I tried them both, the basic and their so-called Falcon Engine. I did see an improvement and it worked fine. Still, it's of course a much bigger plugin that does a lot of things besides the caching, but if you are looking for both a security plugin and a cache plugin, this might be good for you.

Autoptimize

It's a plugin that minifies HTML/CSS/JS and combines it. It can do it in the head or move those scripts to the end of the body to help the page load. It's also very flexible, and you can skip files or tweak it so it doesn't break your site. Some of the other plugins had these features or part of them, but this plugin gives you complete control and as such is a nice combination with other caching plugins.

So what was my choice?

I'll keep using Hyper Cache. It works well, the feature set is good enough and it doesn't break my site ever. When I need to give a bit more I add Autoptimize, or if it's on Cloudflare I just tweak the HTML/CSS/JS from there. It was my choice about a year ago when I moved away from WP Super Cache, and as far as I can tell it still was the best choice.

Moving away from W3 Total Cache back to WP Super Cache

Yeah, more WordPress plugin talk, but since 1/3 of all S2R sites are powered one way or another by WordPress, it's kinda something I deal with. So why am I moving away from the caching wonder kid W3 Total Cache to the old-school WP Super Cache? Well, mostly after a few weeks of testing, I found that although both do an excellent job there are some basic strong points and weak points on both of them:

W3 Total Cache

  • Strong Points: Loads of Options, Good Control Panel, Good Performance
  • Weak Points: Doesn’t have a Good Basic Default Setting

WP Super Cache

  • Strong Points: Keeps it Simple, Good Control Panel, Good Performance
  • Weak Points: For this case, none

Soooo, what does this mean? First, it means both are really good, but also that even after a lot of tweaking and reading a lot about its settings, it's still a difficult process to push W3 Total Cache to use its potential. I have several different servers with different software running (Apache and Nginx, with different plugins and caching addons), and W3 Total Cache kinda feels a bit hit and miss: sometimes it's wonderful, sometimes it isn't, while the "Keep it Simple Stupid" approach of WP Super Cache always brings good performance.

Also, given the fact that I tend to make tweaks and improve the code and performance of both the sites and the server, WP Super Cache kinda gives me the best combination of rock-solid performance and ease of use, while with W3 Total Cache I have to worry about a lot of different things to have it work properly. So therefore I'm moving away from W3 Total Cache to WP Super Cache ^_^'

Comparison of WordPress SEO Plugins

I've had my fair share of problems and gripes with SEO on WordPress, especially with the "All in One SEO Pack"; you can check it out in Alternative to All in One SEO Pack ^_^

So that was like a year ago. Nowadays there are loads of plugins that do what I want or part of what I want. However, 'cause there is no point in testing 20 plugins, I'm narrowing it down, so for this review I'm choosing just plugins that have a minimum set of features that I need (like meta tags in the head, canonical URLs,…), that have been updated recently (last 3 months), that aren't on the first version (at least a couple of updates under the belt) and that have a control panel. Also, I've tested all these plugins for obvious misleading or security leaks; at this moment they have none that I can see (actually one has, sorry, made this intro before the testing hehehe).

WordPress SEO by Yoast

  • Specs: 98kb zip / Average Rating on WordPress: 5 stars
  • Pros: it's enabled by default, nice detached admin page, explanations with loads of options, quite a few added features (like authentication for Google Webmasters or breadcrumbs, both nice but not necessary for SEO), ability to import from several other SEO plugins.
  • Cons: inserts more junk into the site's header, including the plugin version number, than any other plugin in this list, quite a few irrelevant options/features.
  • Hummmm: Looking good, and it makes "All in One SEO Pack" look like amateur hour. It has almost the same amount of junk and promos but done nicely and cleanly, and it's pretty well organized. If it wasn't for all the junk inserted into your site's header, it would have been a really high contender.

SEO Ultimate

  • Specs: 490kb zip / Average Rating on WordPress: 4 stars
  • Pros: huge amount of features (19 different modules), modular system (you can activate and deactivate features you want).
  • Cons: it's not enabled by default, some of these feature modules are just a one-option affair, others offer features that are good for SEO research but that are not needed as a WordPress plugin (there are better tools and sites and ways to get that info), some modules seem incomplete, Exploit Scanner gave 3 severe warnings with SEO Ultimate (obscured links and dropping tables).
  • Hummmm: holy jesus, if Greg's High Performance SEO is overkill, then SEO Ultimate is trying to live up to its name by being ULTIMATE!!!! I would say that it could be a pretty nice companion to another SEO plugin (by deactivating the modules with duplicate or irrelevant functions). Still, it's the only one that gave security warnings, so with alternatives around, I would stay away.

Greg’s High Performance SEO

  • Specs: 212kb zip / Average Rating on WordPress: 4.5 stars
  • Pros: simple, clear and very instructive admin page, loads of functions and explanations.
  • Cons: ads directly on your admin page (from pluginsponsors.com), complex to set up, and to be 100% efficient it needs to be hardwired into the theme, it's not enabled by default.
  • Hummmm: high performance or not, this is a case of overload. SEO is just a small part of a website's performance and it's not even the most important by far; a site with no SEO but with high-quality content, performance and promotion will always win. This plugin is too much, and tweaking too much of SEO might do more harm than good. This one is for the uber tinkerers.

Platinum SEO Pack

  • Specs: 137kb zip / Average Rating on WordPress: 4 stars
  • Pros: enabled by default, basically same feature set as “All in one SEO Pack”, clean detached admin page, ability to migrate from “All in one SEO Pack”.
  • Cons: still some junk on the site header including plugin version number (still a bit less than “All in one SEO Pack”).
  • Hummmm: I'm impressed by not being impressed. Platinum SEO is basically "All in one SEO Pack" without the shitty stuff, sooo pretty good ^_^

SeoPress

  • Specs: 435kb zip / Average Rating on WordPress: 4 stars (taken from their previous name)
  • Pros: ahhhhh…
  • Cons: not enabled by default, huge amount of pages, complicated and confusing as hell, lots of functions are not available, while having lots of links to the pro version.
  • Hummmm: this one is supposed to be good with BuddyPress and WordPress MU, but in hindsight I'd rather have no SEO than whatever this is. So no pros, only cons; actually the only SEO plugin in this pack that I would stay away from like it was the black plague.

All In One SEO Pack

  • Specs: 176kb zip / Average Rating on WordPress: 4 stars / Most Popular SEO Pack
  • Pros: Loads of features, default selection of options is good.
  • Cons: It's not enabled by default, huge amounts of junk and links and banners on the admin page, weird options, inserts junk into the site's header including the plugin version number.
  • Hummmm: I used to like it, but I think with time "All in One SEO Pack" has degraded itself. You can promote other stuff and still keep yourself useful and practical; the main fold doesn't even have any options, it's just ads and shit. Also, some of the options and functions are not that useful in SEO or even practical.



Conclusion and What are you going to use?

Hummm, this one is a big thought, but I would say the clear winners and real All in One SEO alternatives are WordPress SEO by Yoast and Platinum SEO Pack, but for different reasons. If you want a clean, simple SEO option for WordPress I would go with Platinum SEO Pack, it has everything you need. But if you want a bit of an edge, more options and a better understanding of the features, then I would go with WordPress SEO by Yoast.

S2R is officially moving all their WordPress sites from All In One SEO Pack to Platinum SEO Pack, mostly 'cause I don't need the extra features that WordPress SEO by Yoast offers and I don't like the added junk that WordPress SEO by Yoast adds to the site header.

Alternative to All in One SEO Pack

Well, we do have a lot of WordPress installs (not only for blogging, WordPress has come a long way and it's almost at the point of becoming a full-fledged CMS like Drupal or Joomla), so having a good SEO pack to take care of the little tidbits of SEO is almost mandatory. So using the 2nd most popular WordPress plugin, "All in One SEO Pack", seems like a no-brainer. That is… it used to be. Now more than ever it's a nuisance, and it has moved from a very simple, helpful plugin to a major bloated beast filled with plenty of idiotic choices, and I'll gladly name a few:

1. Constant Updates. Ohhh, I'm all for updates, but come on, put it all in a bigger update instead of pushing the equivalent of nightly builds. Unless it's a security risk (which I have my doubts about, with this kind of plugin), it should be pushed with big updates. I guess they do this because of my second gripe…

2. When Updating they Deactivate the Script. Yep, you activate it on the plugins page, but you always have to go to the plugin itself to activate it. That's just moronic and abusive, pushing ads/promotion/donations, jeez

3. Bloated or Useless Functions. Stuff like pushing added keywords on single posts/pages is not only pretty much useless these days, but it's kinda promoting keyword stuffing. Using excerpts as descriptions, talk about added bloat…

4. Adding Idiotic Stuff to the code in the head, like…

<!-- All in One SEO Pack 1.6.7 by Michael Torbert of Semper Fi Web Design -->

Not only is it bloat to the code, but it also announces the freaking version, so if there is a security problem… yayyy
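A check for the version announcement described in point 4, as an added example that is not part of the original post: it scans a page's HTML for comments that name a product together with a version number, so you can see what your own site's head gives away. It goes one step beyond the post by also covering the generator meta tag; the sample head and all names are constructed, apart from the quoted plugin comment.

```python
import re
from html.parser import HTMLParser

# Constructed <head>; only the first comment is quoted from the post.
SAMPLE_HEAD = """<head>
<title>Example blog</title>
<!-- All in One SEO Pack 1.6.7 by Michael Torbert of Semper Fi Web Design -->
<meta name="generator" content="WordPress 3.0.1" />
<!-- /all in one seo pack -->
</head>"""

# A product name followed by a dotted version number, e.g. "Some Plugin 1.6.7".
NAME_VERSION = re.compile(r"([A-Za-z][\w .'-]*?)\s+v?(\d+(?:\.\d+)+)\b")


class VersionLeakFinder(HTMLParser):
    """Collects (where, product, version) for every version found in the markup."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def _record(self, where, text):
        match = NAME_VERSION.search(text or "")
        if match:
            self.leaks.append((where, match.group(1).strip(), match.group(2)))

    def handle_comment(self, data):
        # HTML comments such as the plugin banner quoted in the post.
        self._record("comment", data)

    def handle_starttag(self, tag, attrs):
        # <meta name="generator" content="..."> tags (an addition to the post).
        attributes = dict(attrs)
        if tag == "meta" and (attributes.get("name") or "").lower() == "generator":
            self._record("meta generator", attributes.get("content"))


def find_version_leaks(html):
    """Return the list of version disclosures found in the given HTML."""
    finder = VersionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.leaks


if __name__ == "__main__":
    for where, product, version in find_version_leaks(SAMPLE_HEAD):
        print(f"{where}: {product} {version}")
```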

So as of now we are moving all of our WordPress installs from using the "All in One SEO Pack" to HeadSpace 2 and Platinum SEO Pack ^_^.oO( to see who performs better)

UPDATE: After a year I've done a more thorough Comparison of WordPress SEO Plugins heheheh and yes, we do have a winner ^_^