2. Contact - Social Media
• MitchPopilchak
– Twitter
– Facebook
– LinkedIn
– Instagram
– Google+
– About.me
MitchPopilchak@gmail.com
3. Why?
• Why do you have a site?
• What do you want your visitors to do or
experience on your site?
• What is your call-to-action?
• Are people signing up for your updates?
• What would make your site a success?
4. What affects your ranking? Speed!
• Hosting
• Theme
• Images
• Plugins
• Sliders
• CDN
• DNS
• Registrar
5. Hosting – Premium Wordpress
• WPEngine.com
• Websynthesis.com
• Getflywheel.com
• $30 to $250/month
• GoDaddy – WP only $10/month – 1 site
• Media Temple – WP only $30/month – 3 sites
11. Images
• Size
• Naming
– dsc_1234_03062014.jpg
– glenmore_audi_A8_interior.jpg
– Alt and Name ‘tags’
• WP Smush.It
• Simple Image Sizes
12. My Plugin Selects
• Akismet
• CommentLuv
– Disqus or LiveFyre
• Google Analytics for Wordpress (Yoast)
• Wordpress SEO (Yoast)
– Use all the settings!
• Optimize Database after Deleting Revisions
• Swiftype Search
• Relevanssi
• Gravity Forms
• Contact Form 7
13. My Plugin Selects
• Better WP Security
• Wordfence Security
• Sucuri Security
• Alpine PhotoTile for Instagram/Pinterest
• Easy Recipe Plus
• Redirection
• Shareaholic
• nRelate
• BackWPup
• W3 Total Cache
• Wp Super Cache
• Minify
14. Install and Remove
• P3
– Plugin Performance Profiler
• Theme-Check
– Tests your theme for vulnerabilities and bad code
• Remove all unused themes and plugins!
• Update your plugins regularly please!
15. How many plugins?
• Too many can slow down your site
• Avoid the shiny plugin syndrome
• Plugins add code – limiting the # of plugins
limits potential security holes
• Shared hosting is not a friendly environment
for a site with lots of plugins
16. Fun for me vs Good for the user?
• Plugins make our lives easier
• So before you add another plugin ask yourself
– Do I need the functionality or ‘want it’?
– Will it help my readers?
– Will my business/site grow by adding it?
• Paid or Free????
17. Sliders – good or bad?
• No one uses them
• They slow down your site, which is bad for SEO
• They create excuses for sparse content and thus, bad SEO
• They create excuses to use Flash (what?!)
• They force users to scroll to find the point of your website
• They look like advertisements so people ignore them
• Moving objects are too hard to focus on
• They ignore a user’s need for control and self-paced reading
• They lessen the importance of what really matters
• They give users too many options, which makes it harder to make a choice
• They lower conversion rates
(https://managewp.com/slider-alternatives)
23. Backups – easy peasy right?
• Install a plugin and you’re good to go!
• WRONG!
• Backing up your dB isn’t enough
• Disaster can strike at any time
• Backup your whole site (files) regularly
• Store the files in the cloud or on a thumbdrive
24. Backup Plugins
• WP Security
– Has manual and auto dB backup built in
• WP DB Backup
– Doesn’t work for me on GoDaddy
• BackWPup
• Wordpress Database Backup (database only)
• Wordpress Backup Plugin (files, images, plugs)
25. Backup
• Most plugins only ‘backup’ your dB.
• What about restoring?
– It can be a nightmare, trust me!
• Premium $$
– blogVault
– BackupBuddy
– VaultPress (real-time)
– SyncSage (local company)
26. Securing WordPress
• Remove the admin account
• Install the basic security plugins
• Remove unused themes and plugins
• Update WP, Plugins, and Themes regularly
• Have an admin user account for maintenance
• Have an editor account for posting
• Never display the “post” author name
28. Securing WordPress
• Connect via FTP? Switch to FTP-SSL or FTPS if
your hosting allows for it. Home or coffee
shop, it’s a good practice.
• When logging in to wp-admin from anywhere
but home/office, use an
editor/author/contributor account. Limits the
risk of interception of an admin account login.
29. Securing WordPress
• File Permissions (via ftp)
– CHMOD all files to 644
– CHMOD all directories/folders to 755
– CHMOD wp-config.php to 750
– CHMOD wp-content/ to 644 (777 for updates)
• Change the dB prefix from wp_ (WP Security)
• Use strong passwords, and not the same as
your gmail, etc.
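An added example, not part of the original slides: a shell function that audits a WordPress directory against the baseline above (files 644, directories 755, no access for "other" on wp-config.php) and flags anything world-writable, such as a 777 left in place after an update. The function names, the WP_ROOT variable and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress tree against the
# slide's permission baseline. Prints one finding per line; returns 1 if any.
audit_wp_perms() {
    root=$1
    findings=$(
        # Files: 644. wp-config.php is handled separately below.
        find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FILE-NOT-644 /'
        # Directories: 755.
        find "$root" -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
        # wp-config.php: the slide's 750 leaves "other" with no access,
        # so flag the file if any "other" bit is set.
        find "$root" -type f -name wp-config.php \
            \( -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/CONFIG-OPEN-TO-OTHERS /'
        # Anything world-writable, e.g. a 777 set for an update and never reverted.
        find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD-WRITABLE /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree (hypothetical layout) so the audit can be tried offline.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/site/wp-content/uploads"
    : > "$dir/site/index.php"
    : > "$dir/site/wp-config.php"
    chmod 755 "$dir/site" "$dir/site/wp-content"
    chmod 777 "$dir/site/wp-content/uploads"   # left open after an update
    chmod 644 "$dir/site/index.php" "$dir/site/wp-config.php"
    printf '%s\n' "$dir/site"
}

# Usage: WP_ROOT=/path/to/public_html sh audit.sh   (WP_ROOT is a name chosen here)
if [ -n "${WP_ROOT:-}" ]; then
    audit_wp_perms "$WP_ROOT"
fi
```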
30. Securing Wordpress (only for pros)
• Move your wp-config.php file
For example:
public_html/wordpress/wp-config.php
Can be moved to:
public_html/wp-config.php
• Move your wp-content directory
Once you have moved your directory you will need to make some adjustments to your wp-config.php file. Add the following lines:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content');
You may also need to define the new location for your plug-ins here by adding these lines to the file:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins');
31. Securing WordPress
• Create an .htaccess file in /wp-admin/
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
32. Securing WordPress wp-config.php
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'hr+t*O/I&B&J2nwMU44d');
define('SECURE_AUTH_KEY', 'j9drDhHcQ 2@ FXGXjj=');
define('LOGGED_IN_KEY', 'M)NxB1-IMrMOvzfUg&!m');
define('NONCE_KEY', 'DVHBzX!*IEcyJs wb/$I');
define('AUTH_SALT', '#3CGx3fk0RWgnk5598xt');
define('SECURE_AUTH_SALT', '5jRxpF=yV)@bwgDdWC9_');
define('LOGGED_IN_SALT', 'vTqj1RZ=y=-Nf#wg-aBW');
define('NONCE_SALT', 'hFW_D-R!$O2y)Xr*xm14');
33. Securing WordPress
• Use your google webmaster tools
• Check for keyword significance, crawl
errors, malware reports.
• If your keyword significance reports unusual
pharma, adult or similar spam words your site
likely has been hacked (cloaked).
• Fetch your site as a google bot (tools) and see
if your site is cloaked to appear different to
google bot.
34. Hacked?
1. Take down your site/blog
2. Why? Because most hacks are executed with
scripts that attach to many files in your site.
3. Just put up a maintenance page. Don’t
announce you have been hacked.
4. Run your security plugins? You installed them right?!
35. Hacked?
5. Change your WordPress, MySQL and
hosting/ftp username and password.
6. Check all your header and footer files for any
suspicious code, JavaScript, links, etc.
7. Happy it all looks ok/clean? Turn it back on.
8. If this fails to work, then it’s time for a clean
install. Got those backup files? Backup dB?
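An added example for step 6, not part of the original slides: a triage scan of every header.php and footer.php under a themes directory. The indicator list, the function names, the WP_THEMES_DIR variable and the sample theme are assumptions made for this example; a hit is a line to read by hand, not proof of compromise.

```shell
#!/bin/sh
# Added example (not from the slides). Indicator list chosen for this example:
# dynamic code execution, decode/inflate calls, iframes, script-written markup.
WP_SUSPICIOUS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|<iframe|document\.write[[:space:]]*\('

# scan_theme_files THEMES_DIR
# Prints file:line:text for each hit in any header.php or footer.php below
# THEMES_DIR. Returns 1 if anything matched, 0 if the files look clean.
scan_theme_files() {
    # /dev/null as an extra operand makes grep always print the file name.
    hits=$(find "$1" -type f \( -name header.php -o -name footer.php \) \
        -exec grep -E -i -n "$WP_SUSPICIOUS" /dev/null {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample theme: a clean header.php and a footer.php carrying one
# inert placeholder line of the kind the scan is meant to surface.
make_sample_theme() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/themes/demo"
    printf '%s\n' '<!DOCTYPE html>' '<?php wp_head(); ?>' \
        > "$dir/themes/demo/header.php"
    printf '%s\n' '<?php wp_footer(); ?>' \
        '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>' \
        > "$dir/themes/demo/footer.php"
    printf '%s\n' "$dir/themes"
}

# Usage: WP_THEMES_DIR=/path/to/wp-content/themes sh scan.sh
# (WP_THEMES_DIR is a name chosen here, not a WordPress setting)
if [ -n "${WP_THEMES_DIR:-}" ]; then
    scan_theme_files "$WP_THEMES_DIR"
fi
```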
36. Best protection?
• Backup dB
• Backup files, images, plugins
• Install security plugins
• Complex passwords
• Avoid ‘admin’ login from unsecured locations
• Limit number of plugins
• Update plugins and Wordpress
• You will be hacked at some point.