Neil Matthews

Blog

  • How to Create a Favicon in WordPress

    This is a guest post by Rebecca Jones, see her bio at the bottom of this post

    A favicon is a small icon that displays brightly in the browser URL bar, bookmark list or navigation tab. A favicon (short for favorite icon) will certainly bring a drastic change to your website’s look, if created with thorough research into the interests of the visitors to the website.

    (more…)

  • Refreshing The Google Index After Pharma Hack

    The pharma hack is one of the most stubborn hack attacks I have to deal with on WordPress sites for my clients. I’ve written more about it here in my post The WordPress Pharma Hack.

    Once you have fixed the hack, there is the lingering problem of getting Google to update its index and remove all references to viagra, cialis and all the other disco drugs these scum buckets are trying to peddle.

    (more…)

  • Before You Upgrade To WordPress 3.3

    STOP!

    Before you upgrade to WordPress 3.3, watch this video. The update has a lot of changes and I’m seeing a lot of plugins crashing my clients’ WordPress sites.

    (more…)

  • The Business Of WP

    A bit of free software is providing a lot of people with a lot of business opportunities.

    In this post I want to talk about the business of WP, and where money is being made supporting and developing WordPress for the millions of sites built upon open source software.

    (more…)

  • Refreshing Your Feedburner Feed

    Have you ever put something out there on your blog and realised it was a mistake? You quickly delete it and think all is well, only to find that the mistaken post has appeared in your Feedburner feed and you cannot get rid of it.

    (more…)

  • Case Study: Flash Video and iThings

    I was working with a client recently who has a lot of traffic to his blog from mobile devices such as iPhones and iPads. He also has a lot of video which was being displayed in a flash player.

    The problem – site visitors could not see his videos.

    Flash Doesn’t Work On iThings

    Apple and Adobe agreed to have a battle, said Apple to Adobe you broke my brand new rattle (excerpt from Apple through the looking glass).

    Apple and Adobe had a big falling out recently when Adobe created a development process where applications could be run in flash on iThings. The problem is, they could circumvent the Apple app store with this process.

    Apple protected their platform/spat the dummy to stop uncontrolled/unmonetised apps (delete as applicable) and as a result removed support for flash from their mobile devices. Here is what Apple have to say: http://www.apple.com/hotnews/thoughts-on-flash/.

    A lot of WordPress video plugins which use flash will not show video on iThings.

    How Much Traffic Is Mobile?

    You may be thinking meh! I don’t get much traffic from mobile devices, but I think you will find you do. A quick check of my stats in Google Analytics shows that 3% of my traffic is from mobile devices. Not a huge amount, but significant enough to take notice. Some of my clients have mobile traffic at 10-15%; now that is worth taking note of.

    This will be growing at an alarming rate over the next few years so it is imperative that you make your site mobile ready.

    Many Video Plugins Use Flash

    Many of the popular video plugins like WordTube or any of the flowplayer plugins use flash to show the videos on your WordPress site. They take the native format, wrap it in a video player, then stream that content in flash.

    Try to view that on an Apple product and you will get an error.

    The Solution

    You need to stream your video in a format iThings play nicely with. This could be a native format like mp4 or from a platform that Apple likes.

    Here are some of the ways you can get around this:

    YouTube – embed your videos directly from YouTube rather than using a flash player. Apple devices recognise YouTube content and open it in the YouTube app that comes with the device.

    Stream in a format acceptable – You could encode and stream your videos with Apple’s Quicktime format http://wordpress.org/extend/plugins/embed-quicktime/ but this may cause you issues on other browsers without the correct plugin.

    Find An HTML Video Plugin – A quick search on the plugin repository and you will find plugins like this one http://wordpress.org/extend/plugins/html5-and-flash-video-player/ (caveat: I’ve not used this one before, don’t give me grief if it does not work).

    HTML5 For The Rescue

    The new HTML5 standard has video streaming built in; this will solve our problems eventually. Many plugin developers are scrambling to do an HTML5 re-write, but this doesn’t help us right now.

    This will be the way forward but the plugins are not here yet.

    What I Did For My Client

    We swapped out the videos to embed YouTube.  I installed and configured the Jetpack plugin and we used the YouTube embed short codes.

    He was already using YouTube to host his videos and JW Player to play them, so the change was not that huge, just a little tedious to swap over all the code.

    Wrap Up

    Even the most ardent Apple Fan Bois cannot think banning flash is acceptable; it’s a format generally accepted across the net, but when you buy into a closed eco-system like Apple’s Apps they get to call the shots.

    People love their iThings (I’m an iPhone fan) so you are swimming against the current if you try to make them match your site choices. My suggestion: adapt and make your site mobile ready.

    A Mobile Ready WordPress Site

    I’ll be talking more about making your site mobile ready in the very near future; it’s a huge thing as more and more people consume internet content. Why not join my mailing list to keep up to date with my new posts?

  • Migrating WordPress Hosting

    Course Details

    In this session I will show you how to migrate your WordPress site between hosting companies.

    If you are fed up with poor service, frequent outages or high cost hosting, this course is for you.

    (more…)

  • How To Integrate Paypal With Your WordPress Blog

    In my opinion, Paypal is fast becoming the payment processor of choice for bloggers selling goods and services from their WordPress site.  There are a number of ways to integrate Paypal with your blog, I look at a few scenarios here:

    Just In case .. What is Paypal?

    Paypal is a credit card payment processor. It acts as a middleman between your clients and you, processing transactions on your behalf. They do the hard work of securing and protecting people’s credit card details; you simply accept money and pay a small fee in return. You don’t have to have a merchant account for Paypal, which makes it ideal for small companies or bloggers.

    Paypal charges a fee per transaction dependent upon your transaction value per month. I pay 3.4% + 20 pence per transaction; your fees will vary by location. There are no setup or monthly fees as there are with other payment processors. Full details on transaction fees can be seen at the transaction charge page.

    If you don’t have an account, you can sign up at Paypal.com.

    It goes the other way too: you can send money to people securely, but this post will concentrate on income rather than expenditure. This is a gross simplification of Paypal’s services, but in a nutshell it allows you to send or receive money securely online. Your credit card details are never sent over the net. People trust Paypal and will look for it over other payment processors such as WorldPay.

    Now let’s integrate Paypal with our blog.

    So You Want Payment

    There are numerous scenarios where you may want to charge visitors to your site, I list them below with an integration idea:

    Consulting Services/Service Contracts

    You may sell a consulting service or sell your time at a fixed rate per hour. If you do, using a Paypal button is probably the solution for you. Using this method, you set a small piece of html pointing to Paypal which states your account details and the amount you want to charge.

    There is a technical manual on configuring your buttons manually, or you can go to the button factory inside of your Paypal account and step through the process from my account -> profile -> my saved buttons. Below is a sample button for $0.01 so you can see the process in action, no refunds will be given 🙂

    Donations / Tips

    A popular way of monetising content is to offer your readers the chance to make a donation or leave you a tip. Paypal allows you to create a donation button in the same way you would create a fixed price button. Simply suggest that your readers may like to give you a tip with a big button and see what happens.

    A neater way to do this is with the plugin Buy me a beer. It integrates with your Paypal account and places a call to action at the bottom of each post suggesting a reader should leave a tip if they enjoyed the content.

    Membership sites

    If you want to have premium content on your site, you may consider a membership site. Paypal has a subscription facility which allows you to take recurring payments from your customers.

    You can create a subscription payment button as mentioned above, and then manually add your members to your site. The subscription service will take regular payments until your customer cancels the payment.

    There are a number of membership site plugins which take this to a higher level; the hard work of coding Paypal will already be done for you. Simply specify your account details and the rest will be done for you. Most importantly, the process of cancelling memberships when a subscription is cancelled is done automatically and your content is hidden from the non-member.

    The membership site plugins I have used are Your Members and Wishlist Member. Both of these are premium plugins.

    Physical Product Shopping Carts

    You may want to sell physical products using a shopping cart system such as Amazon uses.

    Paypal has a shopping cart and checkout process, where you would add a button to a page or post which would add an item to a shopping cart; you also place a checkout button on your site so payment can be collected. This is a little cumbersome as html code needs to be added to each page, do I hear a problem which needs to be solved by a plugin …

    I have used one e-commerce plugin which takes the hard work of creating product pages and integrating them with Paypal and it is called WP E-Commerce (the WordPress community is very boring with its naming standards, I would have called it blog-u-shopper or WordPricer).

    I am yet to be convinced that a blog is the best platform to sell stuff; a service such as Shopify or an eBay store is probably better, but hey what do I know, if you are selling physical products successfully from a blog let me know in the comments section.

    Pay to Post

    You may want to charge people to add a post to your system, for example a jobs board where there is a fee to add something to your blog. One of the simplest and best solutions I have found for this is a plugin called EasyPayPal. This also allows the simple creation of members only content so you really should check this one out.

    Selling Ad Space

    If you are in a position to sell ad space on your blog, Paypal may well be the processor you use.

    You can set up an advertising page and set up Paypal buttons to sell ad space. The other option is to check out an ad plugin such as OIO Publisher which allows you to sell ad space and integrate it with your Paypal account to accept payment.

    Info Products

    If you have an e-book or webinar to sell, how do you integrate paypal with your site to take payment before your content is made available for download?  The problem here is that you want to collect payment and protect your link until payment has been made.

    wp-member, the membership site solution I mention above, does this, as does EasyPayPal, but I would recommend you look at e-junkie; this is an offsite payment processor and download fulfillment service. This takes away the headache of delivering your info. product to your customers. My mantra is always: if someone will take on a headache for me and the cost is okay, go with them. The service starts at $5 per month.

    Check Out The Many Paypal Plugins

    There are a number of Paypal plugins over and above what I mention, check out the plugin repository http://wordpress.org/extend/plugins/tags/paypal

    Paypal Gets My Thumbs Up

    I hope this has given you some ideas for integrating Paypal with your site. I have only touched on the solutions here to give you a feel for what Paypal can do for you.

    I have been using Paypal to collect payments for my services since I started this site; the trust people have in Paypal increases your likelihood of a conversion. I love the ease with which I can take payments, pay others and of course give refunds (I have a no fix no fee guarantee). The charges sometimes feel a little high, but removing the hassle of credit card security probably makes up for that.

    Need Help Integrating WordPress With Paypal?

    If you need help integrating your blog with Paypal, I would be happy to give you a quote, please visit my service page and let me know your requirements.

    Image by 59937401@N07

  • WordPress Roles Explained

    WordPress comes with a number of inbuilt user roles to control what registered users can do when they log in to your blog. I want to explain the various roles available and what capabilities each type of user will have.

    There’s Just Me, Why Do I Need Roles?

    If you are a lone blogger who does all the writing and administration themselves then you only need two types of user: readers, who do not log in and therefore don’t need a role, and an administrator. This post is probably not for you, but if this is your scenario, there are a couple of things I recommend:

    1. Disable new user registration to keep your blog watertight. This can be done from the WordPress dashboard -> settings -> general and uncheck “anyone can register”.
    2. Change the default displayed name of the admin account from admin to your own name. This is done from dashboard -> users -> edit the admin account -> complete first name and last name, then from “Display name publicly as” set your full name. This just makes the blog more personal instead of a sterile person called admin writing all of the posts.

    I Want a Publishing Empire Tell me About Roles.

    When you create additional user accounts on your blog, you can then assign a user to a role. There are five roles: subscriber, contributor, author, editor and administrator. Each has an increasing level of permission to perform actions (known as capabilities) on your site.

    This post will take you through each role and its capabilities. I will start with the least privileged and build up a profile of the additional things each level can achieve.

    Update

    Feel free to read the whole post, but I’ve created a video tutorial to show you users and roles in depth.

    How Are Roles Assigned

    By default all new users created on your blog will be subscribers; an administrator level user then needs to edit the user and assign it a new role. This is done from the dashboard -> users -> authors and users -> edit the required user -> from the role drop down, set the user level.

    Subscriber

    Subscribers have the ability to read your blog posts. This is the same level as unregistered readers and visitors to your blog, so why do you need a role for this? The answer is you may not need this level, but some blogs have features available only to logged-in and registered users. Some of those may be:

    • To leave comments, this is a spam control procedure
    • To see certain posts
    • For a private blog where only registered users are granted access, and creation of the users is left up to the administrator

    There are various plugins which require a subscriber role, so out of the box the subscriber role may not seem necessary, but each installation is individual.

    Contributor

    Moving up the scale, contributors are at a level where they can create content on your blog.

    The contributor can read posts, and create and edit posts from the dashboard. They can also delete their own posts which have not been published.

    The point to note about contributors is that they can create draft posts but cannot publish them.  A more trusted user level is required to edit and make the post publicly available.

    Author

    An author is a more trusted level of contributor. They have all of the permissions of a contributor, but they can also publish their own posts, delete their own published posts and also upload files to add to posts, e.g. images to include in posts or videos to play within a post.

    Authors only have control over their own content; other authors’ and contributors’ posts can be read but not edited or amended.

    Editor

    When we reach an editor level we move into site-wide permission territory. As the name suggests, editors have control over other users’ content to publish, delete and create new posts, but an editor can also create, amend and delete pages, and has access to, and control over, posts marked as private. Check out the visibility of a post: it can be public, password protected or private; only editors and above can see private posts and pages.

    Editors can create categories and blog roll link entries, moderate comments and even create and amend new users.

    Editors are trusted members of your organisation; they can affect your blog at a fundamental level. What they cannot do is change the look and feel of the site, for that we need an ….

    Administrator

    The admin level user is the super user for the site. Along with all of the other capabilities discussed above, they can change the theme, upload and install plugins, edit users and modify the look and feel of the dashboard.

    Control of who is an administrator of your site is crucial for a secure site, harden the password and consider changing the login ID to something other than admin.

    A Last Word on Roles and Capabilities

    If you have multiple people contributing to your site, make use of roles and assign them the minimum permission required to get their job done. You may have scrupulous procedures to safeguard your passwords, but do your contributors? You may trust them, but making them an admin level user when all they need to do is upload their post for editing is just creating a security loophole on your site.

    Further Reading

    http://codex.wordpress.org/Roles_and_Capabilities#Roles

    Image by maikelnai

  • Pass The Damn Ham Please

    You probably already use anti spam plugins on your site, but sometimes Spam gets through, so how do you tell the difference between Spam (bad comments) and Ham (good comments)?

    This post shows you the evaluation criteria I use before trashing or spamming a comment.

    The Difference Between Trash and Spam

    I have two routes for an unwanted comment, I either trash it or spam it, and the differences are quite important. If I find a comment that is real but I don’t want it to appear on my site (more about why I do this later) I will mark it as trash and bin it; if it is an actual spam comment I mark it as spam. The difference is that trash comments allow further comments, but spam comments potentially put that person or site on the Akismet blacklist.

    I would ask you to use the Spam button aggressively to help combat this annoying and sometimes disastrous problem, see When Too Many Comments Are Bad.

    My Site,  My Rules

    Everything that is published on my site including comments reflects my site and my brand. If I allow low quality comments to be approved what am I saying to the world, I don’t care what crap is published? As a result I’m pretty picky what I pass through.

    Also linking to poor quality sites, even through comments, is thought to lower the value of your own site and could affect SEO rankings.

    So here are my criteria for evaluating suspect comments that have come through the spam filter.

    It Needs To Add To The Conversation

    I’m very strict on this one, so sorry if you have attempted to say great post in the comments, but I bin anyone leaving congratulatory remarks and anything that does not add to the conversation of the post. You can disagree with what I have said, but your comment needs to add to the post.

    Bizarre content

    When you read the comment, it may look like it is written by a human, but it does not quite sit well with you. It’s too generic; whilst it could match your post, you are not sure.

    When in doubt, bin is my motto.

    The Site URL Is Obviously Spammy

    Look at the target URL or the site: is it obviously for a spammy site? Mark as spam. Look for references to pharmaceuticals, or any site selling stuff. Add this to the next point and you have a spam candidate.

    The Site URL Links To A Low Level Page Not Root

    This always starts the red flag a-flapping: why would you link to a sub page if you were not trying to harvest links back to your piece of spammy crap? A legitimate comment links back to the root. You may want to link to a particular page in your comment to emphasise your point, but not in your site URL.

    Irrelevant Links In Content

    If there are any irrelevant links in your comment, you are obviously trying to harvest links back to your site for SEO purposes.  You gonna get a spam for that.  If anyone links in my comments, it better make sense to the post and comment, I often remove links but approve comments if they add value.

    Foreign Languages

    I’m not being xenophobic, but why comment on a site in language X in language Y? What are you trying to hide? I don’t approve any non-English comments on my site.

    Further Reading

    I’ve written a lot about spam in the past, check out this search result. “Dealing with Trolls” found me on a rant so let’s mark the language NSFW.

    Wrap Up

    You wouldn’t let people write on the walls of your house, so why let people write on the e-walls of your site?

    Obscure Reference Update: The title “Pass the damn ham please” is from To Kill A Mockingbird by Harper Lee

  • New Type Of Hack

    I’ve been working with a client on a performance tuning project, and it looks like this was in fact a hack that is slowing down the site, this is the first time I have seen this hack technique so I thought I would document it for the wider WordPress community.

    The hack is in two parts: the first is a PHP directive in .htaccess, the second is a base64 encoded file which holds the payload.

    .htaccess

    The hacker has added hundreds of white spaces at the bottom of the .htaccess and then buried a directive in there so a casual look at .htaccess won’t show the code up.  At the bottom of the file I found:

    php_value auto_append_file /var/www/html/{SITEDETALSREMOVED}/wp/Thumbs.db

    This directive tells the webserver to append the file Thumbs.db to all php pages it loads up.  This means that a little piece of code is added to each web page served up.

    Thumbs.db

    Thumbs.db is normally a thumbnail file often included on Windows servers. I have uploaded this by accident a number of times, so it looks like an un-needed but safe file. In the case of this site, it has a base64 encoded payload of malware.

    CODE DELETED BECAUSE MY MALWARE SCANNER KEEPS THINKING I HAVE BEEN HACKED 🙂

    So this malware was being loaded onto each page as an additional footer.

    Check Your Site Now

    If you are seeing a performance hit, please check your .htaccess for this hack.
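One way to automate that check, as an added example (not code from the original post): it walks a document root, reports every `php_value auto_append_file` or `auto_prepend_file` directive in `.htaccess`, and flags ones buried behind whitespace padding or pointing at a file that contains PHP. The function names, the padding thresholds and the demo files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# php_value directives that make PHP include an extra file on every request.
DIRECTIVE = re.compile(
    r"^\s*php_value\s+(auto_append_file|auto_prepend_file)\s+(\S+)", re.IGNORECASE)
PAD_LINES = 20   # assumed threshold: blank lines in a row that count as padding
PAD_COLS = 80    # assumed threshold: leading whitespace that counts as padding
PHP_MARKERS = (b"<?php", b"<?=", b"base64_decode")


def target_has_php(path, limit=65536):
    """True if the included file contains PHP markers, None if unreadable."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit).lower()
    except OSError:
        return None
    return any(marker in head for marker in PHP_MARKERS)


def scan_htaccess(path):
    """Return one finding per auto_append_file/auto_prepend_file directive."""
    findings, blank_run = [], 0
    with open(path, "r", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip():
                blank_run += 1
                continue
            match = DIRECTIVE.match(line)
            if match:
                target = match.group(2).strip("\"'")
                indent = len(line) - len(line.lstrip())
                findings.append({
                    "file": path,
                    "line": lineno,
                    "directive": match.group(1).lower(),
                    "target": target,
                    # Buried after a wall of whitespace, as described in the post.
                    "hidden": blank_run >= PAD_LINES or indent >= PAD_COLS,
                    "target_has_php": target_has_php(target),
                })
            blank_run = 0
    return findings


def scan_tree(root):
    """Walk a document root and scan every .htaccess file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            findings.extend(scan_htaccess(os.path.join(dirpath, ".htaccess")))
    return findings


def build_demo(root):
    """Write a constructed site: padded .htaccess plus a harmless fake Thumbs.db."""
    os.makedirs(os.path.join(root, "wp"))
    thumbs = os.path.join(root, "wp", "Thumbs.db")
    with open(thumbs, "w") as fh:
        fh.write("<?php /* constructed placeholder, no payload */ ?>\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
        fh.write("\n" * 300)  # the padding that hides the directive
        fh.write("php_value auto_append_file " + thumbs + "\n")
    return thumbs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo(demo_root)
        for hit in scan_tree(demo_root):
            print(hit)
```

On a real server, call `scan_tree()` with the site's document root; any finding where `hidden` or `target_has_php` is true deserves a manual look at both the `.htaccess` and the referenced file.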

    
    
  • WordPress Security Training

    This week I’m running a live training event to teach people how to secure their WordPress site.

    Would you like to learn more about hardening the security of your site and keeping hackers at bay?

    WordPress and Security

    WordPress is NOT inherently insecure, rather it is a victim of its own success. There are millions upon millions of WordPress sites, and the hackers are probing the defences of these sites for weaknesses that can be used upon this very large community for their nefarious reasons.

    This training will make your site security more robust and less prone to attack.

    When Is The Training?

    The session is on Thursday 29th September at the following times

    • 11am – 12pm Pacific
    • 2pm-3pm Eastern
    • 7pm-8pm UK Time

    What Will I Learn?

    You will learn my WordPress security hardening techniques to make your site much more resilient to hack attacks, including

    • Why WordPress is a victim of security attacks
    • WordPress security options
    • Changing default table prefix
    • Changing default admin name
    • Using security keys
    • SFTP not FTP
    • HTTPS not HTTP
    • Using hard passwords across your installation
    • Security Plugins
    • Other security services
    • Demo of a site being hardened

    How Much Does It Cost

    The training is normally only available to members of my WordPress training and support community, but this week I’m offering a 14 day free trial of the WP Owners Club, so you can test drive the club, join the live security training webinar and see all of the other member benefits.

    If you like the club, leave your membership as is, if it’s not for you cancel your Paypal subscription before the 14 days are up and there will be nothing to pay.

    Test Drive  Today

    To test drive the WP Owners Club and join the security training at no cost, click on the button below.  You will be taken to a signup page where you can create a login ID, then go to http://wpownersclub.com/live-events to signup for the live training.

    Image by ellasdad