Every once in a while, I'll stumble on an article or rant about how horrible WordPress is. Developers complain about every facet of the CMS: security, plugin conflicts, performance, and templating. I noticed a common thread in these posts: the writers were often unclear on how to develop with WordPress effectively. I want to share what I have learned to help correct some of these attitudes. I have developed dozens of WordPress sites over the years and learned a great deal, so I can offer some insight on how to make your development experience more pleasant.
This might be the most crucial tip. If you select a template that is hard to use or inflexible, you're not going to be successful. There are hundreds of templates out there; some provide fully baked styles for you, while others are bare bones. In my opinion, a bare-bones template is the way to go, and Sage, by roots.io, is the one I recommend. A few key features:
- Webpack frontend workflow
- The ability to choose among Bootstrap 4, Foundation, Tachyons, Bulma, and Tailwind as your CSS framework
- Laravel's Blade templating engine
- Controllers to get a handle on your data
- Great documentation
While developing a WordPress site, it's easy to go overboard with plugins; after all, they do add functionality and make things easier. One of the biggest pitfalls is to install too many plugins, or plugins that are not well supported. When selecting a plugin, check the following:
- Has it been tested on your current version of WordPress?
- How many downloads has it had? If it has a few thousand downloads, this could indicate a reliable and useful plugin.
- Check the version history. This can provide insight into the direction of the plugin and how quickly the developer addressed bugs.
Plugins are certainly a necessary part of WordPress development, but it's crucial not to overdo it. Too many plugins can cause performance issues and incompatibilities. Ask yourself: do I need this plugin?
The fact is that WordPress powers 30% of all websites on the internet! That is a staggering number of sites. Unfortunately, this also makes WordPress a popular target for attackers. But there are a few things you can do to protect yourself.
Download and install WordFence. Its Web Application Firewall protects you from brute-force attacks and more complex attacks while blacklisting the offending IPs. It also keeps an eye on your plugins for updates and known vulnerabilities. WordFence provides a host of additional features not mentioned here; I suggest checking out their website for the full rundown of its capabilities.
Protect your site
There are so many ways to do this, but I will cover just some basic things to keep in mind.
Do not use the default wp_ prefix for your database tables. It is set by $table_prefix in wp-config.php; changing it can defeat automated attacks that assume the default table names, although it is no substitute for the other steps below.
During install, WordPress will suggest "Admin" as the default administrator username. Attackers attempting to break into your site will always try "Admin" as the username while guessing the password, so choose a different username.
Check your server firewall. Make sure only the necessary ports are open.
Check permissions on your WordPress files. Make sure your files are not owned by root and that the correct file permissions are set. For more information, visit: https://wordpress.org/support/article/hardening-wordpress/
Make sure your version of WordPress and your plugins are up to date. WordPress makes updating easy; you can even make these updates automatic.
Strong passwords! It's just common sense these days. Make sure all user passwords are strong.
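As an added example (not from the original post), here is a small shell audit that checks a WordPress document root against the table-prefix, ownership and permission points above; the document root path, the web user name and the exact permission policy are assumptions you should adjust for your host:

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress document root for a non-default table
# prefix, files not owned by root, and sane permissions. The policy below
# (nothing world-writable, wp-config.php private) follows the wordpress.org
# hardening guide and is an assumption; adjust it to your hosting setup.

# Returns 0 if $table_prefix in wp-config.php is not the default 'wp_'.
check_table_prefix() {
  local config="$1"
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*[\"']wp_[\"']" "$config"; then
    echo "FAIL: $config uses the default wp_ table prefix"
    return 1
  fi
  echo "OK: table prefix is not the default"
}
# Returns 0 if everything under the web root is owned by the given web user.
check_ownership() {
  local root="$1" owner="$2" offenders
  offenders=$(find "$root" ! -user "$owner")
  if [ -n "$offenders" ]; then
    echo "FAIL: paths not owned by $owner:"; echo "$offenders"
    return 1
  fi
  echo "OK: everything under $root is owned by $owner"
}
# Returns 0 if nothing is world-writable and wp-config.php is not world-readable.
check_permissions() {
  local root="$1" bad
  bad=$(find "$root" -perm -002)
  if [ -n "$bad" ]; then
    echo "FAIL: world-writable paths (expect 755 dirs / 644 files):"; echo "$bad"
    return 1
  fi
  if [ -n "$(find "$root" -maxdepth 1 -name wp-config.php -perm -004)" ]; then
    echo "FAIL: wp-config.php is world-readable; use 600 or 640"
    return 1
  fi
  echo "OK: no world-writable paths and wp-config.php is private"
}
# Runs every check; the exit status is the number of failed checks.
audit_wordpress() {
  local root="$1" owner="${2:-www-data}" failed=0
  check_table_prefix "$root/wp-config.php" || failed=$((failed + 1))
  check_ownership "$root" "$owner" || failed=$((failed + 1))
  check_permissions "$root" || failed=$((failed + 1))
  return "$failed"
}
# Usage: ./wp-audit.sh /var/www/html www-data  (path and user are assumptions)
if [ -n "${1:-}" ]; then audit_wordpress "$1" "${2:-www-data}"; fi
```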
There are thousands of plugins to choose from, so it's hard to know which ones to use. Here's a shortlist of the ones I regularly use and have had great success with.
- WordFence (As mentioned previously, a must for security)
- Advanced Custom Fields (Easy to use with incredible flexibility)
- WP Migrate (Migrates your database)
- Yoast (For all your SEO needs)
- Contact Form 7 (5 million activations for this plugin, a must for contact forms)
- GDPR Cookie Consent (Easy to configure and use if you are worried about GDPR)
- Block Lab (Build custom Gutenberg blocks)
Consider this article just a general guide of best practices and advice for those working with WordPress. There are a multitude of things one could do to increase performance, enhance usability, and bolster security not covered here.
WordPress might not be the sexiest CMS out there, but clients request it because they are familiar with it and find it easy to use. And this is so important. Hopefully, this little post will help others develop more secure and better WordPress sites.