Jesse Friedman, author of the Web Designer's Guide to WordPress, helps us avoid common WordPress mistakes and takes a look at some myths and misgivings to boot
WordPress has made huge strides in the last year or two to become a full fledged CMS. With these changes comes the need to shed old myths about WordPress. As we move to become a ubiquitous CMS available to the masses, misconceptions and preconceived notions of bugs and flaws from the past can cloud our judgement of the future. Hopefully alleviating our thoughts of following 20 mistakes, myths and misgivings we can all realise the full potential of this CMS and work to make it better.
These mistakes can lead to problems in security and slow the development process. Remember to do these steps, so your WordPress sites are faster, better planned and more secure.
1. Using an administrator to post content
It’s important to make sure you’re disguising your WordPress installation as much as possible. Predictability is not your friend and posting content under an administrator account is predictable. Guessing your username isn’t too hard if it’s displayed on your post. Instead reserve your administrator level account for backend work ONLY. Create a contributor account to use as your author. You can still write the content as an author just assign the post to the contributor before you post it live.
2. Keeping “admin” an administrator
This mistake has been made for years and continues to get made. By default WordPress creates the “admin” username and assigns it to a administrator level. This is obviously predictable and one way of making it easier for a hacker to get into your site. If you combine this with creating a poor password you’re asking to be hacked.
3. Keeping “wp_” as the table prefix
Being unpredictable is the best way to avoid being hacked. Are you seeing a trend yet? Since WordPress powers 75 million sites it’s common knowledge that tables by default start with “wp_” which means if you don’t change the table prefix, your Site Options table is “wp_options”. It’s very easy to change your table prefix and can be done during installation either manually in the wp-config.php file or during auto installation in the form fields. Choose something difficult and hard to guess, especially since you won’t have to think about it again in the future.
4. Not replacing salts and keys
If you don’t know about salts and keys, they are in the wp-config.php file and used to authenticate logged in users and their machines. In the past it was easy for a hacker to steal your logged in session cookies and pretend to be you. These passphrases make it nearly impossible for hackers to do this. Think it might be hard to generate those salts? Well, you’d be right except WordPress has a web page that does it for you. Visit this link https://api.wordpress.org/secret-key/1.1/salt/ and copy everything into your wp-config.php file.
5. Not backing up
We’ve covered four mistakes that you can avoid in an effort to be more secure. But no system on earth is totally secure so there if the worst happens and you get hacked make sure you’re ready. There are countless ways to restore. Bluehost now offers full restoration points on a daily, weekly and monthly basis. You can also use VaultPress which backs up everything from your content to your themes and more. VaultPress is not free but it’s the absolute best solution out there. Here’s another great free solution: BackWPup.
6. Too many categories, not enough tags
Site architecture, organisation and planning is so important. It affects everything from SEO to load times and visitor time on site. Whether you’re a designer, developer or blogger you can take the time to evaluate your content and really think out your site organisation. A common misconception is that you can only add categories to the main nav. This isn’t true (go to appearance -> menus -> screen options and turn on posts and tags). In content-heavy sites I’ll use popular tags and even posts in the main nav. Try to limit categories and use tags to bring things together.
7. Forgetting the cache
If you aren’t using caching or don’t know what it is you’re giving up precious seconds of load time, WordPress is a dynamic database driven CMS. Which means visitors to your site prompt the server to request info from your database, then it uses that content to populate your site creating HTML markup. Well caching allows you to save that finalised HTML markup and server that to visitors skipping the need to go to the database every time. This increases efficiency and decreases load time. There are two great free plugins used for caching which are W3 Total Cache and WP Super Cache. If you’re looking for managed hosting and don’t want to worry about all this WP Engine provides the best built in caching I’ve seen and makes your life extremely easy.
8. Ignoring WordPress updates
I get it, it’s hard to remember to update all your sites to the newest version of WordPress. In a bit we are going to talk about managing multiple sites at a time. WordPress core developers and contributors work tirelessly to improve WordPress, its UI, efficiency and speed but when a bug or vulnerability is found it usually gets an update right away. Which means if you’re WordPress version is behind it’s probably vulnerable. It’s so easy to update WordPress with a single click so you shouldn’t worry about the time it takes. I know a common myth is that WordPress will break when you update but it is so backwards compatible it’s not even funny. It’s very unlikely that your site will break on update but you should test to make sure if you’re nervous.
Some things still being said about WordPress just aren’t true. Thousands of developers around the world are working to make WordPress better and bring it into the new web future. So it’s a bit frustrating to build a 20,000 page directory that is secure, fast, reliable and easily editable, then hear a client tell us “Isn’t WordPress just for blogging?”.
9. WordPress isn’t secure
Secure is a relative term, and no system is perfect. Here’s the deal, WordPress is powering 10x more sites than most CMSs combined. If you’re a hacker, are you going to spend your time learning the vulnerabilities of less common CMSs or the one that will reap the most results? This doesn’t mean that WordPress is less secure, just more likely to get attacked. In my experience the absolute #1 reason why a site is able to get hacked is because of poor password creation. WordPress can be the most secure CMS on the planet and if your credentials are admin clientname14 you are still going to get hacked. If you create difficult passwords, take the security measures I stated above and keep WordPress up to date you’re far less likely to ever get hacked. Here are some other resources on securing WordPress:
- Protect your WordPress site with .htaccess
- 15 ways to increase your WordPress’ security
- Secure WordPress advanced
10. WordPress isn't a CMS
The source of this myth comes from that fact that WordPress was and is the #1 choice for hosting blogs. It’s easy to look at WordPress as the kid brother of CMSs that have been long established solutions for hosting big websites. There is a long standing joke between WordPress developers when we get asked by clients or novices “Can WordPress do...” and we answer “Yes” before they finish the question. The reason is because WordPress is so extensible and even before WordPress 2.9 and 3.0 (which brought us the biggest advancements towards becoming a full fledged CMS) we were still doing complex websites, directories, ecommerce stores and more. Jake Goldman from 10up recently gave a talk at WordCamp Boston about Enterprise Level WordPress Solutions. It was a great talk and it hit the nail right on the head. WordPress is fast, reliable, secure and powerful, there is no reason it can’t do what whatever you’re dreaming up.
11. WordPress is ONLY for blogging
We just touched on this a bit but it’s worth mentioning again. WordPress is still commonly known as the blogging platform. I tend to blame WordPress for not moving forward fast enough on this. It was only recently that WordPress.org started referring to WordPress as “web software you can use to create a beautiful website or blog”. However, you still get referrences to WordPress as blogging software as seen in Matt Mulenweg’s bio for WordCamp San Francisco. It’s technically a marketing issue and one that will be fixed overtime. One thing you should realise is that WordPress’ power is only limited by the person developing for it.
12. Big companies and budgets don’t go with WordPress
Another myth built on the premise that WordPress is a blogging platform. This is no longer true. One specific area where we see a huge growth in the use of WordPress is universities. This is fantastic because school websites usually come with complex functionality and a need to manage and organise a great deal of integrated content. You can also check out WordPress VIP for a list of some of the biggest companies in the world using and relying on WordPress every min of every day.
13. WordPress doesn’t provide support
WordPress is open source - how can they provide support? Well, if you’re looking for an 800 number, you’re right, it doesn’t exist. However, the idea that you can’t get support for a problem, bug or issue is just not true. No matter what level user or developer you are, there is a way to get answers to your questions. The forums at WordPress.org are amazing, the codex has fantastic documentation and social networks play an important role too. My favourite place to get support is from the email lists. There are hackers, plugins and other email lists which you can subscribe to. Then when you have an issue, you email the group. Typically I get answers to rather complex problems in minutes. This is also a great way for you to share your knowledge and experience and give back.
14. I can’t support WordPress
Speaking of giving back. Another common myth is that you can’t contribute to making WordPress better. There are so many ways to contribute that I had to dedicate an entire chapter to it in my book, Web Designer's Guide to WordPress. In chapter 20 I cover ways of contributing from donating to your favourite plugin, to writing in the codex, translating the WordPress admin, to building themes and plugins and much more. There are so many ways to give back and the more we do the better WordPress will get.
15. It’s too difficult to manage and maintain all my WordPress installations
If you have a lot of clients using WordPress hosted all over the place, it can be really difficult to manage all the updates from plugins, themes and the WordPress core. There are two solutions to this: one is a WordPress multisite install or network. This allows you to manage and host all of your WordPress websites in one place. This can get a little messy if you don’t take the time to plan everything, not to mention everything has to be on the same server and some of your clients may not want to move. I love WordPress Multisite and make a living off of it. However if that doesn’t work for you, there is a great plugin called ManageWP, which keeps track of all of your WordPress installations and what maintenance they need all in one place.
Ever built a beautiful website that delivers a fantastic user experience and a client says “yeah, that’s all great but why is the logo so small?”. Sometimes we aren’t given the credit we deserve. WordPress for years has been coined the blogging CMS.
Today WordPress is all grown up and has so many tools and an amazing API that makes developing for it fast and scalable that we can’t afford to exclude from being considered for bigger web projects. Let’s give credit where credit is due and do our research on WordPress so we are at least making an intelligent decision about whether or not to use it.
16. WordPress for ecommerce
I totally understand the hesitation to use WordPress as an ecommerce system. WordPress wasn’t made to manage products and stores. Here’s a little secret: the CMSs and systems that were made specifically for creating online stores aren’t very good. It’s true, there is no system that is as good at ecommerce as WordPress is at blogging or websites. That isn’t enough of a reason to go with WordPress and if it were 2010 I’d probably suggest that you don’t use WordPress for an online store unless you were selling a few products or tickets to an event. That being said today, there are several plugins and frameworks that transform WordPress into a reliable and easy to use ecommerce solution. Take a look at Jigoshop or WP e-Commerce, and I think you’ll be pleasently surprised.
17. WordPress can’t be responsive
I’m not even sure I understand this one. I hear all the time that WordPress can’t support advanced web functionality but that literally doesn’t make sense. If you build your theme to be responsive it will be. Themify.me does a great job of developing responsive WordPress themes and there are hundredds more out there. I even developed a plugin that will make it very easy for user admins to manage content and maintain responsive integrity.
18. WordPress can’t do anything out of the box
I’ve said it so many times in so many classrooms, webinars and conferences. WordPress can do and be anything you want it to do and be. Your themes, in the end, output HTML markup. the only thing that is different between WordPress and a static site is that WordPress sites get their content from a database. It’s your job to use WordPress to convert database content into HTML markup. Once it’s markup you can have fun with jQuery, backbone.js or even turn your site into a mobile app. I have a friend, Aaron Ware, who runs Linchpin Agency, which actually made a WordPress powered Flash website. Don’t let misconceptions prevent you from making awesome and powerful websites.
19. WordPress is open source
I get why big companies are nervous about this. However, just because I understand it doesn’t mean I agree. Most enterprise level companies have this feeling that they have to spend money on a system or software in order to use it. “If it’s free, it isn’t good enough or doesn’t provide enough support”. Here’s the thing, the money you’d spend on a propritary system can go to hiring one of the thousands or WordPress developers to support and build your system. One major benefit of open source is that you have a community of people working to improve and fix the product rather than waiting on a team of people to do it. Not to mention you can always do it yourself. In the end these companies can aleviate their itch to spend money on software by contributing to the WordPress Foundation.
20. WordPress plugins aren’t perfect
You should hesitate before putting someone else’s code into your system. The fact is that not all WordPress plugins are created equal. There are bugs, outdated code and flat out problems. You should do your due diligence and make sure what you’re using is well done, supported and highly rated. When you’re in the WordPress Plugin Repository make sure the plugins you’re looking at have a good amount of downloads, have been recently updated, supports your version of WordPress and in the end read through some code to make sure stuff isn’t broken. You can always google for reviews of these plugins as well.
I fear I may have just touched the top of the iceberg with only 20 but this is an opportunity for you to speak up and share your ideas. WordPress is doing just fine and is moving along nicely. We have a great deal of market share and a huge community preparing WordPress for the future. However, it would be nice to see WordPress used to its fullest potential more and more. All too often I say “Why aren’t you just using WordPress for this project?” and I hear back “Umm... I don’t know can WordPress do this?”. Almost instinctively face meets palm but after that I realise that it's on us to help the world understand what you really have here and what WordPress really can be. Let me know your thoughts in the comments below or tweet me @professor.
Don’t forget to grab the Web Designer's Guide to WordPress, a book written, by me, specifically to help you build on your HTML and CSS skills to develop WordPress themes.