SSL (secure sockets layer) is the standard security technology for establishing an encrypted link between a web server (web hosting account) and a browser (your website). This link ensures that all data passed between the web server and browsers remain private and integral. This is particularly important for forms to encrypt the information the site visitor is entering in the form as it passes to the server.

To establish an SSL link, you need to install an SSL certificate on your website and then change all the URLs on your website to use https instead of http. When the SSL certificate is installed correctly and all the URLs use https, users will see a lock icon in their browser URL field indicating that the site is secure.

SSL as a Ranking Factor

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode. According to Search Engine Land, we may see 70% of page one results on the Search Engine Results Page going to sites using https by the end of 2017.

All site owners should prioritize installing SSL on their sites as soon as possible, particularly if they have web forms. The process takes about one hour start to finish, mostly to allow for time to double-check everything, contact your web host if needed, fix insecure content, and make changes in Google Analytics and Google Search Console. It’s definitely a process, and you will want to do this when you have a clear head, a clear plate, and not a lot of traffic going to the site.

How do I install SSL on my WordPress website?

Step 1 – Purchase and install an SSL certificate

Many hosts are now offering free Let’s Encrypt SSL certificates or other options via your web hosting control panel. Login to your web hosting control panel and search for SSL. You should be given several options to choose from. WP Engine, Get Flywheel, Blue Host, and many other web hosts offer free SSL. Host Gator will allow you to install a free Let’s Encrypt SSL certificate but it requires contacting their support and must be renewed manually every three months, so I would opt for their $39 license instead.

Be sure to install the SSL certificate on both the www and non-www versions of your site. This is very important to keep your Google page rank after switching to SSL even if you never used the non-www or www with your site in the past. You’ll want to make sure that all URLs resolve to your primary URL using the https, for example:

Should all redirect to
https://askwpgirl.com
OR
https://askwpgirl.com
Depending on what your preferred domain is.

You should never see your site under two different domains as that will cause a duplicate content penalty from Google.

Also, be aware that if you have older domains or parked domains that you need to redirect to your primary domain, you may want to install SSL on those as well as Google may index the old domain with SSL and the 301 redirect does not take place until AFTER the https check is done.

Domain issues with getting SSL installed:

Here are a few challenges I’ve faced:

1 – I had a client on Blue Host for whom the SSL was not able to be verified by Comodo. I was on the phone with Blue Host a few times amounting to about 2 hours of my time to finally get it all worked out. Blue Host’s SSL process involves adding some CNAME records to your DNS Zone File which allows Comodo to verify that this domain resides at this web host. However, this client’s zone records were never propagating to the web, so Comodo couldn’t verify the domain. Comodo needed to send an email to an address that didn’t exist (webmaster@) to get the domain verified. I set up the email for my client, then Comodo was able to verify ownership when I received that email.

2 – At iPower web hosting, you have to first purchase the SSL certificate, then go back to the SSL area in the control panel and tell iPower which domain to apply the certificate to.

3 – At Host Gator, I had a client who has two domains for which we needed to install the SSL (a current domain and an older domain that was pointing to the new domain). However, according to their support team, “When a new SSL is installed to your server it will remove the SSL for your other domains on your cPanel. Our developers are working on a fix at this time, however in the mean time we will need to manually reinstall all of your SSLs each time you order a new SSL.” I only got to this answer after chatting with their support staff many times over the course of a week.

Another issue with this client is that their primary domain was their old domain. This also added an extra layer of complexity. Ideally, you never want to point a primary domain to other domains. So, we made his new domain name the primary domain name and added the old domain as an addon domain to get the SSL installed properly on it. (See the htaccess rule below I used to make sure the SSL redirects work to point the addon or parked domain to the one site.)

4 – On GoDaddy, a client had their domain forwarding to WP Engine using a domain forwarder at GoDaddy instead of an A Record. This created some difficulty getting the domain’s SSL installed at WP Engine. I removed the forwarder and set the A Record and CNAME at GoDaddy to point to the client’s WP Engine account, then added this domain at WP Engine and got the SSL installed on it.

These are all random examples of issues you can face in getting SSL installed. My general advice is to get your domain situation cleaned up and not have any forwarders placed on domains for which you want to install SSL. You can edit the .htaccess file on the server after the SSL certificates are installed to do whatever redirects you need to do on the domains. WP Engine handles redirects quite well via their client portal, so there is no need to edit the .htaccess file for domain redirects.

Check the status of your SSL installation here: https://www.sslchecker.com/sslchecker

Step 2 – Change your WordPress General Settings to use https

The installation of the SSL certificate can take up to a few hours or days. It typically takes a couple hours or less. You can check the status of the installation in your web host’s control panel or simply visit the site using https. If the site displays fine using https, then your certificate is installed. If the site displays the warning that the certificate is not valid, then the SSL is not yet installed. If the process takes more than a day or two, contact your web host directly to find out what the hold up might be.

Blue Host’s SSL installation is typically very smooth. The smoothest and easiest I’ve encountered so far. When I went to visit the sites, the WordPress General Settings were already set and all the URLs seemed to be using SSL.

At WP Engine, you need to login to your client portal after the SSL is successfully installed and go to the SSL section and set the following:

For all websites regardless of host, you will want to also do/check the following:

1 – Login to your WordPress Dashboard.

2 – Go to Settings > General.

3 – Change the two URLs in the General Settings to use https, like this:

4 – Click Save Changes.

You will be kicked out of the WordPress Dashboard and need to re-login.

If these fields are greyed out, then the URLs are set in the wp-config.php file which you can edit using the File Manager on your web host’s control panel or via FTP. Set both the URLs to use https.

Step 3 – Rewrite URLs using the Better Search and Replace Plugin

Before doing this step, I highly recommend you backup your database just in case you make a mistake. You want to be very mindful in rewriting URLs.

Next, you will want to rewrite your site’s URLs to all use https for your images, media files, and internal hyperlinks. To easily and quickly do this:

1 – Go to Plugins > Add New.

2 – Search for the Better Search and Replace plugin and install and activate it:

3 – After the plugin is activated, go to Tools > Better Search Replace.

4 – Search for your site URL with the http and replace the URL with https. Select the wp_options, wp_postmeta, and wp_posts tables, then run the search and replace. Be sure to uncheck Dry Run so it actually runs.

Step 4 – Check for the green lock icon in the browser.

If all goes well with the above two steps, the site should show a lock icon when you visit it from different browsers:

Step 5 – Resolve Mixed Content issues.

If any pages come up with the lock open (not secure):

1 – Right-click (ctrl+click Mac OS) on any part of the page and choose Inspect from the contextual menu. (This works best in Firefox and Chrome).

2 – Click the Console tab in the Inspector, and scroll through the Console to find any messages about “mixed content” like this:

In the example above, the mixed content is coming from the Revolution Slider slider that the person has on their home page. You may find similar mixed content being delivered via options set for the theme, sliders, visual layout builders, widgets (particularly text widgets), and other plugins. These are often not caught by the Better Search and Replace above.

You will need to manually edit these URLs in the plugin, theme settings, stylesheet, or widget area.

Tip: You can install the Really Simple SSL plugin to handle any sites that are being challenging to get to show the lock icon. In general, I do not like to use force SSL plugins if I can help it, and WP Engine is already doing this for you, so you don’t need to do it. On other hosts that aren’t managing rewrites of http to https for you, the Really Simple SSL plugin is very helpful and can save a lot of aggravation and time in finding and replacing mixed content: https://wordpress.org/plugins/really-simple-ssl/

Step 6 – Clear website, hosting, and browser cache.

To avoid troubleshooting mixed content issues that don’t exist, be sure to completely flush any cache that the web host might provide. For example, at Site Ground and Get Flywheel, you will want to login and flush the cache completely from the control panel. At WP Engine, you can go to your WordPress dashboard’s WP Engine section and flush the object cache.

Also, flush your browser cache and any other caching plugins you might have installed.

Then return to Step 5 to check for mixed content.

How do I inform Google of my change to https?

Step 1 – Change site to use HTTPs in Google Analytics settings.

1 – Login to your Google Analytics account.

2 – Click the Gear icon in the lower-left column.

(Six months from now this may be in the upper-right, lower-right, upper-left corner of the page. As soon as I publish something, Google moves this around. So, just look for the gear icon or some sort of Admin link.)

3 – Click on the Property Settings and change the Default  URL to use https:// as shown below.

Click Save to save this change.

4 – Return to the admin page and click the View Settings and make the same change there and click Save.

This will not impact any previous analytics data but will allow Google Analytics to now track https URLs from this time forward.

Step 2 – Add the site with https to Google Search Console.

You should have already had your site added to Google Search Console using http for the URLs. If not, you will want to add your domain with http both the non-www and www and with https both the non-www and the www to Search Console. For instructions on this process, please see: Submitting Your WordPress Site to Google Search Console.

Step 3 – Submit Domain Name Change to Google.

If you migrate your site from HTTP to HTTPS, Google treats this as a site move with a URL change. This can temporarily affect some of your traffic numbers. See the site move overview page to learn more.

SSL SEO Considerations

Not doing the change to https correctly can greatly effect your SEO. For example, if you fail to install SSL on your www domain while using the non-www, the traffic from the www will not get redirected correctly to the non-www because browsers first check for http status before they do any other Apache redirects.

Be sure to test all the domains that your site can be found under past and present to make sure they redirect correctly to your primary domain.

.htaccess Rules for pointing parked domain to primary domain

If you have a parked domain, you will want to make sure that the http and https for this domain (if Google has indexed the https for it in the past) both point to the primary domain by editing your .htaccess file on the server with these redirects:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^olddomain.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.olddomain.com$
RewriteRule ^(.*)$ https://newdomain.com/$1 [R=301]


Write to me!

Please comment below with any issues are questions you may have on this process. I will improve these instructions as needed to address any common issues people face.

The post How to Install SSL Certificate and HTTPS in WordPress appeared first on Ask WP Girl.

Malware Removal WordPress Plugin

I highly recommend the MalCare plugin by the makers of BlogVault. They have both a free and paid version. If you can access your WordPress Dashboard and install a plugin, this is the most affordable and quick way to remove Malware from your site. The paid version is just $99/year, which is a bargain compared to other similar services. You then get access to the MalCare security expertise. You can use this link for 10% off your first year: https://malcare.com/womeninwp

What I like about the MalCare plugin:

• All scanning takes place on their cloud servers, so there is no impact to the performance of your site.
• There are no configuration options. Install and activate, and it immediately blocks brute-force attacks, sets up a firewall, and copies your site encrypted to their servers for regular scanning.
• One-click malware clean up with ability to restore if something goes wrong.
• Deep scanning of files and database with robust algorithm for finding complex malware.
• Very few if any false positives.

Please try it out and let me know how it works for you in the comments below.

WordPress Malware Removal Services

If you can’t access your WordPress admin due to the hack, I highly recommend using a professional to clean the site. Jim Walker, the Hack Repair Guy, is the person I most often refer people to along with Sucuri, which has a great knowledge base of research on website security, vulnerabilities, vectors, and more. I have referred many people to Jim, and they have all been quite pleased with his thoroughness.

If you are going to attempt to clean the site yourself, here are steps I recommend:

Steps to Remove Malware from WordPress Site

Step 1: Backup the Site Files and Database

• Backup the full site if you can using the web host’s site snapshot feature. This will be the most thorough backup of your entire server. However, it might be quite large, so be prepared for the download to take time.
• Use a WordPress backup plugin if you can login okay. If you can’t log into the site, the hackers may have compromised the database in which case, you may want to use one of the professionals I mentioned above.
• Make a separate, additional backup of the database using these steps.
• If you can login, also use Tools > Export to export an XML file of all your content.

Some sites might be quite large. The uploads file itself could be over 1GB. The wp-content folder is the most important folder on your server as it contains all your uploads. If you can’t run a backup plugin and your web host doesn’t have a “snapshots” feature, then you can use the web host’s File Manager to make a zip archive of your wp-content folder and then download that zip file.

If you have multiple installs of WordPress on the server, you’ll want to back up each one.

Note about .htaccess file: Make a back up of your .htaccess file and download it. This is an invisible file, so you can only see it in the web host’s File Manager if you choose to show invisibles when you launch the File Manager. Rename this file to remove the period at the beginning, so you can see it on your computer, otherwise it will be invisible on your computer as well. Then download it. You may need a back up of the .htaccess file in case it contained content you’ll need to copy back over to your clean site. Some hosts use the .htaccess for determining the PHP version you are using, so the site will not work correctly without that. Some people put 301 SEO redirects in their .htaccess file. Also the .htaccess file could have been hacked, so you’ll want to examine it later.

Step 2: Download and Examine the Backup Files

Once the site is backed up, download the backup to your computer, double-click the zip file to open it. You should see:

• All the WordPress Core files. You can download WordPress from WordPress.org and check out the files in the download and match them to your own. You won’t really need these files, but you may want them for your investigation into the hack later.
• The wp-config.php file. This is important as it contains the name, username, and password to your WordPress database which we will use in the restore process.
• .htaccess file. This will be invisible. The only way to know if you backed this up is to view your backup folder using an FTP program (like FileZilla) or code editing application (like Brackets) that lets you view invisible files (check the Show Hidden Files option) within the application’s interface.
• The wp-content folder. In the wp-content folder, you should see at least three folders: themes, uploads, and plugins. Look in these folders. Do you see your theme, plugins, and uploaded images? If so, then that’s a good sign you have a good backup of your site. This is typically the only mission-critical folder you need to restore your site (in addition to the database).
• The database. You should have an SQL file that is an export of your database. We are not going to delete the database in this process, but it’s good to have a backup.

Step 3: Delete All the Files in the public_html folder

After you have verified you have a good and complete backup of your site, delete all the files in your public_html folder (except the cgi-bin folder and any server related folders that are clearly free of hacked files) using the web host’s File Manager. I recommend the File Manager because it’s a lot faster than deleting files via FTP. If you are comfortable with SSH, then that will be fast as well. Be sure to view invisible files to delete any compromised .htaccess files as well.

If you have other sites that you are hosting on the same account, you can assume they have all been compromised as well. Cross infection is common. You must clean ALL the sites, so back them all up, download the backups, and do the following steps for each one. I know this sounds severe, but, seriously, trying to scan for and find all the hacked files on a server is absolutely onerous. Just make sure each of your backups is complete. And don’t just clean one website and then clean the other leisurely as in the time it takes you to clean one, then other that is still infected can re-infect the one you just cleaned. Treat it like the bubonic plague.

Step 4: Reinstall WordPress

Using the one-click installer in your web hosting control panel, reinstall WordPress in the public_html directory if this was the original location of the WordPress install or in the subdirectory if WordPress was installed in an add-on domain.

Referencing the backup of your site, edit the wp-config.php file on the new install of WordPress to use the database credentials from the your former site. This will connect the new WordPress installation to the old database. I don’t recommend re-uploading your old wp-config.php file as the new one will have new login encryption salts and will definitely be free from any hacked code.

Step 5: Reset Passwords and Permalinks

Login to your site and reset all user names and passwords. If you see any users you don’t recognize, your database has been compromised, and you need to contact a professional to make sure no unwanted code has been left in your database. I do have a Nuke it From Orbit blog post you can read if you want to kill your old database and start fresh. It’s a bit more work but really does ensure you have a clean site.

Go to Settings > Permalinks and click Save Changes. This will restore your .htaccess file, so your site URLs will work again. Be sure when you deleted files on your server that you showed invisible files, so you didn’t leave any hacked .htaccess files behind. .htaccess is an invisible file that controls a lot of things on the server and can be hacked to maliciously redirect people from your site to other sites.

Be sure to rest all FTP and hosting account passwords as well.

Step 6: Reinstall Plugins

Reinstall all your plugins from the WordPress repository or fresh downloads from the premium plugin developer. Do not install old plugins. Do not install plugins that are no longer maintained.

Step 7: Reinstall Themes

Reinstall your theme from a fresh download. If you customized your theme files, reference your back up files and replicate the changes on the fresh copy of the theme. Do not upload your old theme, as you may not recognize which files have been hacked.

Step 8: Upload Your Images from the Backup

Now is the tricky part. You need to get your old image files copied back up to the new wp-content > uploads folder on the server. However, you don’t want to copy any hacked files in the process.You will need to carefully examine each and every year/month folder in your backup and look inside each folder and make sure there are ONLY image files and no PHP files or JavaScript files or anything else you did not upload to your Media Library. This is tedious. Once you have blessed each year/month folder, you can upload these to the server using FTP.

Step 9: Scan Your Computer

Scan your own computer for viruses, trojans, and malware.

Step 10: Install and Run Security Plugins

Install and activate the Shield WordPress Security plugin by iControlWP. Check through all its settings. I’d recommend running the Audit feature for a few months to keep track of all activity on the site.

Run the Anti-Malware Security and Brute-Force Firewall and scan the site thoroughly. Scan the site with Sucuri’s Sitecheck to make sure you didn’t miss anything. You don’t need two firewall plugins running, so de-activate the Anti-Malware plugin after you’ve verified the clean site. Shield will notify you in the future if any core files have changed.

Quick and Dirty Hack Repair to Remove Malware from WordPress Site

Sucuri has a great step-by-step guide for hack removal that includes details on how to use the Sucuri plugin to facilitate the process above. Sucuri’s plugin has some great Post Hack features, including:

• a core file scan
• quick access to error logs
• tool to reset all user passwords
• ability to automatically reinstall all free plugins
• ability to reset encryption salts

If you want to simplify the hack recovery process above, what you could do is:

1. Use the Sucuri plugin to scan core files and replace/delete ones that have been modified or don’t belong.
2. Use the Sucuri plugin Post Hack tab and Site Audit tab to replace all free plugins, reset user passwords, reset encryption salts.
3. Re-upload premium plugins.
4. Review the contents of every folder in the wp-content folder with a fine-tooth comb (except the individual plugin folders which you would have replaced in step 2 above).
5. Evaluate each and every theme file carefully.
6. Delete unused themes and plugins.
7. Comb through your uploads folder carefully.
8. Manually examine your .htaccess file and any other files left in the public_html folder that you didn’t replace.

The purpose of my slash and burn approach is that many people inadvertently leave hacked files behind if they aren’t methodically and consciously choosing what to upload back to the server. However, if you are pretty detailed oriented and very familiar with your WordPress files and what they should look like (e.g. you are familiar with how to customize themes and what theme code should look like), you can clean up a hack using this simplified approach.

Finding the cause of the hack

Finding the cause of a WordPress hack can be tricky if you are not a professional, but it is certainly not beyond your reach if you have an eagle eye. Check out this post by Smashing Magazine on common WordPress hacks. Once you have identified the type of hack you encountered, you can more easily narrow down why it occurred. In many cause the WHY is not as important as the clean up, but can be important if the cause came from your own computer.

I had one client whose site was infected by a browser extension she inadvertently installed on her computer. She essentially hacked her own site by injecting JavaScript into her Visual Editor every time she edited a page on the site! This code was invisible in the Visual Editor (though it was visible in the Text tab), and even if I cleaned it up, she would have hacked herself again. A Google search on some text I found in the injected code led me to an article on Sucuri’s website that helped me figure out why the hack occurred and get the client to an IT professional to fix her computer.

Also, if you reinstall the same plugin or theme that was vulnerable and aren’t aware that this is why your site was hacked, then the site will get re-hacked pretty quickly. So knowing the cause is more about making you aware to not repeat the same mistakes after all the effort you went to to clean things up.

If you want to go deeper into the cause of the hack, do the following:

• Inspect your backup for hacked files. They will have odd names and stand out from the other files in your WordPress install or may have recent modified dates. If you open these files in a code editor like Dreamweaver, TextWrangler, BBEdit, Coda, etc., you may notice quite quickly by way of the color coding of the code or the huge amount of code that something is odd. See screenshots below.
• Do a Google search on specific phrases, included files, or file names. Sometimes it might just be the name of a div class you find in the hacked code as on my client’s hacked site.
• Examine the Raw Access Logs on the hosting cPanel to find out what files the hackers were accessing (look for POST statements in the log files). This will be a clue as to what exactly was compromised and when. You can look up the IP address accessing these files to find out where the hacker was coming from.
• Most hacks are caused by old plugins and themes, so look up the plugins you used on your hacked site and see if maybe the site was compromised due to an older version of Gravity Forms, Revolution Slider, timthumb.php script in a theme or plugin, etc. Many sites are hacked through common, known vulnerabilities. It’s all low hanging fruit for hackers.
• Search the database for hidden admin users and other potential hacked content. Sucuri has a great tips on how to scan your database for hidden malicious code. If you do try to modify your database, back it up like 3x first!

Monitoring your site

Stay on top of Google Search Console notices as well as any error logs you find on the server after your clean up. You can look to your Raw Access Logs on the server to track any users accessing files on the site, particularly POST requests. If this is not turned on, you can turn archiving of Access logs on in your cPanel.

You can use the Shield WordPress Security plugins Audit Trail feature to track any changes to files or access to the site.

The post 10 Steps to Remove Malware from Your WordPress Site appeared first on Ask WP Girl.

An ounce of prevention is worth a pound of cure. This can’t be truer in regards to website hacks. WordPress sites are compromised not by sophisticated hackers but by bots written to exploit known vulnerabilities. These vulnerabilities include weak passwords, outdated plugins and themes, and poor-quality web hosting.

When a site is hacked, the following things can be effected:

• Files can be uploaded to the server containing malicious code or PHP backdoors
• Files already on the server, such as your theme files, can be modified
• Code can be injected into your WordPress database
• Users with administrative privileges can be added to your WordPress database
• Numerous post and pages can be published containing spam code
• Your site can be redirected to malware sites

In other words, having your site hacked can be a BIG mess to fix. It can truly take hours to recover, and your SEO can take a big hit if Google decides to blacklist your site. See: Sites Hosting Malware Get 30 Day Ban from Google.

Luckily, preventing hacks is quite easy, though it does require diligence.

10 Tips for Preventing WordPress Hacks

1 – Use strong passwords

You should get a password tracking tool like 1Password to track all your passwords. You can no longer use the same password on every internet account and get away with it. You can’t use your dog’s name or favorite soft drink or band name. You need unmemorable, long, difficult passwords.

In the past couple weeks, I’ve had two clients call me because their Gmail, Instagram, or AppleID was hacked due to using a weak password. It is very easy to use a password hacking program to discover what your password is. In both cases, my clients used passwords that could be guessed by a password detection tool in under 1 second!

Test the strength of your existing passwords here. and then give some serious thoughts to using 1Password and creating passwords that are long, complex, and obscure and change them frequently. With 1Password, you only have to remember one complex password.

2 – Keep WordPress themes, plugins, and core up to date

It’s not enough to login once a month or less to do updates. Exploits will occur within days on massive numbers of sites as soon as they are published. My forgotten site that I didn’t update was exploited within a couple weeks of the Gravity Forms vulnerability being announced. You must update immediately when there is an update. Read my post on how to update your WordPress themes and plugins safely to avoid breaking your site.

For plugins that don’t have front-facing functionality, you can use the Shield WordPress Security plugin to perform auto updates for you. If you manage more than one site, check out my post on site management plugins.

3 – Keep your server clean

Delete unused versions of WordPress on the server. It’s easy to forget these exist. Unused WordPress files, plugins, themes, etc., even if they are not being used, not active, not even associated with your current install can be exploited. Delete delete delete. Run a tight ship

4 – Check your plugins and themes for continued support

Don’t use plugins and themes that are no longer maintained. If your plugin or theme hasn’t been updated in a year or more, replace it. This can be a huge problem with themes. Many developers are fly by night and don’t stick around more than a couple years to support their theme.

When you shop for a theme or plugin, look for a theme or plugins with current support requests that have been answered in a timely manner, good star ratings, and recent and frequent updates. Not all top-selling themes are the best themes, however, they are more likely to have ongoing support and updates. Read the comments for quality of response and tone. Look for helpfulness, enthusiasm, thoroughness, quick response, good articulation, and positive attitude.

WordPress premium themes often come bundled with third-party plugins. The theme developer may or may not provide timely updates for these bundled plugins. For example, the Revolution Slider, a popular animated slider, comes bundled with hundreds of themes on ThemeForest. The Revolution Slider had a major security vulnerability in 2014. However, theme developers who bundled it with their themes did not necessarily update the plugin when they updated their themes. As a result, many themes on ThemeForest distributed a highly insecure plugin for months after the vulnerability was discovered. This vulnerability lead to tens of thousands of websites being hacked and directing traffic to malicious sites.

The upshot of all this is that if you purchase a premium theme that comes bundled with premium plugins, like Visual Composer, Layer Slider, Revolution Slider, or others, purchase these plugins SEPARATELY, so you can be notified of updates to those plugins specifically and not rely on a theme developer to keep you safe.

5 – Protect your computer and home network

Run virus scans all the time especially if you run Windows. Be careful of the sites you visit. You can inadvertently give your WordPress login away through a keystroke tracking Trojan which will steal your passwords as you type them on your keyboard. Protecting your computer is often about not visiting websites that are distributing malware. But, even known sites, such as friend’s cooking blog, could be hacked. So, you need some protection wherever you go on the web.

For Mac OS:

• Scanning software isn’t usually needed, but I like Avira because it recognizes malware patterns along with malware and trojan signatures.
• Turn on the Firewall in your System Settings (Security & Privacy). In the Firewall Options, check the box to Enable Stealth Mode. This will allow your computer to not be visible on networks.

For PC:

• Avira and Avast! are both good anti-virus applications.
• Be sure Windows Firewall is running.

For your network:

• See these great tips on securing your home network.

6 – Run a WordPress security plugin

I highly recommend the MalCare plugin by the makers of BlogVault. They have both a free and paid version. What I like the most about their plugin is that there are no configuration options which can be super confusing with other security plugins. Also, all the malware scanning takes place on their cloud servers, so there is no impact to the performance of your site. It also runs brute-force protection and a robust firewall.

The paid version is just $99/year, which is a bargain compared to other similar services. You can use this link for 10% off your first year: https://malcare.com/womeninwp

Please try it out and let me know how it works for you in the comments below.

I also like Shield WordPress Security by iControlWP. I have used Wordfence in the past, and it continuously created errors in the error log files on multiple sites. Other popular plugins out there can easily break your site or have you focused on “security” measures that do nothing for security while missing out on important things like login protection.

7 – Don’t login on public WiFi networks

If you login to your WordPress site on a public network, you are essentially giving your login credentials away to anyone else on the network who might be running packet sniffing software. If you don’t have an SSL certificate installed on your site (which encrypts your username and password on the network), then use a Virtual Private Network (VPN) service to encrypt your traffic on the network. Use this even if you do have an SSL certificate on your site as it’s good to stay in a virtual private network on any public networks.

8 – Install an SSL certificate on your site

This encrypts the data you and users to your site transfer via the site, such as when submitting contact forms or using login in pages. Otherwise, data is transferred like a postcard in the mail, meaning anyone who’s looking can read it. Having SSL installed on your site allows you to login security (via https) while traveling. Many hosts offer this for free, and you can use the Really Simple SSL plugin to force your content to use https.

9 – Consider better web hosting

Hosting companies like WP Engine, Site Ground, Kinsta, and Flywheel have your back when it comes to security. They routinely do security scans and will clean your hacked site for free, though I have known people to be hacked on these services, and it can take days to get unhacked (or not at all).  I’d still recommend running the MalCare plugin, because hosts are not malware experts. I have been hosting most of my sites lately with SiteDistrict, because their performance is quite excellent in terms of site speed (right up there with Kinsta), and their support is hands-on and proactive.

10 – Backup your site

While backups are not always all that helpful in recovering from a WordPress hack, they are essential for disaster recovery, especially when it comes to damage to your database which is where all your site content stored. See my post on Backing Up WordPress.

Ongoing monitoring of your site

• It’s important to signup for Google Search Console to be alerted about any issues on your website.
• Monitor error logs on the site via the cPanel File Manager or FTP (SFTP).
• View Raw Access Logs on the server to track any users accessing files on the site, particularly. POST requests. If this is not turned on, you can turn archiving of Access logs on in your cPanel.
• You can use the Shield WordPress Security plugin’s Audit Trail feature to track any changes to files or access to the site.

Summary

WordPress security is not hard. Cleaning up hacks is. Please take a little time to review your site, make a list of things you need to, and check them off one at a time. Start by getting everything updated and get a backup solution set up. Update your plugins and sign up for Google Search Console. Reset your passwords. I’ll be writing another post soon on how to audit your site to look for hacked files, so stay tuned!

The post Preventing WordPress hacks appeared first on Ask WP Girl.

Google just got stricter with its safe browsing policies. It will brand malicious sites as ‘deceptive’ and won’t entertain reviews to ‘unclean sites’ for 30 days!

This is a big deal for the average WordPress website owner who is the victim of hackers. Cleaning a hacked WordPress site is both time consuming and expensive depending on the severity of the hack, and sometimes even the most conscientious malware removal can miss things. When this happens the first time, you can request that Google “review” the site and give you it’s blessing that the site is now “clean” and free of malware and unwanted software. 

If you missed something during your malware cleanup, and the malware returns, your site will be marked as unsafe for 30 days after which point, you can request a new site review. This basically sucks for small business owners who will suffer both loss of web traffic and Google search results ranking for 30 days or more. This also tasks malware removal companies with a great responsibility as many have been more cavalier about their malware removal approaches by offering to clean the site for free if the malware returns. This is no longer good enough. They really need to make sure it is gone and gone for good! Free site cleaning is not going to give you back your 30 days of lost web traffic.

When Google marks your site as unsafe, one of the following things may happen depending on the type of offense Google finds your site guilty of:

1 – On the Search Engine Results page, searchers will see the message “This site may be hacked” beneath the URL. In this case, Google says:

2 – The other message that may show on the Search Engine Results page is: “This site may harm your computer” beneath the URL. In this case, Google says:

You’ll see the message “This site may harm your computer” beneath the site URL when we think the site you’re about to visit might allow programs to install malicious software on your computer.

If this is the case, when clicking the link, the user will see a screen something like this:

The site is blacklisted by Google. To see a full list of types of blacklist status, read What is Google Blacklist at Sucuri.

Who is subject to the 30-day Google Site Review ban?

According to the Google Security Blog, not all hacked sites will be subject to the site review ban:

Please note that websites that are hacked will not be classified as Repeat Offenders; only sites that purposefully post harmful content will be subject to the policy.

How do you know if your site is a repeat offender?

According to the Google Security Blog:

When a site is established as a Repeat Offender, the webmaster will be notified via email to their registered Search Console email address.

To sign up for Google Search Console, see Submitting Your WordPress Site to Google Search Console.

Removing the Google malware message from your site

The “This site may harm your computer” notice won’t be removed until the webmaster of the site takes action. Visit this page for details on now to remove malware notice from your site: https://developers.google.com/webmasters/hacked/ and https://sucuri.net/guides/how-to-remove-google-blacklist-warning.php

These steps include:

1. Register and verify your site in Google’s Search Console. (See my post on how to register with Google Search Console using the Yoast SEO plugin.)
2. Sign in to Search Console and check the “Security Issues” section to see details of sample URLs that might be infected. 
3. Clean the infection from your site (see 10 Steps to Remove Malware from Your WordPress Site).
4. Request a review in the Security Issues section in Search Console when your entire website is clean and secure. After we determine your site is fixed, we’ll remove the “This site may harm your computer” notification.

The post Sites Hosting Malware Get 30 Day Google Ban appeared first on Ask WP Girl.

Q. I’ve installed my website in a subdirectory of our domain, because I didn’t want visitors to see the site until I was finished with our development.

Now I want to have the site show up in the root directory (not in the http://mydomain.com/wordpress directory). How do I do this? I’ve read the information on moving WordPress, and it seems really complicated.

A. The good news is that you DO NOT need to MOVE WordPress in order to have your content display without the subdirectory name. You only need to move 1 file and change one line of code and make one modification to your General Settings, and you’re good to go (see instructions below).

• If you feel a strong need to actually MOVE the WordPress installation from the subdirectory into the public_html folder, I’ve written instructions for moving WordPress from the subdirectory to the root directory here.
• If you installed WordPress in a subdomain (e.g. you can view the site via an address like http://dev.askwpgirl.com instead of https://askwpgirl.com/dev), then please see Moving WordPress from a Subdomain to a Root Directory instructions. They are similar instructions by slightly different.

Installing WordPress in a subdirectory can be a good idea because:

• It keeps your root directory clean and tidy (in case you need to add any other PHP applications to your site).
• It adds a layer of security through obscurity by obscuring the location of your WordPress application files. Ideally, you want to name the subdirectory something not too obvious (ie don’t call it wp or WordPress). I’m not sure how obscure this really makes WordPress, because you can obviously get the subdirectory name from any images uploaded to the site, since they will still read as sitename.com/subdirectory/wp-content/uploads/image.jpg, so I usually install WP in a subdirectory for development purposes or to simply keep the root directory clean in case I install any subdomains or other applications.
• It allows you to develop a new WordPress site while maintaining your current website in the root directory. Once you’re finished with your WordPress development, you can backup and then delete your current site’s files, and use the following instructions to display WordPress from the root directory of the site.

Note: If this is an older site, you will need to create 301 redirects to redirect your old page/post URLs to the new page/post URLs. Also, if you have a lot of internal hyperlinks, you will need to manually update those.

Before attempting to move WordPress

a) Clear ALL pages cached by your caching plugin cache AND then de-activate the caching plugin. Also, de-activate Broken Link Checker and any Redirection plugins;

b) Remove any old site files from the root directory — perhaps copy them to a folder called _backup – this includes an index.html file which will totally make this process not work. You MUST remove all those old site files and folders or move them into another directory, so they don’t interfere with WordPress. Having an index.html and index.php in the same folder causes confusion, and likely, the index.html will be used instead of WordPress’ index.php file;

c) Make sure you don’t have any other folders in the root directory that have the same name as any pages on your WordPress site, for example “blog” unless of course this is the name of your subdirectory install of WordPress in which case you cannot have a page of the same name because the browser will get confused and look for that page in that folder, then things are really confused;

d) Use wp-db-backup to make a backup of your database – http://wordpress.org/plugins/wp-db-backup/;

e) Be sure you have access to your database via phpMyAdmin on your web host’s control panel in case you type the URLs wrong in the next step. Your database username and password are in the wp-config.php file.

Displaying WordPress URLs from root directory when WordPress is installed in a sub directory

1. Login to the WordPress Dashboard. From the Settings -> General tab, set your WordPress address URL to the subdirectory you installed WordPress in (without the trailing slash). Note: This will already be displayed in the WordPress address field, so you don’t have to change it. What you do need to change is the Site address URL. Set this to  your site’s root address (without the trailing slash).

2. Using an FTP application or your web host’s File Manager, DOWNLOAD the index.php file that is in the WordPress application directory (not the one in your theme’s folder or elsewhere) and then UPLOAD the copy you downloaded to the root directory. (By root, I mean the www, htdocs, or httpdocs folder — NOT the root of your hosting account! You simply want to upload the copy of the index.php file and put it in the parent folder of your subdirectory which presumably is the location for the main URL of your website.)

Alternately, you can use your FTP application and MOVE the index.php “to the parent” but then you MUST read and follow step 6 below.

(Note: If you have a site already in the root directory, such as an old static html site, then you should backup and delete those files first.)

3. In a text or HTML editor, open the index.php file that you just copied and/or moved to the root (aka main url) directory and change the location of your wp-blog-header.php to tell WordPress where it can find the WordPress application files in the subdirectory:

Example: if your WordPress installation folder is ‘mywp’, you would change:

require( dirname( __FILE__ ) . '/wp-blog-header.php' );

to

require( dirname( __FILE__ ) . '/mywp/wp-blog-header.php' );

Important: Be sure you type this correctly! A missing / or too many slashes or missing period or apostrophe can make this not work. Believe me, I’ve seen people be totally freaked out things didn’t work and it was because they typed this line wrong.

4. Visit the site and click an interior page to make sure it displays correctly. If it doesn’t, you may need to update your permalinks (Settings -> Permalinks and click Save Changes). If you still cannot access your interior pages, then the .htaccess may need to be moved to the same location as the index.php file (i.e. the root directory). This is not necessary on all web hosts. Be sure to update the permalinks again after you move the .htaccess file.

Remember that your login and registration links will still be http://www.yoursite.com/mywp/wp-login.php.

Now, when people visit your site, they will see all the URLs of all the pages and posts as if you had installed WordPress in the root directory, and you will have a neat WordPress directory behind the scenes.

Note: If the site you are redirecting to the root previously was your live site, and you have a lot of posts whose URLs you do not want to change, then you should change your Permalink structure to INCLUDE the old subdirectory name (e.g. mywp), so none of your post hyperlinks break. For example:

/mywp/%postname%/

The /mywp/ will only be in the URL of the posts, not the pages.

5. Create a “Silence is Golden” index.php file in the WordPress directory.

If you copied the index.php file instead of moved it, this step is optional. Essentially, you don’t “need” this duplicate index.php file in the subdirectory because it doesn’t really do anything other than prevent people from reading the directory contents. However, if you moved the index.php file leaving the WP directory without an index.php file, then you should create a new blank index.php file and put the following code in the file:

[php]<!–?php // Silence is golden. ?–>[/php]

Problems?

If you have any trouble with this process, please visit my Moving WordPress from Subdirectory to Root FAQ.

Success?

If this process was successful, please comment with a thumbs UP below, share on Twitter, follow me on Facebook. Thanks!!!

The post How do I move WordPress from a subdirectory to the root directory? appeared first on Ask WP Girl.

Note: If you installed WordPress in a subdirectory (e.g. http://mysite.com/subdirectory) and not in a subdomain (http://subdomain.mysite.com), then please see How to move WordPress from a subdirectory to the root.

You can “move” WordPress from the subdomain to the root domain using one of the following approaches:

• Back the site up using a backup or migration plugin (such as BackupBuddy, Duplicator, or All-in-One WP Migration). While leaving the subdomain of the site intact, you can restore the backup of the subdomain to the root directory. This is a nice option as it allows you to keep the WordPress install in the subdomain as a perpetual staging environment for testing WordPress updates or trying out new plugins or code.
• If you do not want to maintain two WordPress installs on your hosting account (which is twice the work as maintaining one site and necessary to prevent hacking), you can do one of the following:
  • move the WordPress install to the root directory
  • keep the WordPress install in the subdomain folder, but rewrite the URLs to display them from the root
  • use one of the plugins mentioned above to “migrate” the dev site to the root directory then delete the subdomain.

Below are instructions for how to move or show the site from the root directory without using a migration plugin.

Before moving WordPress from the subdomain to the public_html (aka www or “root”) folder

Note: When I say “root” I mean the domain root NOT the hosting root folder. The domain root folder is typically called html, www, or public_html on most web hosts. Some WordPress installs are pretty gnarly with folders inside of folders inside of folders, and finding the folder that the host considers to be the primary domain root folder can take some digging.

1 – Be sure you have access to your web hosting control panel and File Manager within the control panel as well as access to phpMyAdmin should you need to revert the changes you make to the WordPress General Settings below.

2 – Make a back up of your database using UpdraftPlus or BackWPUp plugin. Download this file and keep it safe.

3 – Remove any old site files from the public_html directory — perhaps copy them to a folder called _backup – this includes an index.html file which will totally make this process not work. You MUST remove all those old site files and folders or move them into another directory, so they don’t interfere with WordPress. Having an index.html and index.php in the same folder causes confusion, and likely, the index.html will be used instead of WordPress’ index.php file. Do not move server related folders in the public_html directory such as cgi-bin. It’s okay for those to stay in place.

4 – Make sure you don’t have any other folders in the root directory that have the same name as any pages on your WordPress site, for example “blog” unless of course this is the name of your subdirectory install of WordPress in which case you cannot have a page of the same name because the browser will get confused and look for that page in that folder, then things are really confused.

5 – If you are using a caching plugin, delete all cached pages and de-activate caching.

Option 1: Move WordPress from subdomain folder to public_html directory

This is the most straight forward process to get WordPress out of the subdomain and into the root directory.

1 – Go to Settings > General and change the URL for both the WordPress Address and Site Address to use the main domain name. Be sure to remove the trailing / . Click Save Changes.

2 – Using FTP or the web host’s File Manager, you will need to MOVE all of the WordPress files from the subdomain’s folder up one level to the public_html aka domain root folder.

To do this with FTP, in the remote server area of the FTP application window, toggle open the subdirectory containing the WordPress installation you wish to move. Select all the files in this directory and drag them out of this directory and into the public_html folder or whatever directory this directory is within.

If you are using the File Manager on the web host’s control panel:

• Double click the subdirectory containing the WordPress files to expand it open.
• Click Select All to select all the files and folders.
• Click the Move File icon.
• In the Move dialog box, remove the subdirectory from the path field, so the path you are moving to is /public_html
• Click Move Files.

(Note: Some hosts might have a different name for this folder or you may have installed WordPress in a subdirectory inside another directory. Just remove the current subdirectory from the path along with the forward slash /, but don’t remove anything more than that.)

The files should now be moved to the public_html.

3 – Login to WordPress in the root directory which should be your domain name plus /wp-admin, e.g. http://mywebsite.com/wp-admin.

4 – Go to Settings > Permalinks and click Save Changes. This will rewrite the .htaccess file that controls the  “pretty” URLs on the site. This likely isn’t going to be an issue when you are using a subdomain install, as the .htaccess contents should be correct.

5 – Install the Velvet Blues Update URLs plugin.

Under Tools > Update URLs, type the subdomain website address in the Old URL field and the main website address in the New URL field.

Be sure to not end the URLs with a forward slash /. If you do end it with a forward slash, end it with a forward slash for both URLs not just one. Consistency is important here.

Be sure to NOT not update all GUIDs. This will result in many theme settings to reset and posts to republish to the RSS feed.

6 – Click the Update URLs button. This should catch most of the URLs on the site. However, if it seems to miss several, you can try repeating this process without the http:// part of the URL, and see if it catches more.

7 – Check for other URLs not caught with the Velvet Blues plugin including:

• Appearance > Menus — check for any custom URLs to the old site URL in any custom menu items, such as the home page link.
• Appearance > Theme Options or your theme’s Theme Options page — check the URLs for any uploaded files such as the logo or favicon and remove the subdirectory from the URLs as needed.
• Sliders — If you use Revolution Slider or other slider plugin may not update the URLs to the slider images with the Velvet Blues plugin. Edit the slider and remove the subdirectory from any image URLs.
• Shortcodes and custom layouts — Some shortcodes for button links or custom theme layouts may contain URLs to the subdirectory which you may need to manually change. If you can find a pattern to these, you can try to run the Velvet Blues plugin again using the URL pattern you find.

8 – Test the site and be sure everything is appearing as expected. If anything is amiss, be sure to clear your browser cache completely or test in a browser you don’t usually use.

9 – Reset the caching and update the .htaccess file per the caching plugin instructions as needed.

Please comment below if you have any issues, as I can write more instructions for troubleshooting as needed. The main issue with this technique is that it’s possible for people to move the WordPress files BEFORE making the URL edits in the General Settings, and that will make the site inaccessible. However, this is quickly remedied by going into phpMyAdmin and accessing the wp_options table and changing the site and home URL as needed.

Option 2: Keep WordPress in the subdomain’s folder but show the URLs from the root

This option is slightly less intimidating because it doesn’t involve moving all the WordPress files. You only need to copy one file and move that to the public_html directory. This process will not allow you to access the WordPress installation via the subdomain any longer. It simply allows you to keep WordPress in the subdirectory (aka subfolder) on the hosting account created for the subdomain but essentially makes the subdomain not usable unless you recreate the subdomain and have it point to a different folder.

The only issue with the process below is if you created a not-so-user-friendly subfolder name for the installation, such as “dev” or “test” or “staging.” This would not be a professional folder name to use on a live site. Even though this process will allow you to show the URLs from the root of the domain, your uploaded images, PDFs, and other media files will reference the subdirectory (subfolder) name.

Changing the WordPress Subdomain/Subfolder Name

If you want to throw complete caution to the wind, you could go ahead and rename the subfolder, and I will tell you below EXACTLY at which point in the process to do so, so you don’t lock yourself out of the site. But, have no fear! If you do mess up the folder name or the URLs, you can always fix this in the database using phpMyAdmin. In fact, trying this process on non-critical websites can build confidence in future migrations. Breaking things is always a great way to learn! Just maybe not on a client’s site.

Keeping WordPress in the subdomain folder but showing URLs from the root

1 – In your web hosting control panel File Manager or FTP application, please take note of the folder name of the subdomain installation. This is typically the same name as the subdomain, e.g. dev, staging, blog, test, etc., but sometimes it is different, so make sure you know what it is before proceeding.

2 – Go to Settings > General. What you will see is something like this:

You need to change the URLs to this where the WordPress Address is the main domain URL with a forward slash followed by the folder name you made note of in step 1 above, and the Site Address is the main domain URL.

Now is the opportunity to CHANGE the folder name but don’t do it in the File Manager or FTP yet. If you want to use a different folder name, enter that in the WordPress Address field, e.g. http://mydomain.com/newfoldername, then we will rename the actual folder in step 4 below.

3 – Click Save Changes. You will be immediately kicked out of the site.

4 – If you changed the folder name in the WordPress Address field, go ahead now and change the folder name in your control panel’s File Manager or FTP application.

5 – While you are in the File Manager of FTP application, download the index.php file in the subdomain’s folder.

6 – In a text or HTML editor, open the index.php file that you just downloaded and change the location of the wp-blog-header.php to tell WordPress where it can find the WordPress application files in the subdirectory:

Example: if your WordPress installation folder is ‘subdomain’, you would change:

require( dirname( __FILE__ ) . '/wp-blog-header.php' );

to

require( dirname( __FILE__ ) . '/subdomain/wp-blog-header.php' );

Important: Be sure you type this correctly! A missing / or too many slashes or missing period or apostrophe can make this not work. Believe me, I’ve seen people be totally freaked out things didn’t work and it was because they typed this line wrong.

Do NOT edit this file in Word or any text editor that uses Rich Text as it will turn the straight quotes curly and will break your site. If you don’t have a code editor application, then upload the file to your hosting account (see Step 7 below) and then edit it using the Editor feature in the File Manager instead.

7 – Upload this edited index.php file to the public_html folder on the hosting account. The file structure will look something like this:

8 – Login to WordPress in the root directory which should be your domain name plus /wp-admin, e.g. http://mywebsite.com/wp-admin.

9 – Go to Settings > Permalinks and click Save Changes. This will rewrite the .htaccess file that controls the  “pretty” URLs on the site. This likely isn’t going to be an issue when you are using a subdomain install, as the .htaccess contents should be correct.

10 – Install the Velvet Blues Update URLs plugin.

Under Tools > Update URLs, update your URLs as follows:

In the New Site Address field enter the URL to the correct folder name for the WordPress install that is in your Settings > General for the WordPress URL.

Be sure to not end the URLs with a forward slash /. If you do end it with a forward slash, end it with a forward slash for both URLs not just one. Consistency is important here.

Be sure to NOT not update all GUIDs. This will result in many theme settings to reset and posts to republish to the RSS feed.

11 – Click the Update URLs button. This should catch most of the URLs on the site. However, if it seems to miss several, you can try repeating this process without the http:// part of the URL, and see if it catches more.

12 – Check for other URLs not caught with the Velvet Blues plugin including:

• Appearance > Menus — check for any custom URLs to the old site URL in any custom menu items, such as the home page link.
• Appearance > Theme Options or your theme’s Theme Options page — check the URLs for any uploaded files such as the logo or favicon.
• Sliders — If you use Revolution Slider or other slider plugin may not update the URLs to the slider images with the Velvet Blues plugin.
• Shortcodes and custom layouts — Some shortcodes for button links or custom theme layouts may contain URLs to the subdirectory which you may need to manually change. If you can find a pattern to these, you can try to run the Velvet Blues plugin again using the URL pattern you find.
• Any manual links to internal pages will need to be edited to point to the domain without the subfolder in the URL.

13 – Test the site and be sure everything is appearing as expected. If anything is amiss, be sure to clear your browser cache completely or test in a browser you don’t usually use.

14 – Reset the caching and update the .htaccess file per the caching plugin instructions as needed.

This process is obviously more steps, and you need to be careful with each step to make sure you type the correct URL and folder names. Otherwise, it’s actually pretty simple. I think the most difficult part here is that you essentially going from a subdomain install to a subdirectory install then taking it one step further to show the URLs from the root domain and in this whole process you may have gone wild and decided to change the folder name while you were at it!

Fixing WordPress URLs in phpMyAdmin

For both of these processes, the main mistake that might be made is to the URL fields. A simple typo can really cause problems. To fix this, log in to your web hosting control panel and go to phpMyAdmin. If you are prompted for a username or password for the database, you can find both of these in the wp-config.php file in your WordPress install. (Tip: In the File Manager, you can view the wp-config.php file and copy the username and password to a text file on your computer for easy reference.)

1 – Once in phpMyAdmin, click on the wp_options table.

2 – Click the Browse tab at the top of the phpMyAdmin to see the contents of the wp_options table.

3 – Look for the two options names: siteurl and home.

4 – Check to make sure these are correct. If you did the process outlined in Option 1 above, both of these should be simply the website URL (e.g. http://mysite.com). If you did the process outlined in Option 2 above, the siteurl should contain the subfolder name. Check the File Manager or FTP application to make sure you have it correctly entered. The home URL should be the main URL for the site.

5 – If you need to edit these, click the pencil icon, make the changes, then click the Go button to save the changes.

Let me know if you get stuck! Write in the comments or contact me directly. I can often provide quick advice. If things are not easy to address via email, I am available for hire. It typically takes me 5-15 minutes to login and figure things out.

I would love if you could Tweet about this if it helped you!

The post Move WordPress from Subdomain to Root appeared first on Ask WP Girl.

Professional WordPress themes are a good choice if you have limited budget or skills for completely customizing your own theme using code (CSS and HTML). Below is a list of premium WordPress themes (linked to my affiliate accounts for each) that are both highly stylized but with lots of options for typography, colors, page templates, header styles, and more.

WP Jump Start – Affordable and Full-Featured WordPress Framework

WP Jump Start is my go-to theme for ALL custom WordPress sites. This professional WordPress theme is based on the very popular Twitter Bootstrap HTML/CSS/Javascript framework and contains FontAwesome icons, sliders, template builder, shortcodes, and more functionality than you can possibly imagine using. Please read my post about using Jump Start to build websites and how to get started. Jump Start 2.0 has full-width backgrounds that can contain images, sliders, parallax scrolling backgrounds, and more! You can view some sample sites using WP Jump Start on Pinterest.

Cost: $65/year for support and updates. Can be used on unlimited sites.

More Info / Download View Demo Get Hosting

Avada Theme – Theme Forest Theme

Avada Theme has more than 100,000 sales on Theme Forest. The support for this premium/professional WordPress theme is good, and the theme will do everything except the dishes. This is a good theme for non-coders but savvy users who can dig into the gazillion options available.

Cost: $59/site with limited support that can be renewed at Theme Forest

More Info / Download View Demo Get Hosting

WooThemes Canvas

WooThemes Canvas is a popular, customizable theme. It doesn’t offer nearly the options that either Jump Start or Avada has, but they have launched  a few nicely styled child themes that work with Canvas if you need a custom-looking site quick! It also integrates nicely with WooCommerce, the popular e-commerce plugin for WordPress.

Cost: $99/year for support and updates. Can be used on unlimited sites.

More Info / Download View Demo Get Hosting

Divi Theme by Elegant Themes

Divi Theme by Elegant Themes is meant to be customized, and many developers are using it for all their development needs. They rest of the Elegant Themes suite are beautiful but can be frustrating to customize. They provide documentation and full PSD files for all of themes. Another great reason to love Elegant Themes is that for one price (currently $89/year), you get access to ALL of their themes (currently 48!!!). Most themes have options for different color schemes and sidebar widgets.

Cost: $89/year for support and updates (and access to their plugins which you will need to take advantage of all the features). Can be used on unlimited sites.

More Info / Download View Demo Get Hosting

Genesis Theme Framework by Studio Press

Genesis Theme Framework is a professional WordPress theme framework that provides many options for the novice and experienced developer to customize a theme. You do need to learn the framework’s “hooks” if you want to do major customization which can be a steep learning curve, but Studio Press provides many online tutorials and documentation. Their highly stylized premium themes are worth investing in if you find a look that matches your need.

More Info / Download View Demo Get Hosting

The post 5 Best Professional WordPress Themes appeared first on Ask WP Girl.

If you visit WordPress.org and click the Plugins link, you’ll come to a page where you can search for free WordPress plugins, the most popular of which are listed in the right sidebar of the page. As of today there are 42,730 plugins having been downloaded 1,166,099,162 times, and counting! It’s hard to choose the best WordPress plugins to use when there are so many to sort through.

The Most Popular plugins are popular for a reason — they are simply good, well-maintained plugins. However, they do have competition. For example, WordPress SEO by Yoast is giving a run for the money to All in One SEO Pack. Is one better than the other? At some points in time, yes, and others perhaps no. A little healthy competition has made both plugins very good over time.

Below is a list of the plugins I used most often or have found to be very helpful on specific websites even if I don’t use them on all websites. I’ve placed a * by the plugins I typically use on every site I create. Please read my post on how to choose WordPress plugins wisely.

I am always adding plugins to my Favorites list at WordPress.org, so please check out what I <3 there:

The post Review of the Best WordPress Plugins appeared first on Ask WP Girl.

As a freelance WordPress developer or owner of multiple WordPress sites, you will become overwhelmed trying to stay on top of all the plugin and theme updates that are released almost daily. Plugin and theme updates have become more frequent over the years and, in many cases, more critical. When a security vulnerability is found in a WordPress theme or plugin, the vulnerability is published in detail on various security websites. These details can be used by hackers to write bots to automatically attack sites with these vulnerable themes and plugins.

As a result of how quickly these new vulnerabilities are found, performing timely updates on your WordPress site is absolutely essential for keeping your website secure. It is the single highest security risk your website faces and the single most important thing you can do to keep your WordPress site from being hacked. However, manually updating 10 or more sites can be onerous. Manually updating 100 or more sites can ruin your entire day. This is where WordPress management plugins and software come in handy. What  WordPress management software will help you do is manage all of your WordPress sites through one central dashboard or control panel. You will be able to update all plugins on all 100 sites you manage with the click of one button. Done and done.

How often do you need to update WordPress plugins and themes?

You typically need to update WordPress themes and plugins (and core) as often as there is an update — which can mean every day or every week. WordPress management businesses who offer to update your site monthly or quarterly are only taken advantage of your naivety. If a security vulnerability is found in a WordPress plugin, your site can be hacked within a number of hours or days. Updating once a week, therefore, is not frequent enough. If the update is less critical, you can plan some time when it is more convenient to test your update before performing it on the live site. Updates that contain security patches and functionality fixes can and should be done as soon as they are available.

Types of WordPress management plugins and software

There are two flavors of WordPress management tools:

• Hosted – You login to WordPress management software website to add and manage your WordPress websites
• Self-hosted – You host the WordPress management software on your own domain or locally on your computer

The hosted solutions are good for people who are less technically savvy or don’t want to have to worry as much about security of the tool itself. Though, some would argue, the self-hosted solutions are more secure since you can install them on your local computer and as a result can’t possibly be accessed by the outside world.

The self-hosted solutions take more responsibility on your part to be sure that you have the software installed and hosted securely as well as updated as needed. They are good for WordPress developers who are savvy with how to address bandwidth issues and security in a hosting environment.

With all the solutions, you will install a plugin on the client’s site that will connect the site to the WordPress management software. Following is a summary of the most popular WordPress management solutions available.

Jetpack Centralized Site Management

Hosted at WordPress.com – login with your WordPress.com credentials

Jetpack’s site management feature allows you to manage your site and other sites from a single Dashboard. You can update multiple plugins on multiple sites at once or set selected plugins and themes to auto update. It’s free and simple to use. Simply install the Jetpack plugin and connect it to your WordPress.com. (Note: multiple users of the site can be connected to Jetpack with their own WordPress.com account.) Activate the Centralized Site Management tool under the Jetpack > Settings or when prompted. Jetpack is entirely FREE, so it’s a great solution for people who want to set auto updates or check all their sites at a glance and not have to a pay a large price.

iControlWP Secure Multiple WordPress Management

Hosted at iControlWP.com – secure, two-factor login authentication

I really love iControlWP’s management tools, including integrated backups with one-click restores, ability to automate updates or lockdown a plugin to prevent it from being updated, security scanning, database optimization, Google Analytics tracking (no need for a plugin!), manage users, configure security from one location, Cloudflare integration, and more! The price is right, too! At about $1/site, it’s a total winner!

iControlWP is a hosted management solution, meaning you don’t have to install any software. There is no set up involved, and you can securely manage your sites from any computer. You simple need to install a plugin on your WordPress site, and enter the unique key into the iControlWP interface. Done! Enabling backups is also very easy and included in the monthly fee. The backups are very reliable. If you don’t want to babysit backups any longer, iControlWP is the most affordable hosted backup solution out there.

InfiniteWP Multiple WordPress Site Management Solution

Self-hosted either on a hosting account or on your local computer

I’ve used InfiniteWP for years and really love the flexibility of its updates and that it is free with optional paid addons for reporting and more! This is a self-hosted solution requiring you to set up the InfiniteWP software on your hosting account or local server. Adding sites to the InfiniteWP interface is quick and easy. Just install the IWP Client plugin and copy and paste the credentials into your InfiniteWP control panel.

InfiniteWP addons range from $50-$100 and include uptime monitoring, security scanning, client reporting, broken link checker, Google page speed, and much more. It’s definitely a nice package, though all the add-ons cost $400 per year.

MainWP Free WordPress Management Plugin

Self-hosted on an installation of WordPress running the MainWP plugin

The MainWP WordPress Management plugin is a free, self-hosted, open-source solution for managing multiple WordPress sites. MainWP is unique in that it is a plugin that runs within a WordPress installation as opposed to Jetpack, iControlWP, and InfiniteWP which all have their own, unique interface. The MainWP addons are also added as plugins, so the interface overall should feel very familiar. One nice thing about MainWP is that they are very open source friendly, therefore they do not charge for the number of sites you use with it. They’ve teamed up with some great partners for their addons, including WooCommerce, BlogVault, UpdraftPlus, Yoast SEO, Rocket, and others to provide valuable add-ons.

MainWP offers the ability to perform bulk settings on sites, set up Rocket caching, manage links, and includes a favorite plugin list. For $400, you get all the addo-ns and lifetime membership! No renewals! So, it’s definitely a winner price-wise over InfiniteWP.

Hosting is a big consideration for MainWP. From Andrea Whitmer’s review:  “If you use shared hosting, you will likely not be able to use MainWP. I can’t see a shared host allowing the type of resource usage I’ve seen in a week of use on my own server. It’s not outrageous, but it does heat things up a little, especially when intensive tasks like backups are running.”

WP Remote

Hosted at WP Remote

This is an entirely free service, and like many free services is not as sustainable as many would like. When a service starts as purely altruistic it rarely lasts more than a few years. There needs to be a money-making business plan behind any WordPress plugin or software to make it enough of a concern among developers to give it the attention it deserves. As of November 2015, the current hosts are looking to give it a new home. WP Remote does allow you to manage multiple sites at once, but it doesn’t have some of the bells and whistles that other sites have such as backup archives, cloning, copying and publishing to multiple sites from one location. It does one thing well and that is allow you to do plugin, theme, and WordPress core updates from a central dashboard all for FREE.

ManageWP – Manage WordPress Sites from One Dashboard

Hosted at ManageWP.com

ManageWP is a hosted solution like Jetpack and iControlWP, so there is no set up time or need to figure out where and how to host the software. It has a monthly fee based on the number of sites you are using it on. Here’s a great review you might want to read about the pros and cons of MainWP versus ManageWP.

ManageWP has tools for monitoring, notifications, backing up, and reporting, though people have reported in the past some issues with backing up as well as the reports not being that great. However, it’s always good to see what’s new. The big comparison now is between iControlWP and ManageWP for hosted solutions, so review them carefully to see which service would best meet your needs in terms of cost and features.

Which WordPress management plugin / softare should you use? InfiniteWP versus MainWP versus iControlWP versus ManageWP versus Jetpack

• Jetpack – You are a solo entrepreneur/blogger/business owner: I would recommend setting up auto updates of trusted plugins with Jetpack and signing up for VaultPress for backups.
• MainWP – You are a hard-core WordPress geek and open-source enthusiast: If you can pay $30+/month indefinitely or $400 one-time to get started, I would go with MainWP. Backups must be set up with one of their extensions and go to a third-party service, like Amazon S3. While that’s another consideration of both time and money and possible babysitting task, you do get to set your own backup schedules. You need to consider the cost of self-hosting MainWP each month and what kind of bandwidth it is going to take up. You can run MainWP locally using MAMP or XAMPP or WAMP. Here are instructions for setting up MainWP to run on DesktopServer.
• iControlWP – You are a WordPress website builder or entrepreneur with many sites to manage and absolutely hate dealing with backup issues: For about $1/site each month, you get all the site management features plus 30 days’ of free backups on a remote server with ZERO plugin setup. Since iControlWP does not rely on PHP interaction for backups, they don’t time out or fail, and you don’t have to do anything other than provide FTP credentials.
• InfiniteWP – You are a web developer with a Zen frame of mind and don’t mind managing things yourself: InfiniteWP is by far the cleanest, fastest, simplest interface. It is free, but you are responsible for hosting. The full addon package is $400 for the first year and $200 subsequent years. While you can use it for backups, you need to set those up and monitor them.

I love InfiniteWP for its quick and simple interface, but I am moving toward iControlWP because I am just tired of monitoring and managing backups. While my backups might be more limited (30 days), I don’t have to worry about them not running on the myriad of shared web hosts my clients come with. I would probably consider MainWP as an excellent choice, but, again, I don’t want to even give a second thought to backups. I just want to set and leave it. Many of my VIP clients are on WP Engine and Flywheel, so I don’t have to worry about backups with them either. I certainly prefer the InfiniteWP interface over all others.

More WordPress Management Plugin Reviews

• http://wplift.com/manage-multiple-wordpress
• https://www.nutsandboltsmedia.com/mainwp-vs-managewp-the-showdown/

The post WordPress Management Plugins appeared first on Ask WP Girl.

However, you may not want to use the subdirectory any longer and instead really do want to migrate WordPress from the subdirectory to the root directory. Below are steps to accomplish this.

(Tip: Instead of the process below, you can use the Duplicator plugin to create an archive zip of the entire site and restore the archive in the root directory. The benefit of using the Duplicator plugin is that the restore script will automatically rewrite all the URLs for you. However, duplicating a very large site might be a bit onerous and the archive process might not work well on some web hosts that have potential to time out when creating large archives.)

Before migrating WordPress from subdirectory to root directory

1 – Be sure you have access to your web hosting control panel and File Manager within the control panel as well as access to phpMyAdmin should you need to revert the changes you make to the WordPress General Settings below.

2 – Make a back up of your database using UpdraftPlus or BackWPUp plugin. Download this file and keep it safe.

3 – Remove any old site files from the root directory — perhaps copy them to a folder called _backup – this includes an index.html file which will totally make this process not work. You MUST remove all those old site files and folders or move them into another directory, so they don’t interfere with WordPress. Having an index.html and index.php in the same folder causes confusion, and likely, the index.html will be used instead of WordPress’ index.php file;

4 – Make sure you don’t have any other folders in the root directory that have the same name as any pages on your WordPress site, for example “blog” unless of course this is the name of your subdirectory install of WordPress in which case you cannot have a page of the same name because the browser will get confused and look for that page in that folder, then things are really confused.

5 – If you are using a caching plugin, delete all cached pages and de-activate caching.

Moving WordPress installation from subdirectory to public_html directory

1 – Go to Settings > General and remove the subdirectory from the URL for both the WordPress Address and Site Address. Be sure to remove the trailing / . Both addresses should simply end with .com or .org or whatever the domain type is. Click Save Changes.

2 – Using FTP or the web host’s File Manager, you will need to MOVE all of the WordPress files from the subdirectory up one level to the root.

To do this with FTP, in the remote server area, toggle open the subdirectory containing the WordPress installation you wish to move. Select all the files in this directory and drag them out of this directory and into the public_html folder or whatever directory this directory is within.

If you are using the File Manager on the web host’s control panel:

– Double click the subdirectory containing the WordPress files.

– Click Select All to select all the files.

– Click Move File.

– In the Move dialog box, remove the subdirectory from the path field, so the path you are moving to is /public_html

(Note: Some hosts might have a different name for this folder or you may have installed WordPress in a subdirectory inside another directory. Just remove the current subdirectory from the path along with the forward slash /, but don’t remove anything more than that.)

– Click Move Files.

The files should now be moved to the public_html.

3 – Login to WordPress in the root directory which should be your domain name plus /wp-admin, e.g. http://mywebsite.com/wp-admin.

4 – Go to Settings > Permalinks and click Save Changes. This will rewrite your .htaccess file to remove the subdirectory from the page URLs.

5 – Install the Velvet Blues Update URLs plugin.

Under Tools > Update URLs, type the website address containing the subdirectory in the Old URL field and the website without the subdirectory in the New URL field.

Be sure to not end the URLs with a forward slash /. If you do end it with a forward slash, end it with a forward slash for both URLs not just one. Consistency is important here.

Be sure to NOT not update all GUIDs. This will result in many theme settings to reset and posts to republish to the RSS feed.

6 – Click the Update URLs button. This should catch most of the URLs on the site. However, if it seems to miss several, you can try repeating this process without the http:// part of the URL, and see if it catches more.

7 – Check for other URLs not caught with the Velvet Blues plugin including:

– Appearance > Menus — check for any custom URLs to the old site URL in any custom menu items, such as the home page link.

– Appearance > Theme Options or your theme’s Theme Options page — check the URLs for any uploaded files such as the logo or favicon and remove the subdirectory from the URLs as needed.

– Sliders — If you use Revolution Slider or other slider plugin may not update the URLs to the slider images with the Velvet Blues plugin. Edit the slider and remove the subdirectory from any image URLs.

– Shortcodes and custom layouts — Some shortcodes for button links or custom theme layouts may contain URLs to the subdirectory which you may need to manually change. If you can find a pattern to these, you can try to run the Velvet Blues plugin again using the URL pattern you find.

8 – Test the site and be sure everything is appearing as expected.

9 – Reset the caching and update the .htaccess file per the caching plugin instructions as needed. Test the site again in a different browser to be sure the pages are caching correctly.

10 – Finally, to keep from losing all your SEO credit on the old site, you will want to implement a wild card redirect from the old URL to the new one. To do this, add the following bit of code to the top of your .htaccess file using the File Manager or FTP application substituting YOUR domain name and subdirectory name. (Note: .htaccess is an invisible file. You must select in the File Manager or FTP client to show invisibles in order to see this file.)

RewriteEngine On
RewriteCond %{HTTP_HOST} ^mydomain.com/subdirectory$ [OR]
RewriteCond %{HTTP_HOST} ^www.mydomain.com/subdirectory$
RewriteRule (.*)$ http://www.mydomain.com/$1 [R=301,L]

On the RewriteRule line use www or don’t use www according to what you have in your Settings > General. For example, if you don’t have www in your URL in the General Settings, do not include the www in the RewriteRule line.

Pro tip: To start, set this rule to 302 instead of 301 and test it to make sure it is working by entering one of your URLs with the subdirectory in it and make sure it rewrites to the same URL without the subdirectory. When you are sure it is working, change the 302 to 301. 302 is considered temporary and is not used for SEO and is not cached by browsers. 301 is considered a permanent change and is considered by Google to transfer the SEO credit of a page from one URL to another and is cached by browsers.

The post Moving WordPress from Sub-Directory to Root Directory appeared first on Ask WP Girl.