There has been a lot of noise made recently about the state of security in WordPress plugins and how they will destroy your site in an instant. I want to set the record straight about this right now.
It’s all true! And the sky is falling!
Ok. Perhaps not Chicken Little.
First of all, let’s get some facts out there.
Myth: 7/10 plugins have security holes
Fact: It’s entirely possible. I can’t survey all 25,000 plugins in the WordPress repository, but I’ve looked at several of them over the years and I can say that many don’t do basic validation and sanitization of input or escaping of output (some of my own work is included in this). That leads to scary vulnerabilities like XSS attacks, SQL injection and other frightening terms. You should be wary.
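To show what “basic sanitization/validation of input and output” looks like in plugin code, here is an added example (mine, not code from any plugin mentioned in this post): the same post-title search written once the sloppy way and once the way WordPress’s own helpers intend. It assumes a WordPress environment (global `$wpdb`, `sanitize_text_field`, `esc_html` and friends); the function names `ify_demo_search_*` and the `q` query parameter are made up for the illustration.

```php
<?php
// Added example, not from the post. Assumes it runs inside WordPress.
// The two functions implement the same feature: list published posts
// whose title contains a search term taken from the query string.

// Sloppy version: raw request data goes straight into SQL and into HTML.
function ify_demo_search_vulnerable() {
    global $wpdb;
    $term = $_GET['q'];                                   // no validation at all
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} "
          . "WHERE post_title LIKE '%$term%' AND post_status = 'publish'";
    $rows = $wpdb->get_results( $sql );                   // SQL injection via $term
    echo "<h2>Results for: $term</h2><ul>";               // reflected XSS via $term
    foreach ( $rows as $row ) {
        echo "<li><a href='" . get_permalink( $row->ID ) . "'>$row->post_title</a></li>";
    }
    echo '</ul>';
}

// Hardened version: validate and sanitize on the way in, let $wpdb build
// the query, and escape every value on the way out.
function ify_demo_search_hardened() {
    global $wpdb;
    // wp_unslash() undoes WordPress's magic-quotes slashing; sanitize_text_field()
    // strips tags and control characters and trims whitespace.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {       // simple length/empty check
        return;
    }
    // esc_like() (WP 4.0+) escapes LIKE wildcards; prepare() quotes the value.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_title LIKE %s AND post_status = 'publish' LIMIT 20",
        $like
    ) );
    // Escape for the context the value lands in: HTML text vs. URL attribute.
    echo '<h2>Results for: ' . esc_html( $term ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        printf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    echo '</ul>';
}
```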
Myth: Too many plugins will slow my site down
Fact: True – ish. The more code your server has to slog through, the longer it takes to display a single page, and that’s bad. But this “too many” could be a single plugin that does something crazy and takes a long time, or it could be the 50 plugins you’re tinkering with. It depends on the plugin(s) and your server. Host A might be able to handle your 50 plugins, but your buddy running on Host Q can’t run the same setup. The core issue here is two-fold, in my opinion: what work is the plugin doing when it runs, and how well is the plugin written? Both issues will seriously impact your site in terms of time to load, stability and security.
Myth: I need plugin X to get feature Y
Fact: Maybe, maybe not. One of my pet peeves with this is things like Google Analytics or other plugins that do basically 1 thing. I love me some Google Analytics, let’s start with that. But do you need a plugin to include it? Probably not. Your GA code (or similar trackers) would be installed on every single page of your site, so it could be included directly in your theme files, or you could use the feature built into your (good) theme or SEO plugin to accomplish it rather than adding another plugin. Putting it into the theme makes the most sense to me, but there may be extenuating circumstances.
Myth: WordPress is insecure!
Fact: Yep, it’s possible. Since it’s designed and coded by people (great people who really know their work, btw) it probably has some security issues. Worse, it lets ANYONE with an iota of coding skill add to it – looking at you, plugin and theme “developers”. Does this make WordPress insecure? Is it the fault of WordPress.org that your site got hacked? Not entirely, no. WordPress includes many tools and methods that developers (from novice to pro) can take advantage of to help mitigate the risk. Usually when security holes are found, the coder hadn’t followed good programming practices – either from WordPress or the coding community at large.
So – now what?
I’m going to tell you the same thing everyone else does. There’s no magic bullet or secret voodoo involved here. It’s simple common sense.
- Back it up! Keep a current copy of your site and database. How often you do this depends on your site. If it changes often, back it up more often to minimize loss. How do you back it up? I don’t know what’s right for you. Your host probably has a backup service. There are plugins that do it and there are 3rd party paid services that do it. Or you could learn how to do it yourself. After you learn, it’ll probably take about 10 minutes per backup.
- Update WordPress! There’s tons of debate on this but I fall on the “do the update” side. WordPress updates for 2 reasons. Major releases (3.4, 3.5, 3.6) are usually about features – with security rolled in. Minor releases (3.5.1, 3.5.2) are usually bug fixes and/or security related. Just about every release includes some security fixes or tweaks. Thus – update WordPress.
- Update plugins! Good plugin developers work like the WordPress core devs: they fix security issues and bugs as they become aware of them, by reviewing code, listening to customers and watching the internet for reports. Good plugin developers issue releases when they fix those bugs and include them along with other features. Now, plugin developers don’t always have the testing and quality control, and sometimes their updates introduce MORE issues. So I advocate a short delay on plugin updates, but it depends on the plugin (could you live without it for a couple of days?) and what the details of the update are.
- Clean it up! All those inactive plugins and themes you played with and then deactivated? They don’t affect your site much. WordPress looks at them when you display the list of installed plugins, but even that is cached. They might provide a vector for a security attack. If you’re not using them, delete them. You can always re-install.
- Lock it up (down?)! Do some research on permissions. Leaving all files set to 777 means that any user who gets access to your machine could manipulate, run or compromise a file. Find out the difference between 777 and 644 and when to use each – and the others. Learn how to secure your wp-admin with .htaccess, or at least get someone to do it for you, if it’s necessary. Not sure? Good, go look it up!
- Scan it! There are a number of security plugins (some not so great) and services that will scan or monitor your site for changes and intrusions. Have a look at a couple and decide if it’s necessary. Sucuri is a great company leading the charge to protect the internet. Even their free scan is worth having a look at and running once in a while. This is an added plugin I do recommend you install: Sucuri Security.
You don’t have to be an expert – I’m not – and you don’t have to go all bunker-in-the-desert-crazy on securing your website, but since you put all this time and effort into it, don’t you think you should do the basics?
Since version 1.6, a year ago, GT-Vouchers has gone through some big changes and currently sits at version 1.8.9 with 1.9 in testing. As always, many security and stability updates have been made over all, and in response to requests and suggestions from users, a number of new features have been implemented as well.
From oldest to newest, the new features include:
- Hide the CSV download link from listing owners
- Custom widget to list the most recent vouchers in 1 or more categories or 1 city
- Custom widget to show the most popular vouchers
- Default text color for all vouchers
- Custom text color per voucher
- Require a Facebook Like before downloading a voucher
- Voucher lists now link directly to the voucher on the page, instead of just the top
- Customizable call to action for the Facebook Like
- Limit the number of vouchers per price package
- Disconnected vouchers from Special Offers – they now work 100% independently
- Hide “Require Email” and “Require Facebook” option when users are creating vouchers
- Set a custom from name and email for all GT-Vouchers emails
- Voucher availability indicator on search results and archive (category) pages
- Replaced GeoTheme widgets for Latest Places Grid & List views to show “Voucher available” indicator
- Significant speed increase
- Customizable “Download this voucher” text
- Use a custom image instead of a template
- Show a preview image of the real voucher on the listing
- Cache preview images to keep server load low
- Download or print an image instead of a PDF
- Alert admin when new vouchers are created
- Addition of some custom hooks & actions for “add-on” development
- WordPress 3.5 compatibility for uploader and color picker
- Send users to a custom Thank You page after registering for a voucher
- Introduce a “Voucher available” banner on some widgets – like the “Featured” banner in GeoTheme
- New widget to show total number of voucher downloads
- Pre-fill the name and email of registered site users when they register for a voucher
- Update dynamic widgets to be compatible with WP Super Cache but not interfere when it’s not used
- New system of updating the plugin and our own store (public site coming soon)
All that GT-Vouchers is and will be is entirely due to the people who have supported it and prodded me to keep at it.
What’s next for GT-Vouchers?
Work has already begun on GT-Vouchers 2.0 which is a complete 100% re-write of the plugin. No, I don’t have an ETA yet.
Some of the features will include:
- Focus on mobile compatibility & usability
- Better WordPress integration
- More types of vouchers (Daily deals, timed countdowns)
- Tracking for end merchants and site owners
- Flexible integration with more sites
- Better, more accessible documentation
Those are some of the broad topics and certainly not the only priorities. If you’re a current or prospective buyer, please get in touch and let me know what you are looking for in a voucher/coupon system.
I’ve just released version 1.6 of GT-Vouchers over on Theme Tailors. There are several changes in this version but it primarily fixes a bug reported by users where the plugin would cause a site to hang – and eventually crash. That’s pretty bad.
As far as I can tell, this was caused by the original code performing unnecessary installation checks when actions were taken, and one of my features put this into a loop.
The new feature added is the option to show a countdown of the number of vouchers available just above the download button.
Nothing major, but it’s now sold a few copies and I expect more feedback to keep coming in.
Thanks to everyone who has supported this project.
InstalledForYou.com now has 3 plugins available on ThemeTailors for GeoTheme and a fourth about to hit as I write this.
Previously I introduced you to GT-Dashboard, which was upgraded recently to include a couple more stats and an auto-updating feature.
Next up, IFY GeoTheme Exporter does what it says: it allows users to export from GeoTheme – specifically the emails and addresses of events & listings. Simple enough.
Third one out is the big one. GT-Vouchers is a fork of the existing VoucherPress plugin, but completely customized for GeoTheme users. It includes tight integration with price packages, places and events – giving the site owner good control over the use of vouchers and allowing them to set their pricing accordingly.
- Full GeoTheme integration
- Business owner can create/edit vouchers from the front end (or back if they have access)
- Site owner can create/edit vouchers
- Tied to your GeoTheme price package / Special Offers
- Create a voucher list page for ALL and/or By Category
- Customizable text for messages & email
- Customizable css for border around vouchers on listings
- Allow only logged in users to download vouchers – optional custom message when not logged in
- Optionally hide vouchers after maximum downloads are reached
- Business owners can download the email list for their vouchers
- Dozens of bug fixes and optimizations
The GeoTheme community has become very active lately as the theme gains popularity. Some of the examples in the showcase are quite well designed and show some real inspiration.
In some ways it’s considered “bad” to go too far into a niche market, but lately I’ve begun to explore a pretty small market with custom plugins (while working on my major plugin projects).
GeoTheme is a new theme based on the GeoPlaces theme. GeoTheme was spawned when purchasers of the original theme became seriously disillusioned with the theme they bought. Lack of support, no updates, etc. drove them to basically make their own by branching the original.
My first plugin for this theme is the GT-Dashboard. It’s pretty simple and offers stats specific to your installation of GeoTheme. You can tell at a glance how many places & events you have, and how many reviews have been posted or are pending. I am planning to add some more reporting including financial information. It’s currently for sale over at ThemeTailors.com for just $5, including all future updates.
Next up, I’m working on a “deals” plugin – mostly re-purposing the Special Offers in GeoTheme, but likely expanding outside of this as well. There seems to be a high demand, so I need to get that done quickly.
RosterPress is a WordPress plugin to help manage talent/model/sport agent websites and more.
Featuring custom talent profiles, an appointment calendar and notifications, RosterPress lets anyone who manages people quickly and easily build a website presence.
Fully customizable profiles let you display physical characteristics for models, actors & similar talent, or simply use the personal contact section for internal use.
The appointment calendar is a simple and slick drag-and-drop system letting you move appointments around with ease, and see who’s attached and any other details with a simple click.
Hook all that up to email and optional SMS notifications, and RosterPress really is a business-in-a-box.
The plugin is currently in beta trials with a limited number of copies available for testing. Check it out over at RosterPress.com
As I mentioned in my last post, Ralph helped me out with the Drafts Scheduler plugin. He helped find a bug and get it fixed, which was just awesome. In return, Ralph asked if I’d take a look at building another plugin for him.
His website at DrHouseMusic.com is all about House music and the people on the site link and embed from music sites all over the web. Apparently LetsMix.com is a popular one, but there was no plugin available to make it easy to embed their codes. Sure, LetsMix give out a nice embed code, but you have to do a bit of work. Ralph wanted something simpler for his users.
So, out of that was born the Let’s Mix Shortcode plugin. It was a fun project that took about 8 hours over the course of about a week. With Ralph in Holland and me in Vancouver, we were in opposite time zones, which slowed things down.
In the end, the plugin turned out really, really well, and I learned a few things along the way. Please check it out if you’re a music fan needing to embed into WordPress.