Have you been blocked by the firewall? All our servers run smart firewalls, which lock people off if they keep on trying to guess your password or if they look like they are hacking into your website. This block locks out only yourself at your current location (via IP address), that is, it really […]
In order to be cautious, cPanel does not turn this compression on automatically as there is a small chance that some websites will break with it on. However, if your site does break you can always turn it off really easily and then turn it on later for only some file types.
To turn on the compression, follow these steps:
- Log into cPanel
- Go to the Software tab (halfway down) and click on “Optimize Website”
- Click on “Compress All Content” and then the “Update Settings” button at bottom
- Test that your site still works on a desktop (PC/Mac) and mobile (iDevice/Android)
- You’re done!
This does speed up some websites enormously, particularly when you’re on slow internet connections, yet other websites don’t notice it as much. Nevertheless, we do recommend you turn it on for your site so long as it works. When you do turn it on, we strongly suggest you test on a desktop browser and on a mobile device just to make sure everything does work. Viewing the key pages on your site is really important. The good news is that nearly all modern sites benefit and work with it.
Just so you have some idea of whether it helped much or not it’s quite a good idea to run a test at www.webpagetest.org before and after and compare. (We recommend logging in to webpagetest so your page speed history is retained).
One of the hardest issues to solve with broken WordPress sites is finding out what broke the website. To find the answer to this, we need to find out what was changed that broke the site. Being able to find out what changed easily and can quickly shorten a difficult investigative process – which is hard even for seasoned site administrators and developers – to minutes rather than hours.
In the past, there’s been few ways to do this and developers have been restricted to searching a website for recently changed files; which sometimes provides clues but more often doesn’t. Sometimes it’s been possible to use the WordFence security plugin to find where files may have been changed or corrupted from the originals, but more often that fails as the problem can come from an official update (thus Wordfence assumes nothing changed).
We’ve recently found a new plugin called WP Security Audit Log. This plugin allows you to check a list of what changes have been made on the site, including WordPress updates and plugin updates, and is a very useful tool in tracking down problems and solving site problems (or even just eliminating site changes as a cause of a breakage). It’s particularly important to have something like this on your site as a medium-sized WordPress site can easily have over 7,000 files in it spread through core, themes and the various plugins you might have installed.
Obviously, this plugin is a life saver, but it’s rather like a life insurance policy – you have to have it there and running already for it to be able to help you. We’re in the process of installing it on many of our sites and it hasn’t caused any problems so far; it also has a good number of reviews, has been updated recently, and has 4.7 stars on wordpress.org (See https://wordpress.org/plugins/wp-security-audit-log/ for more information).
If you have a large site, this plugin is particularly important as more than one developer or admin may be working and it’s very easy for one person to make a change and not remember what they changed.
So, we rather suggest you take 2 or 3 minutes and install this plugin on any sites that are important to you as soon as you can so it’s there when you need it. (The plugin does have some commercial options available, but they’re not essential). We look forward to you saving hours on support issues!
Here’s a short video from the plugin documentation that explains what it does:
This is a simple tip that will save you a lot of pain down the track – don’t publish your email address!
What do I mean by that? I mean, don’t put your email address in clear text anywhere on the web. Not on your web pages, not on someone else’s and never in any long term resource. The reason for this is simply that, if you do, the spambots will harvest it into their evil spam databases and over time you’ll see more and more spam coming in, until the email address becomes unusable because of a torrent of spam. While anti-spam systems will help, a heavily spammed account will still receive so much email that even highly effective filtering systems such as Google Apps will not sufficiently protect you.
Tim, a long term user (not his real name!) came to us recently. He was receiving literally hundreds of spam emails per day and it was becoming exhausting, and this was despite good filtering being available. We were able to work out some solutions for him, but it served only to reduce the spam to a manageable amount (5 a day at the time) rather than totally eliminate it.
“But I need to put my email address up so people can email me!”, I hear you saying.
There are several solutions you can use to keep your email address from getting destroyed.
Publish an alias or forwarder, not your main email address
This is simple – instead of publishing your email@example.com email address, publish one like firstname.lastname@example.org. Then when it starts receiving a lot of spam, delete it and replace it with email@example.com. These can be easily set up in cPanel’s Email Forwarder menu.
If you use Google Apps for your email, you don’t need to setup anything as you can already use syntax like firstname.lastname@example.org. If it starts getting a lot of spam, you can delete it.
Please note that while this method works nicely, you may not want to make it too obvious to guess the “real” email address behind it. The Google Apps method above does suffer from this, as it’s easy to guess the main email account name.
Use a contact form
Contact forms are the “gold standard” recommendation. Most contact form systems allow the use of dropdowns to select various departments, which then can be routed through to particular email addresses without exposing those email addresses in clear text.
This solution is the best possible, as it exposes nothing and will always be secure. You may though, want to include a “human” test on the form so you don’t get spam from it, and all the good contact form solutions do include these.
The two leading WordPress contact form solutions are Gravity Forms and Contact Form 7 and if you’re a do-it-yourselfer there are many good video tutorials. One important factor here is to choose a well-supported contact form system – look for good reviews, number of reviews, good documentation, and some reasonable ongoing program of releases.
Email address obfuscators
Obfuscation (in this case) means to alter your email address so it isn’t recognizable to a spambot, but still works when you click on it in a web browser. There are a number of methods used:
- Converting the email address letters into encoded characters (ie &37; etc)
- Using PHP code to generate the email mailto: link
While all of these methods appear to “work” at this point, they rely on spammers not having caught onto them. Surprisingly, as money is involved, spammers can be quite switched on and while you may be safe in the short term they will eventually catch up and grab your email address, and once they’ve grabbed it, you’ll start getting increasing amounts of spam.
The best and simplest summary here is that we recommend the use of contact forms rather than the other solutions. While the use of temporary email addresses is reliable, it does require changeover and contact forms will just keep working.
Oh – and by the way, our spam filtering does work – it’s just that nothing can cope in the long term with huge amounts of spam involved in this situation.
Website speed (or “performance” as we like to call it) can be a tough and complex area and can be very difficult to get right without experience. However, there are some basic techniques that give big returns and in this article we’d like to share some things that normally give quick wins when your website is slow. Using these tricks alone we’ve seen many websites go from display times of 30 seconds to 3 or 4 seconds, just to give you an idea of the results possible for really slow pages.
This article is written mainly as a management overview of performance, and it also contains some quick pointers for technical people.
- Website download time
- Website “first byte” time
[code language=”php”]#Start Gzip
[code language=”php”]#Start expire
ExpiresDefault “access plus 1 week”
- WP Supercache – an easy to install plugin
- WP-Rocket – probably the easiest caching plugin, very simple to install
- W3 Total Cache – the most complex of the performance plugins, it also provides good CDN integration. Be warned, it’s complex!
As this is an overview article we won’t go into these plugins in depth other than to say that very detailed instructions are available on how to install them if you do some quick searching.
- Use a different webserver stack – we prefer LEMP for speed, Apache degenerates badly under load
- LEMP/Nginx can deliver static files 10x faster due to use of kernel optimization hooks
- PHP accelerator – retains compiled code in memory, approx 2x benefit depending on site
- Use a CDN to move the work for static files onto a fast-dumb architecture
- Use the above techniques – File compression, Expiry etc
- Consider Google optimize – can work well, but can increase CPU load
- We tend to use a faster database than MySQL – this can give a 2-3x benefit
- Avoid needless database queries, and make sure any queries you do are not slower when the database gets bigger. (See next point!)
- Use performance profiling plugins to help reveal any problems with SQL queries or plugins you may be using on a site (eg NewRelic)
- Use the available WordPress debugging plugins to make life easier for yourself
- Try to cache slow operations and only re-run them occasionally. eg: Don’t re-run complex queries every time the home page loads!
- Always use a cache when you develop a site (so you can fix problems as they arise)
- In Australia, avoid the Google Hosted Library versions of things like jQuery as the lack of AU-based POP can add a whole second to your site load time (per file!)
Of course, there are many other things that you should be aware of and we highly recommend a visit to the webpagetest.org performance measuring tool as you develop your code. It’s too late to test right at the end as it’s much easier to fix problems as you go; and progressive checks will help you improve your website optimization skills quickly.