August 31

How to Update WordPress with Automation

The Ultimate WordPress Update Checklist

When it comes to placing the “blame” for this overabundance of WordPress security breaches, it’s not fair to point to developers who built or now maintain WordPress or its third-party integrations. In fact, most WordPress breaches can be traced back to user error.

Did you know that over 70% of WordPress installs currently do not run on the most current and secure version of the platform? These WordPress updates are released for a reason–WordPress now even automates minor security upgrades in order to ensure that users’ sites are safe from those known vulnerabilities.

Then there’s the matter of plugins and themes. 54% of all WordPress vulnerabilities can be traced back to plugins and 14% to themes. Unless there is a serious security issue detected within one of these, WordPress will not force an automatic update for all users. They’ll instead rely on developers to create a patch and send out an update notification.

Ultimately, it comes down to you remaining cognizant over your WordPress website, monitoring for updates as soon as they become available, and then implementing them right away. This is the only way to keep WordPress as safe as possible.

How to Update WordPress with Automation

In 2013, WordPress was kind enough to gift us with automated updates. These are not universally applied, however, and will only occur with minor releases and the infrequent plugin or theme update that urgently needs pushing out. All major releases and other plugin and theme updates still need to be processed by you.

If you’d like to spare yourself the responsibility of doing that–without compromising your site’s safety–you can automate these updates. Here’s what you’ll need to do:

1. Schedule Backups

Even if you’re not manually processing each update, it’s still important to have regular backups of your site saved. You can do this by using a backup and restore plugin. This will ensure that you have something to roll back to in case something goes wrong during one of those automated updates.

2. Automate with a Plugin

While you could log into WordPress each day and watch for the little notification at the top of the dashboard that says you have updates waiting, you can instead use a plugin to handle the work for you. Easy Updates Manager is a free plugin that you can use either on a single WordPress website or for a full Multisite network.

Easy Updates Manager

Once you have the plugin installed, you’ll need to configure the settings for it.

The dashboard (pictured above) will give you easy toggle on/off access to automating core, plugin, and theme updates for your site.

Pay special attention to the General Settings tab as well. While the top part of the page gives you the ability to set universal controls over what is automated and what’s not, the bottom part (Notifications and Miscellaneous) you might find particularly useful as well.

And don’t forget to look at Advanced Settings before you save and close up the configuration page. If you have multiple users who have access to your site, but you don’t want them to have control over these settings, you can adjust access levels there.

3. Or Automate Your Workflow

Rather than rely on one plugin to handle backups and one plugin to handle updates, why not use one tool that consolidates all that automation into one? ManageWP is a fantastic option for this as it enables you to:

ManageWP also comes chock full of security features to help you better maintain the overall health and safety of your website without breaking a sweat.

As a WordPress maintenance service provider, we’ve found ManageWP’s solution to be incredibly valuable to our operations and workflow. With the enhanced visibility, convenience, and control we now have into all our websites’ performance, security, and pending updates, we’ve been able to focus on growing our business (by 39%, in fact) rather than on trying to keep track of everything we have to do for each of our current clients.

August 31

15 Easy Ways To Speed Up WordPress

speedup banner

 

Why WordPress Site Speed Matters

When a person lands on your site for the first time, you only have a few seconds to capture their attention to convince them to hang around.

Get ready to lose sleep at night: according to a report by the Microsoft Bing search team, a 2-second longer delay in page responsiveness reduced user satisfaction by 3.8%, increased lost revenue per user by 4.3%, and a reduced clicks by 4.3%.

If your site takes too long to load, most people are gone, lost before you even had a chance.

Not only that, but Google now includes site speed in it’s ranking algorithm. That means that your site’s speed effects SEO, so if your site is slow, you’re now losing visitors from impatience and reduced rankings in search engines. Yikes.

Let’s fix that.

How To Speed Up WordPress

As a side note, these are not ordered by importance or any criteria, I’ve just gathered everything I’ve learned around how to speed up WordPress page loads and listed them all here.

I guarantee that using even a few will help speed up your site.

1. Choose a good host

When starting out, a shared host might seem like a bargain (“Unlimited page views!”). It comes at another cost: incredibly slow site speed and frequent down time during high traffic periods.

If you plan on publishing popular stuff, you’re killing yourself by running your WordPress site on shared hosting.

The stress of your site going down after getting a big feature is enough to create a few early gray hairs: don’t be a victim, invest in proper hosting.

The only WordPress host I continually recommend is:

✓ WP Engine managed WordPress hosting

💡 Note: Above is my personal referral link which provides a small discount (and a small commission to me) if you use it. I only recommend products I personally use and companies I support.

My sites are always amazingly fast, never have downtime when I get huge mentions (like when I was featured on the Discovery Channel website), and the back-end is very easy to use.

Last but not least, their customer support is top notch, which is a must when it comes to hosting. Take it from someone who’s learned that the hard way. The staff is friendly, patient, and well-versed on the ins and outs of WordPress. They’ll be your safety net for any problem that may arise.

2. Start with a solid framework/theme

You might be surprised to here this, but the Twenty Fifteen “framework” (aka the default WP theme) is lightweight and quite speedy.

That’s because they keep the “guts” simple; compare that to bloated frameworks which have tons of features that you will never use, slowing your site to a crawl.

From my experience, the fastest loading premium framework is definitely the Thesis Theme Framework. It surpasses the basic WordPress themes by being far easier to customize.

It’s an incredibly solid framework that won’t slow you down with excess plugins or custom edits. Make the changes right from the theme and avoid bloat, hoorah!

3. Use an effective caching plugin

WordPress plugins are obviously quite useful, but some of the best fall under the caching category, as they drastically improve page loads time, and best of all, all of them on WordPress.org are free and easy to use.

By far my favorite, bar none, is W3 Total Cache, I wouldn’t recommend or use any other caching plugin, it has all of the features you need and is extremely easy to install and use.

Simply install and activate, and what your page load faster as elements are cached.

4. Use a content delivery network (CDN)

All of your favorite big blogs are making use of this, and if you are into online marketing using WordPress (as I’m sure many of my readers are) you won’t be surprised to here that some of your favorite blogs like Copyblogger are making use of CDN’s.

Essentially, a CDN, or content delivery network, takes all your static files you’ve got on your site (CSS, Javascript and images etc) and lets visitors download them as fast as possible by serving the files on servers as close to them as possible.

I personally use the Max CDN Content Delivery Network on my WordPress sites, as I’ve found that they have the most reasonable prices and their dashboard is very simple to use (and comes with video tutorials for setting it up, takes only a few minutes).

There is a plugin called Free-CDN that promises to do the same, although I haven’t tested it.

5. Optimize images (automatically)

Yahoo! has an image optimizer called Smush.it that will drastically reduce the file size of an image, while not reducing quality.

However, if you are like me, doing this to every image would be beyond a pain, and incredibly time consuming.

Fortunately, there is an amazing, free plugin called WP-SmushIt which will do this process to all of your images automatically, as you are uploading them. No reason not to install this one.

6. Optimize your homepage to load quickly

This isn’t one thing but really a few easy things that you can do to ensure that your homepage loads quickly, which probably is the most important part of your site because people will be landing there the most often.

Things that you can do include:

  • Show excerpts instead of full posts
  • Reduce the number of posts on the page (I like showing between 5-7)
  • Remove unnecessary sharing widgets from the home page (include them only in posts)
  • Remove inactive plugins and widgets that you don’t need
  • Keep in minimal! Readers are here for content, not 8,000 widgets on the homepage

Overall, a clean and focused homepage design will help your page not only look good, but load quicker as well.

7. Optimize your WordPress database

I’m certainly getting a lot of use out of the word “optimize” in this post!

This can be done the very tedious, extremly boring manual fashion, or…

You can simply use the WP-Optimize plugin, which I run on all of my sites.

This plugin lets you do just one simple task: optimize the your database (spam, post revisions, drafts, tables, etc.) to reduce their overhead.

I would also recommend the WP-DB Manager plugin, which can schedule dates for database optimization.

8. Disable hotlinking and leeching of your content

Hotlinking is a form of bandwidth “theft.” It occurs when other sites direct link to the images on your site from their articles making your server load increasingly high.

This can add up as more and more people “scrape” your posts or your site (and especially images) become more popular, as must do if you create custom images for your site on a regular basis.

Place this code in your root .htaccess file:

disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?sparringmind.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/sparringmind [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

You’ll notice I included my feed (from FeedBurner), you’ll need to replace it with your feed’s name, otherwise your images won’t appear correctly there.

9. Add an expires header to static resources

An Expires header is a way to specify a time far enough in the future so that the clients (browsers) don’t have to re-fetch any static content (such as css file, javascript, images etc).

This way can cut your load time significantly for your regular users.

You need to copy and paste the following code in your root .htaccess file:

ExpiresActive On
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000

The above numbers are set for a month (in seconds), you can change them as you wish.

10. Adjust Gravatar images

You’ll notice on this site that the default Gravatar image is set to… well, nothing.

This is not an aesthetic choice, I did it because it improves page loads by simply having nothing where there would normally be a goofy looking Gravatar logo or some other nonsense.

Some blogs go as far to disable them throughout the site, and for everyone.

You can do either, just know that it will at least benefit your site speed if you set the default image (found in “Discussion”, under the settings tab in the WordPress dashboard) to a blank space rather than a default image.

11. Add LazyLoad to your images

LazyLoad is the process of having only only the images above the fold load (i.e. only the images visible in the visitor’s browser window), then, when reader scrolls down, the other images begin to load, just before they come into view.

This will not only speed you page loads, it can also save bandwidth by loading less data for users who don’t scroll all the way down on your pages.

To do this automatically, install the jQuery Image Lazy Load plugin.

12. Control the amount of post revisions stored

I saved this post to draft about 8 times.

WordPress, left to its own devices, would store every single one of these drafts, indefinitely.

Now, when this post is done and published, why would I need all of those drafts stored?

That’s why I use the Revision Control plugin to make sure I keep post revisions to a minimum, set it to 2 or 3 so you have something to fall back on in case you make a mistake, but not too high that you clutter your backend with unnecessary amounts of drafted posts.

13. Turn off pingbacks and trackbacks

By default, WordPress interacts with other blogs that are equipped with pingbacks and trackbacks.

Every time another blog mentions you, it notifies your site, which in turn updates data on the post. Turning this off will not destroy the backlinks to your site, just the setting that generates a lot of work for your site.

For more detail, read this explanation of WordPress Pingbacks, Trackbacks and Linkbacks.

14. Replace PHP with static HTML, when necessary

This one is a little bit advanced, but can drastically cut down your load time if you are desperate to include page load speeds, so I included it.

I’d be doing this great post injustice if I didn’t link to it for this topic, as it taught me how to easily do this myself, in a few minutes.

So go there and check it out, it wrote it out in plainer terms than I ever could!

15. Use CloudFlare

This is similar to the section above on using CDN’s, but I’ve become so fond of CloudFlare since I discussed it in my best web analytics post that I’ve decided to include it separately here.

To put it bluntly, CloudFlare, along with the W3 Total Cache plugin discussed above, are a really potent combination (they integrate with each other) that will greatly improve not only the speed, but the security of your site.

Both are free!

August 31

How to Properly Move WordPress from HTTP to HTTPS (Beginner’s Guide)

Setting up WordPress to Use SSL and HTTPs

After you have enabled SSL certificate on your domain name, you will need to set up WordPress to use SSL and HTTPs protocols on your website.

We will show you two methods to do that, and you can choose one that best fits your need.

Method 1: Setup SSL/HTTPS in WordPress Using a Plugin

This method is easier and is recommended for beginners.

First, you need to install and activate the Really Simple SSL plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit Settings » SSL page. The plugin will automatically detect your SSL certificate, and it will set up your WordPress site to use HTTPs.

SSL enabled on a WordPress website

The plugin will take care of everything including the mixed content errors. Here’s what the plugin does behind the scenes:

  • Check SSL certificate
  • Set WordPress to use https in URLs
  • Set up redirects from HTTP to HTTPs
  • Look for URLs in your content still loading from insecure HTTP sources and attempt to fix them.

Note: The plugin attempts to fix mixed content errors by using output buffering technique. It can have a negative performance impact because it’s replacing content on the site as the page is being loaded. This impact is only seen on first-page load, and it should be minimal if you are using a caching plugin.

While the plugin says you can keep SSL and safely deactivate the plugin, it’s not 100% true. You will have to leave the plugin active at all times because deactivating the plugin will bring back mixed content errors.

Method 2: Setup SSL/HTTPS in WordPress Manually

This method requires you to troubleshoot issues manually and edit WordPress files. However this is a permanent and more performance optimized solution. This is what we’re using on WPBeginner.

If you find this method difficult, then you can hire a WordPress developer or use the first method instead.

As part of this method, you may need to edit WordPress theme and code files. If you haven’t done this before, then see our guide on how to copy and paste code snippets in WordPress.

First, you need to visit Settings » General page. From here you need to update your WordPress and site URL address fields by replacing http with https.

Update WordPress URLs

Don’t forget to click on the ‘Save changes’ button to store your settings.

Once the settings are saved, WordPress will log you out, and you will be asked to re-login.

Next, you need to set up WordPress redirects from HTTP to HTTPS by adding the following code to your .htaccess file.

1
2
3
4
5
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If you are on nginx servers (most users are not), then you would need to add the following code to redirect from HTTP to HTTPS in your configuration file:

1
2
3
4
5
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}

Don’t forget to replace example.com with your own domain name.

By following these steps, you will avoid the WordPress HTTPS not working error because WordPress will now load your entire website using https.

If you want to force SSL and HTTPS on your WordPress admin area or login pages, then you need to configure SSL in the wp-config.php file.

Simply add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

1
define('FORCE_SSL_ADMIN', true);

This line allows WordPress to force SSL / HTTPs in WordPress admin area. It also works on WordPress multisite networks.

Once you do this, your website is now fully setup to use SSL / HTTPS, but you will still encounter mixed content errors.

These errors are caused by sources (images, scripts, or stylesheets) that are still loading using the insecure HTTP protocol in the URLs. If that is the case, then you will not be able to see a secure padlock icon in your website’s address bar.

Not secure

Many modern browsers will automatically block unsafe scripts and resources. You may see a padlock icon but with a notification about it in your browser’s address bar.

Insecure content blocked

You can find out which content is served through insecure protocol by using the Inspect tool. The mixed content error will be displayed as a warning in the console with details for each mixed content item.

Mixed content errors displayed in browser console

You will notice that most URLs are images, iframes, and image galleries while some are scripts and stylesheets loaded by your WordPress plugins and themes.

Fixing Mixed Content in WordPress Database

Majority of the incorrect URLs will be images, files, embeds, and other data stored in your WordPress database. Let’s fix them first.

All what you need to do is find all mentions of your old website URL in the database that started with http and replace it with your new website URL that starts with https.

You can easily do this by installing and activating the Better Search Replaceplugin.

Upon activation, you need to visit Tools » Better Search Replace page. Under the ‘Search’ field, you need to add your website URL with http. After that, add your website URL with https under the ‘Replace’ field.

Search and replace

Below that, you will see all your WordPress database tables. You need to select all of them to run a thorough check.

Lastly, you need to uncheck the box next to ‘Run as dry run?’ option, and then click on ‘Run Search/Replace’ button.

The plugin will now search your WordPress database for URLs starting with http and will replace them with secure https URLs. It may take a while depending on your WordPress database size.

Fixing Mixed Content Errors in WordPress Theme

Another common culprit causing mixed content error is your WordPress theme. Any decent WordPress theme following WordPress coding standards will not cause this issue.

First, you will need to use your browser’s Inspect tool to find the resources and where they are loading from.

Using inspect tool to find mixed content error

After that, you will need to find them in your WordPress theme and replace them with https. This will be a little difficult for most beginners, as you will not be able to see which theme files contain these URLs.

Fixing Mixed Content Errors Caused by Plugins

Some mixed content resources will be loaded by WordPress plugins. Any WordPress plugin following WordPress coding standards will not cause mixed content errors.

We don’t recommend editing WordPress plugin files. Instead, you need to reach out to the plugin author and let them know. If they do not respond or are unable to fix it, then you need to find a suitable alternate.

Note: If for some reason, you’re still encountering mixed content error, then we recommend using the Really Simple SSL plugin temporarily, so your users are not impacted while you fix the issue on a staging website or hire a developer.

Submit Your HTTPS Site to Google Search Console

Search engines like Google consider https and http as two different websites. This means you will need to let Google know that your website has moved to avoid any SEO issues.

To do that, you just need to go to your Google Search Console account and click on ‘Add a Property’ button.

Add https site as a new property in Google Search Console

This will bring up a popup where you need to add your website’s new https address.

Add your https URL

After that, Google will ask you to verify ownership of your website. There are several ways to do that, select any method and you will instructions to verify your site.

Verify your website

Once your site is verified, Google will start showing your search console reports here.

You also need to make sure that both the https and http versions are added in your Search Console.

Once you have both versions, you need to go to the http version in your Google Search Console and click on the Settings Menu. From there, you need to select “Change of Site Address” option.

Google Search Console Change of Site Address

Google will automatically select your new site in the field below, but if it doesn’t, then you need to select the https version of your website and then submit the change of address request.

This tells Google that you want the https version of your website to be treated as the primary version. Combined with the 301 redirects that you setup earlier, Google will transfer your search rankings to the https version of your website, and you will most likely see improvements in your search rankings.

We know that we did when switched our websites from http to https.

We hope this article helped you add HTTPS and SSL in WordPress.