Obviously, we don’t like to do all this work ourselves (and you’re here so we guess you don’t either!) so we have a plugin today that will do it all for you!  W3 Total Cache has CDN support built right into it, we use it with Amazon S3, but the list of services you can use it with is large.

So what does it do?

A CDN is designed to help your site deliver the dynamic parts of your site quickly i.e., the content (posts, pages, menus) whilst getting someone else’s server to deliver the rest of the static content (theme files, images, videos).  This helps you save bandwidth from your server and gives the majority of the work to servers that can take the load, for instance Amazon’s S3 servers.  The CDN is designed to deliver these types of files and they are served up to your site visitor very quickly.  This means both parts of your site are sent at once from two URL’s; and as we know, a browser can stream multiple downloads in parallel meaning rapid delivery of your sites content.

Configuration

Using W3 Total Cache can be a convoluted affair so we have tried to give you the basics here.  By doing this your static content will be exported to Amazon’s S3 and W3 Total Cache will change the URLs of the appropriate files to serve them up from the CDN instead of your local hosting, giving you a huge performance boost for your site.  So we have found and use these steps for configuration to upload to S3;

-    Make sure that “Amazon Simple Storage Service (Amazon S3)” is the selected “CDN type” on the “General Settings” tab, then save the changes.
-    Now on the “Content Delivery Network Settings” tab enter your “Access key,” “Secret key” and enter a name (avoid special characters and spaces) for your bucket in the “Create a bucket” field by clicking the button of the same name.
-    If using an existing bucket simply specify the bucket name in the “Bucket” field. Click the “Test S3 Upload” button and make sure that the test is successful, if not check your settings and try again. Save your settings.

On talkingwordpress.com we export Host attachments, the wp-includes/files, Host theme files and Host custom files which are the default settings and send them to Amazon S3.  This static content is then served very quickly and our hosts only have to serve up the dynamic content such as post and pages.

You will no doubt note the huge number of other settings available in W3 Total Cache, of which we aren’t going to discuss here as they are many and can be quite complicated, we suggest you refer to the user guide for settings beyond using the CDN.  But this is a quick way to get some added ‘oomph’ out of your site if it is running a bit slow.

So how good is it?

Slow sites are a huge turn off for visitors to your site, and you don’t want to turn off your visitors, you want them to come back and buy things and have a generally fab time.  We think that using is a CDN is a good idea and we think that using W3 Total Cache is the best way to do this.

It is a big plugin that covers a lot of things which makes it cumbersome for just CDN setup, but we think you’ll like the other stuff too when you are confident enough to get them working properly.

We like the simplicity of getting it to work with Amazon’s S3 and you can see the results really quickly, no pun intended.  Much!

Talking WordPress Rating

We like it, although it could be overwhelming for the absolute beginner.  Maybe leave the whole CDN thing alone until you are up and running with a site that really needs it.  Crucially though, Google thinks that site load time is really important, and going forward it could affect how your site ranks with Google for SEO.  So we say;

8/10 – not for the beginner but invaluable for up and coming sites who need the boost.

Be sure to pop over and check out the post in full, however we have replicated the list here just for you.  Enjoy!

So what does it do?

Good question; lots of things.  You initialise the plugin by logging in with your WordPress username and password and then the Jetpack dashboard is displayed, showing you what you can do with the plugin.  In brief it has options to configure the following;

• Simple site stats – the main thing we use this plugin for.  A helpful tool that gives a summary of visitors, search terms and pages with the highest counts.
• Social sharing buttons in posts and pages – we don’t like these so much so we use other methods.
• Spelling and grammar checker – if you have the patience to deal with it, use it.  We don’t!
• Subscriptions – add a quick subscribe button for visitors to add their e-mail to.  Helpful if you aren’t using more sophisticated methods.
• Vaultpress – a way to monetise Jetpack.  Very overpriced backup system for your site.  For the lazy and rich!
• Gravatar Hovercards – Show a pop-up business card of your users’ gravatar profiles in comments.  If you want to?
• WP.me Shortlinks – stop using bit.ly
• Shortcode Embeds – for adding video easily.
• Beautiful Math – we have no idea why we would want to add equations to our site but if you do, go right ahead!
• Extra Sidebar Widgets – for adding Twitter Feeds, RSS and Images if you don’t already have the tools to do this.
• Enhanced Distribution – for sending your stuff to search engines.

All looks very promising doesn’t it, lots of goodies all wrapped up in one plugin written by the Grand-Daddy of WordPress himself (or his company at least).  Not so fast there cowboy…

Configuration

Most of the options for this plugin are pretty much an enable or disable affair, turn it on or off if you want it or don’t.  We haven’t used the Vaultpress option but it promises to be a user friendly experience as you shouldn’t need to configure Amazon S3 access or anything else too complex.  However, this is a costly piece of kit and we wouldn’t recommend it as we have already reviewed free options that do the same thing.

The sharing buttons are easily configured using a drag and drop interface if your browser supports this, with some extra tick and text boxes that even the newest of you to WordPress should be able to fathom.  Beyond that decide what you want and use it.

So how good is it?

It’s Ok for some stuff, too expensive for others and just plain redundant for us with the rest of what it offers.  The only really useful part of this plugin for us are the simple site stats that you can see in the dashboard of WordPress when you login.  It provides a quick snapshot for you to take a look at without the hassle of google analytics.  We like it because it’s simple and takes no configuring, unlike Google Analytics which is a pig until you know what you’re doing.  We use the subscriptions widget every now and then but beyond that have no real use or have better alternatives for the rest.

The problem with this plugin for us is that the ways in which Jetpack does these things are not necessarily the best way to do them.  However, for the most part they are the free and easy option when you start out until you have had a chance to replace the functionality with other plugins.

Talking WordPress Rating

We aren’t here to bash peoples work and totally respect the efforts that go into creating these plugins so that we can get on with what we need to be getting on with and not be worrying about how to code and new widget.  We just feel that this plugin is a little lacking in nearly everything it does, the social buttons aren’t aligned nicely, the grammar checker is frustrating, and we don’t see a great need for most of the others.  It’s all packed up in a very pretty package but the really useful service, the backup, is overpriced even if there weren’t free alternatives.  For these reason’s we are giving Jetpack;

5/10 – A bundle of stuff that we have better alternatives for.  But we do like the stats.

So what does it do?

If you aren’t already logged in, go to the bottom of this page and check out the right most box just above the footer, you’ll see a box that has lots of easy ways for people to register on this site quickly and easily using a wide range of their social media profiles.  The plugin gets their names, e-mail address and some other bits depending on how you configure it and uses this info to create an account on your wordpress site for them.  Then you can send them e-mails when you need to and keep them informed about what is going on now and in the future.

Configuration

Setting up the plugin in WordPress is easy, the control panel provided gives you nice easy options with tickboxes and radio buttons, however configuring each social network isn’t so straightforward.  This issue is due to the varying nature of requirements by the social networks, however Oneall, the creators of the plugin provide some really good walkthroughs for all of the social media sites making the whole process easier than it otherwise would be.  So if you want to set this plugin up on your site you should set aside at least an hour to be on the safe side.

So how good is it?

It works really well, test it out for yourself below to see!  It does what you’d expect it to and makes it easier for your users to join your site as a registered user.  Once the hard work is done and you’ve set up each individual social networking site (for which you will need a user account for by the way) through their development API thingy it pretty much looks after itself.

Talking WordPress rating

There are various paid plans, however we use the free version which has Oneall branding on it and we think it works and looks just fine.  The subscription pricing is a bit off the mark but we don’t need it yet.  However, we love what it does and think it is worth:

8/10 – Simple, effective and free if you don’t mind the backlink.

So why more security after all of the stuff we did yesterday?  Because it is the single most important thing you can do for your site before you write a single word.  Yes, it’s boring, yes it’s labour intensive but once you have done your first site using these tips and tricks you should be able to clone it making future installs a breeze, something that we will cover here in future posts.

Updates

The first thing we will cover is an easy one, UPDATE WORDPRESS people!  We can never understand why people don’t do this and hear things like ‘Oh, so and so plugin doesn’t work on 3.1.1 so we haven’t upgraded.  Hello…  GET ANOTHER PLUGIN RETARD.  If you site gets hacked because you couldn’t be bothered to press the annoying button at the top of the dashboard then quite frankly, hahahahahahahahahahahahahahahaha!

Backup and Restore

Next up, backup and restore.  We have covered one backup utility in a previous post, Automatic WordPress Backup, and we love it.  However, if you don’t want to use that another alternative is BackWPup, at the time of writing it has had over 180,000 downloads and has the options of backing up to various cloud based storage facilities such as Amazon S3 etc.  It’s very user friendly and has a huge version history showing it is well supported and updated.

Whichever backup product you use, or if you do it manually, it is important to make sure that both the backup and restore functions work for you and your site.  The only way to check this is to use the restore facility, test it, make sure you know how it works and be confident that if the worst should happen you can restore your site quickly and fully.  Depending on how often you write to your site depends on how often you should back it up, but make sure you take the cautious approach.

General Plugin Maintenance

Over the course of a year or so you will no doubt find and install a thousand different plugins that do weird and wonderful things.  Some will work, some won’t and some will confound you with user interfaces that make you want to cry.  It is important that you keep an eye on your plugins and make sure that you are confident that they are being well supported with updates and bug or security fixes, that they work with the latest release of WordPress before you update and that they are doing what they are supposed to be doing.  Only you as the administrator of your site can make sure they are updated as and when new releases are pushed through the repository.  WordPress does it’s best to make it easy for you, but you need to take the action.  A few simple rules here can keep you out of trouble;

1. Keep your plugins upto date.
2. Remove unused plugins, even if they are deactivated.  You can always reinstall later if you need them again.
3. Only install plugins that you have taken the time to research, look at the ratings, the author, the previous versions, update cycles.  You wouldn’t take a person into your home from the street without getting to know them, don’t let strange plugins into your site without doing the same if you want to keep it secure.
4. This is not always possible, but where a plugin is available through the ‘search plugin’ facility, use it.  Much safer from the repository than some site you don’t really know about.
5. Most importantly, USE YOUR COMMON SENSE!  If something looks to good to be true, it probably is so research it all the more.

Theme Security

One of the great things about WordPress is the way in which you can slip into a new theme without any real work, google ‘free wordpress themes’ find one you like, download and install it.  Great!  No, not so great.  Hackers everywhere caught onto this a long time ago and there are more free themes out there with added code than authentic free themes.  You need to be careful.  We generally think that buying themes is good way to circumvent this practice, just use the same approach to choosing your plugins, research who makes them, read reviews and use your common sense before you buy.  However, we understand that not everyone has money to drop on new themes as their site is still young, so what can you do?

Use the TAC plugin.  TAC stands for Theme Authenticity Checker and will scan your themes for any encoded or hidden scripts that could open up your site.  It is built by builtBackwards and this is what they have to say about the plugin;

TAC got its start when we repeatedly found obfuscated malicious code in free WordPress themes available throughout the web. A quick way to scan a theme for undesirable code was needed, so we put together this plugin.

After Googling and exploring on our own we came upon the article by Derek from 5thiryOne regarding this very subject. The deal is that many 3rd party websites are providing free WordPress themes with encoded script slipped in – some even going as far as to claim that decoding the gibberish constitutes breaking copyright law. The encoded script may contain a variety of undesirable payloads, such as promoting third party sites or even hijack attempts.

TAC will find the code for you, but you still have to do your research and find out if it is unwanted code etc., but it is awesome for helping you to decide whether or not to ditch a theme.  There are various online tools that you can submit themes to also and you can find these by just Googling them, whichever method you choose to use, make sure you do use one.

Suggested Free Plugins

This list isn’t exhaustive and we don’t suggest that they are the best available by any means.  What we do say is these are the ones we use and we seem to be doing Ok.  If you have any others that you choose to use and that you think deserve a mention then by all means, drop us a message or comment below and we’ll do our best to review and add them to this post.

WP Firewall 2 by Matthew Pavkov

We have reviewed this plugin already, it’s ace and easy to configure.

Akismet

It comes preinstalled with WordPress, get a key and enable it, why wouldn’t you?

Log in Lock by Mark Edwards / WPSecurity.net

Another great plugin who’s default install set up should be fine.  Stop repeat attempts to login by banning IP’s at 5 failed attempts.  Ban for a set time and some other nice features.  Should stop brute force scripts from repeatedly trying different username/password combo’s.

WSD Security by WebsiteDefender

A nice plugin that checks for common security issues and displays any on its own dashboard.  Once signed up to the online facility WSD Security monitor your site for changes, malicious code and other issues then e-mail you with the findings.  Good stuff.

WordPress File Monitor by Matt Walters

Install it, default settings seem to work nicely, it checks your site at set intervals for any changes to files.  You’ll get false positives which you can ignore such as cache changes or SEO logs but when you see a malicious change you’ll know it and will be able to take action before it’s too late.

ThreeWP Activity Monitor by Edward Mindreantre

A nice little tool to see what your users have been doing on your site, logging on/off, changing posts/pages, it logs times, IP’s and other data so you know who defaced your site with naughty pictures.  More of an internal tool than for hacking but worth having none the less.

Exploit Scanner by Donncha O Caoimh

This is a bit of a last resort for us as it can prove to be a bit labour intensive, however, it can also be a lifesaver when the proverbial hits the fan.  Install and run it and then be prepared to trawl through lots of false positives as it picks up lots of stuff in all your other plugins and such.  It looks for things like Base64 encoding which will have been dropped into otherwise legit files, you may know this has happened because of odd text in your pages and posts or links to other sites etc.  Hopefully you’ll never need it but if you do, it’s here.

©Feed by Frank Bültge

Not a security plugin but if you are tired of writing genuinely original copy for your website and having it stolen by idiot blogs using copy stealing software then this is worth a look.  Assign your site a unique key and from then on all of your content is bundled with that key.  All you need do then is Google your unique key and hey presto you’ll see all the sites using your work.  You can then ban their IP to stop it happening again.  Yey!

Conclusion

We have given you a lot of food for thought over the last couple of days and would hope that we have highlighted the importance of securing your wordpress site.  You don’t have to do it, but you will regret not doing it at some point.  The first time we got hacked we were hosting 12 sites on the same VPS, every site was hacked and the index of each was replaced with a picture of the Mad Hatter and a short message, all because one site was hacked and the hacker knew our other sites would be as easy to crack.  It took us weeks to recover, mainly because one or two of the backups we created didn’t work.  We soon realised that being lazy created more work and resolved to be better, since then we have remained unscathed although we know another attack is around the corner and no security is bullet proof.

So hopefully you now have the knowledge to protect yourself on this world wide web if you are using WordPress and remember, even the big boys get hacked sometimes!

Securing Your WordPress Install – Tips and tricks Volume One

Having spent countless hours setting up and writing your blog or site the last thing you want is to have it hacked by some idiot with nothing better to do.  To best prevent this you should take any and all measures to secure your site against the most common attacks.  In this article we look at the ways in which we have found best achieve this outcome at no cost, although we still think the investment in OSE Security Suite is a wise one too.

We have broken down this topic into 2 posts, todays covers hosting, installation and the .htaccess file, tomorrow’s will cover free plugins that you can install to further protect your site and how to backup and reinstall if the worst should happen.

Hosting

This is a massive subject in and of itself and something that we don’t want to get into too much detail over as we aren’t in a position to discuss what is best and what isn’t as we haven’t tested everything that we could have.  In our opinion, and we must stress that it is in OUR OPINION and not written here as fact, we think that the following guidelines make for a good WordPress experience.

1. Don’t be pulled in by adverts of easy one press installs of WordPress such as Fantastico.  These are not secure installs and you will need to do a lot of remedial work to fix what they get wrong.
2. Don’t scrimp on your hosting, you get what you pay for and if you are serious about your blog or web site then it needs a nice place to live.  Cheap hosting will be on a shared server with lots of other sites fighting for bandwidth and processor time.  We would suggest you get yourself a Virtual Private Server at the least so that way you can make sure that all your server software is up to date and secure.
3. Google terms like ‘wordpress hosting reviews’ or ‘review hosting providers’ to get a feel for what people are saying, don’t go for the first host you find.
4. Take a package that suits your needs now, but that will be easy to upgrade if your site takes off.  Can you upgrade to a dedicated server easily?
5. We think that WordPress is best hosted in a Linux environment with access to cPanel to administer the server and your site, but this is just us.

Once you have found your hosting soul mate then it’s on to the good stuff, get WordPress installed.  At this point it is our recommendation that you don’t do this until you have your site on a test platform in its first completed draft ready for export to your live site.

Pre Install

Firstly, and we shouldn’t need to say this, please only download the WordPress install package from wordpress.org.  You don’t know what has been done to any other package coming from anywhere else.  Extract the files locally on your machine and then upload them to your root directory.

However you create databases and assign users, we use cPanel, create your database and a user for it assigning a very strong password for the user, you’ll only use it once on the install screen of WordPress.  You must create a database and a user then assign that user to the database, WordPress will ask for a Database Name, a Username and a User Password.

Install

You then go to www.yourdomain.com and the install screen will appear.  Change the username from Admin to anything else, having the Admin name is an easy attack vector for the use of brute force entry for scripts.  NB.  If you are already installed and have a user called Admin, just add a new admin account with a different name and delete the existing Admin account.

Again – use a strong password.

Then make sure you change the database table prefix from ‘wp_’ to ‘wp_whateveryoulike_’ where ‘whateveryoulike’ can be anything you choose, keeping the underscore after it.  This helps you see the actual table names should you need to access the tables via phpMyadmin or something else.

That’s as much as you can do at install to secure your site so once installed the clever stuff starts.  You’ll need to use whatever ftp software you use to access the WordPress file structure or use the cPanel File Manager to get access to your files for some maintenance work.

Post Install – the .htaccess Elephant in the Room

Most people get scared when they are told that securing their site will involve adding lines of code into various .htaccess files in their sites folders, you shouldn’t.  All of the information shown on this page has been gleaned from a myriad of sources across the web which we have double checked against each other and in the codex.  There is no real knowledge needed to secure your site, just use the right things in the right places and you’ll not go wrong.  If things stop working when you’ve implemented them (and you should always do rigorous testing after changing your .htaccess file) then simply remove the code and find something else.  If you don’t already have an .htaccess file in place where we tell you to look, create one and add the lines of code to it.  Again, test, test,test after you do so.  So here goes.

Secure the install.php file

Firstly you will need to secure the install.php file by adding these lines to the .htaccess file within the wp-admin directory.  If you don’t have a file named .htaccess (the dot is necessary) in the wp-admin folder then create one and add these lines;

# PROTECT install.php
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>

Save the changes by uploading or pressing Save in the file manager.  Another way to secure this is to just delete the install.php file but this is not a great way to do it as updates may reinstall it.

Secure the WP-Admin folder

Then you need to protect your administration area which is where all the WordPress magic happens.  The best way to do this is to restrict access to it by IP Address or Addresses.  To do this you need to add the following code to your .htaccess file, again in the wp-admin folder;

# SECURE WP-ADMIN
<FilesMatch “.*”>
Order Deny,Allow
Deny from all
Allow from 123.456.789
</FilesMatch>

Where the IP Address after ‘Allow from’ is your IP Address, add more lines for adding multiple addresses.  This ensures that only you from your IP Address can access the dashboard of your site.  To find your IP Address google ‘Find my IP’, remembering that if you are a home user you may not have a fixed IP Address and may not be able to use this method.

If you are unable to do this as you access from many places or do not have a fixed IP Address you can always password protect the directory using cPanel or whichever server admin tool you use.  This adds a layer of passwords over the WordPress login and helps prevent brute force attacks.

Protect your wp-config.php file

Next protect your wp-config.php file, it’s the heart and soul of your WordPress install and has all of your important stuff in there.  If it gets compromised say goodbye to your install.  To protect it add these lines of code to your .htaccess file IN THE ROOT of your WordPress install, NOT the wp-admin section, again if you don’t have one already create one and add;

# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Whilst your there you should add a line above everything else in the .htaccess file at the root of the site to stop people listing any directories on your site.  This happens because you have folders that do not have an ‘index’ file in them, the line to add at the top is;

Options –Indexes

Capitalisation is important.  If you do not want to do this you could add a blank index file or an index file with some text in saying something like ‘stop trying to access my directory’ in it.

File and Folder Access Permissions

We then need to look at access permissions for files and folders, starting with wp-config.php.  This should be set to 644.  Either CHMOD it with your ftp software or use cPanel to change it.

Also note that file and folder permissions in the core of WordPress should be set to 755 for folders and 644 for files.  This is how WordPress is set to operate, any extra permissions to files or folders represent a security risk.

Other .htaccess security measures

Block hotlinking to your files by adding these lines of code to your .htaccess file in your sites root directory;

# HOTLINK PROTECTION
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} –f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ – [F,NC,L]
</IfModule>

Where example in line 7 becomes the main section of your domain name, so for talkingwordpress.com we would change ‘example’ to ‘talkingwordpress’

You can add restrictions to other file extensions by adding them t line 6.  Just add ‘|doc|docx|pdf’ to block Word documents and pdf’s from hotlinking.

5G Firewall

Add the 5G Firewall code to your .htaccess in your sites root directory, which can be found here;

http://perishablepress.com/5g-blacklist-2012/

Once installed test your site to make sure it is working properly, if it isn’t try deleting parts of the 5G code to see what aspects of it are causing issues.  This is a great piece of code to secure your site from lots of bad things including bots and spammers.

That’s a lot of information to take in all at once so make some time to look at it all in a logical fashion and do some research on the web at the codex and other tech blogs to make sure you are happy with what we suggest.  This is how we protect our sites including this one along with OSE’s Security Suite (which is probably way over the top but hey, rather be over protected than under!) and the ideas here should help you comfortably protect your site from the main forms of attack.

Keep an eye out for the next security instalment where we will cover security plugins and how you can use these to better protect your site on top of this.

So what does it do?

The plugin is designed to investigate web requests (via the url) checking for WordPress specific hacks to identify and stop some of the better known vulnerabilities.  There are a few powerful, generic modules that you can download that already do this but they’re not always installed on web servers, and are usually difficult to configure.  It intelligently whitelists and blacklists dangerous looking phrases by looking at known exploit attempts to let bloggers sleep better at night.  In laymen’s terms it’ll help protect your site while you’re doing other stuff.

Configuration

Upload the plugin by searching for it in the plugin installer and activate it.  Make sure it has the right e-mail address to send information on hack attempts to and that you add any IP Address you intend to access the admin dashboard from and voila, you’re good to go.  We didn’t even need to change a thing, everything was automatically picked up for us.  Easy as pie.

So how good is it?

It covers the majority of hack attempts that script kiddies will attempt on your site but it shouldn’t be the only form of defence that you employ.  Have a security programme that you employ on all of your sites that includes this and other techniques and you can’t go wrong.

Talking WordPress Rating

This is a great piece of coding that goes a nice way to helping you secure your site with absolutely no technical knowledge what-so-ever but you shouldn’t rely on this alone.  We’ll be posting some nice stuff on securing your site very soon so keep an eye out.  We rate this plugin:

8/10 – use it now, but don’t forget to implement the other stuff too.

We don’t use it so much now as we have taught ourselves how to code the HTML needed to circumvent a lot of what Simple TinyMCE does but for those of you who want to add a table into your posts, use Google Fonts without the hassle or god forbid, align something centrally then this is the plugin for you.  Think of it as mini Microsoft Word menu for WordPress.

So what does it do?

It’s a great way to do things that should be easy in the editor of WordPress that for some reason aren’t.  Adding a table to a post can be sooooooo frustrating for someone who is using WordPress because they have no web development experience and when we started it was much the same.  Cue lots of googling for ways to do it that involve <tr> tags and what not.  We think WordPress should come with a quick disclaimer pointing new users in the direction of this plugin to help lower blood pressure around the globe.  It makes adding a table as simple as it is in Micorsoft Word dealing with all the HTML for you.

There are some more sophisticated uses of Simple TinyMCE such as the ability to alter your CSS styles through a menu type interface which is a simple way to make changes for those that can’t or don’t want to hack their CSS stylesheets and the ability to add events and popup screens from links, all of which are probably a little advanced if you are here looking for a way to add a table to your WordPress post.

There are also some additional emoticon type images you can use but to be honest we aren’t 12 and haven’t used an emoticon since we had our old Nokia nk502 mobile phones back in 1998, but if that’s your bag fill your boots!

Configuration

Simple TinyMCE is nice and easy to configure, you can choose which ‘buttons’ you would like to see in your editor by simply ticking a check box in the admin panel of the plugin.  They show up in rows 3 and 4 of the editor, after the first two rows which are the standard toolbars for WordPress.

So how good is it?

So let’s not get carried away here, Simple TinyMCE isn’t going to save the world, although it may save a few computers from being thrown out of the window.  It’s great for making some things easy in WordPress if you don’t have the know how to do it manually, it’s also a great way to add google web fonts to your site without needing to know the ins and outs of how to do it.  However, this plugin shouldn’t be used as an excuse not to learn how to do these things manually, they are all easy skills to pick up and will help you further down the line with more complex things that you will want your site to do, be warned.

Talking WordPress Rating

Great for new users of WordPress but don’t become lazy because of it.

7/10 – But don’t forget to replace it with learning stuff!

Now usually we wouldn’t review three items in one post, but it’s Friday, we’re tired and lets face it, contact forms aren’t exactly exciting are they?  We have cut the list down to three plugins that we think cover all the bases from free, to reasonable, to wowsers, but that cover most of the things that we feel could ever be needed in a form.  So with no further hindrance let us introduce the three contenders (In no particular order):

1. Contact Form 7
2. Formidable Forms
3. Gravity Forms

So what do they do?

They allow a website owner to put a contact form on any page or post of thier site as they please.  These forms can be as simple as a ‘Contact Us’ form as per our site or massive surveys such as you would create with Survey Monkey or forms to upload files and information, the permutations are endless!  What is important is that it allows end users of your site to contact you with the information they need you to have.

All 3 plugins do the simple stuff, which we believe is probably more than adequate for most, however the more advanced stuff comes at a price.

Contact Form 7

This is a free plugin that displays a form for your users to fill in and sends you an e-mail when they hit submit.  The data isn’t stored anywhere apart from in your e-mail.  It doesn’t have any fancy drag and drop interface for creating the forms and it is little clunky for those who are totally uncomfortable doing any sort of coding, however a little common sense should see you through.  You create fields for your form by choosing what type of field you want from a drop down box and completing the extra fields this creates.  Once you have configured the field as you need it (is it a required field, do you want to annotate it?) you copy the code created below to the box on the left.  It uses simple <p> tags for labels and shortcodes for the field themselves.  Pretty simple and very effective for non complex forms.

Contact Form 7 has no native reCaptcha function so you will need to install Really Simple Captcha seperately.  This is easy enough and you add the short codes for this as you would any other field so if you coped with adding a field to the form you can do this too.  It is a simple captcha form but it works as you would expect.

The only other configuration options are for the e-mail that the form sends, what goes in it and where does it go.  Save the form, add the shortcode to a page and voila, you have a nice looking contact form out of the box that you can customise with your own css if you have the balls.

All in all we think that Contact Form 7 is a great bit of kit if all you need is a contact form or something equally as simple.  It doesn’t claim to be anything it isn’t and we like that, for free it is an utter bargain.

But you need fancy stuff don’t you?  Then let’s take a look at:

Formidable Forms (and Pro)

This plugin comes in two flavours, the free and pro version.  Both versions work in exactly the same way, with a nice drag and drop facility to set up your forms and are easy to configure via a simple drop down box. Both versions store all data collected in a database but this feature is only useful for those of you who buy the pro version, as you cannot download the data to a csv file with the free version.  Formidable also integrates with reCaptcha with no effort, just requiring an API Key to be entered which can be generated on the reCaptcha site.

You can see on the image to the right which fields are available on the free version and which with pro, the free version is probably comparable to Contact Form 7 but we would say it is slightly easier to use due to the drag and drop nature of the plugin.  If you want your e-mail addresses checked and verified, to be able to put forms across a number of pages and lots of other impressive stuff you’ll need to buy a pro copy.  A single site license will set you back $37 and an unlimited license will cost $97.  That might put you off but it shouldn’t, the licenses are for a lifetime and include all future upgrades of the product, help desk support and for unlimited customers priority support; we think that is pretty generous.

The big hitter in Formidable’s arsenal though is conditional logic.  ‘What?’ we hear you ask.  In easy terms you can hide a field from view if the previous answer is ‘Yes’ and show it if it’s ‘No’.  This means you can customise the form to users as they enter their answers.  A pretty powerful tool which we keep finding uses for, even if it’s just for our amusement.  And as if that wasn’t enough pro users get free access to the following addons; PayPal Integration, Mailchimp Integration, registration forms, Twilio Integration and a bunch of other stuff.  However, be warned the use of these isn’t for the faint hearted.

We like Formidable and use it alot.  It offers about all the functionality we need in a reasonably cheap package.  If you don’t need the bells and whistles go for the free version, it’s slightly easier to use than Contact Form 7 and if down the line you need something more advanced you can just upgrade without having to run 2 plugins for the same job or redo all the forms you already have in a new plugin, yes – we learnt the hard way!

So what is there beyond that, that’s pretty comprehensive?  Ladies and gents, we give you Gravity Forms…

Gravity Forms

This is the Armani of form plugins for WordPress, but it comes with relavent price tag; Personal $39, Business $99 and Developer $199 all for 1 year of upgrades and support.  It does everything Formidable does, only a little easier for the more complex stuff like PayPal Integration.  That being said you only get the ‘advanced’ addons with a developers license so expect to pay for the priveledge.

We cannot fault Gravity Forms for functionality or ease of use, but for us the cost is little steep.  We don’t need anything that fancy and like the one off cost of the previous plugin.  However, you may see a business case for forms as complex as this, we just don’t know why your reading this if you do?

Talking WordPress Ratings

We had to judge these plugins independantly and in competition with each other which made it a little complicated.  We wanted to be fair to each but try and point you in the direction of the one we think is best and hence, use on this site.  We truly do love Contact Form 7 but for an absolute beginner (who we are pitching this site at) it is a little too technical for us to champion.  We also like what Gravity Forms can do, it’s pretty, works very well and is usable, it’s just the price.  We understand they need to cover costs, but so do we and don’t charge a premium for our stuff.  So in our mind, of the three Formidable sits nicely in between the other two, cheap and easy to use for the stuff we think you’ll use.  For them reasons we are rating the plugins:

Contact Form 7: 6/10 – a cracking free plugin for the simple stuff that can be confusing to beginners

Formidable Forms: 8/10 – easy to use to a point and well priced one off payment

Gravity Forms: 6/10 – a great, complex plugin, just too rich for our blood

***  Do you have a preferred option that you would like us to cover, let us know in the comments and we can add it to the post.  ***

We have learnt alot along the way about security and over the next few weeks we will post some ideas and best practices that you should follow to keep your site secure.  However, early on in our WordPress careers we didn’t really have the first clue.  So we did what all nubes do and hit up the forums.  Good luck there people!  When you get bored trying to work it all out we suggest to you check out the software that Open Source Security are putting out.

Their OSE Security Suite crossed our paths about 2 years ago when it was still at version 1.  We decided to give it a try and wow, are we glad we did?  The software is based around Joomla!, a content management system which can be used as an alternative to WordPress and is installed as a piece of software in the root directory of your website.  There it can keep an eye on what people are doing on all of your sites and directories that are built in PHP.  So, if you use PHP Bulletin Board, Joomla!, WordPress or any other PHP based software to run any part of your site, OSE Security Suite will watch over it for you.

So what does it do?

OSE Security Suite is like a security guard that watches over sites looking for untoward activity such as SQL Injections and other stuff we have no clue about.  All we know is, when we first installed it we were getting hundreds of e-mails a week telling us it had stopped x, y and z detailing IP Addresses and lots of other useful info.  It blacklists those IP’s by default allowing you to whitelist them if they are yours or your clients.  Over time we saw a dramatic decrease in the attempts on our sites and since it’s install none of our sites have been hacked.  Can’t ask for more than that.

The suite also has a built in virus checker to scan your sites for any malicious code such as BASE 64 nastiness and does a good job of letting you know what looks dangerous and what looks Ok.  If you are unsure the support team are always quick to turn around any questions you may have and many reviews of the software testify to the fact that the creators are happy to install and configure the software for you if you are happy to hand over access of your system to them for a short while.

Configuration

Setting up OSE Security Suite isn’t a breeze, but there are detailed and accurate installation instructions on the OSE Wiki.  Should you need help the support request system has always been very quick and helpful and has resolved more than one issue for us.

The system requires that you install it as you would Joomla! or WordPress; create a database, ftp the extracted files to your server, go the URL of the site and follow the web based wizard to install.  Once installed you will need to add some code to your php.ini file in your root directory and make sure your php settings are configured correctly, we got our hosts to change them for us. Don’t be put off by this though, the online Wiki talks you through this reasonably well if you are remotely tech oriented and the support is good.  Once up and running you test the system by entering a string supplied by OSE to see how your defences are working.  Then you sit back and relax while the e-mails roll in telling you the next script kiddy has been banned.

So how good is it?

We haven’t had one hacked site since we installed it and have done practically zero maintenance of the system since we installed Version 2 a few months ago.  It costs £89 for one years subscription, £159 for 2 years and £225 for 3 years.  Not an insignificant amount but if your site makes you money then it is worth 10 times this in our opinion.  You are free to install it on as many servers as you like to cover as many websites as you like and it keeps working once your subscription ends, you just lose access to downoads and support.

Talking WordPress Rating

We know that the cost is prohibitive but until you have your site hacked you’ll never know how valuable this software is.  The proof is most certainly in the pudding for us and as long as this site stands it is most definately due to the stirling defence put up by OSE Security Suite.  It is a little difficult to install so we will be giving it

8/10 – costly, but do you want to find out how much it is really worth?