WordPress – Before you begin creating your website
Some of what I’m about to tell you in this post, you might not like very much (just to forewarn you). The reason I’m telling you this now is so that you can decide whether WordPress is what you want to use to make your site.
“But I can change later, right?”
Well, yes you can, but you’d have to completely remake your site if you did. Why? If you make a site using WordPress, then decide to use a different content management system, you can’t then use that new content management system to edit the site you’ve already made with WordPress.
Switching CMS means recreating your site from scratch in the new one. This isn’t specific to WordPress; it’s generally true of any move between content management systems.
It’s best to start as you mean to go on. This avoids a lot of time and effort associated with remaking or recreating your site when switching content management systems.
WordPress isn’t to everyone’s liking. Reading the rest of this article might give you an idea if you’ll be comfortable using WordPress to make your site. You could also install WordPress and try it out before you get started with putting all your content together and doing all the other things you’re going to need to if you do decide to use WordPress.
Yes, there’s more to WordPress than just making your site’s content. If reading that sentence alone has unnerved you, keep reading, then maybe try it before putting a lot of effort in. That effort will be wasted if you decide you don’t like using WordPress and then want to switch to a different content management system.
A brief history of WordPress
WordPress was created in 2003 by Matt Mullenweg and Mike Little. Matt and Mike had been using blogging software called b2/cafelog, but the development of b2/cafelog had been discontinued. They decided to create a new piece of blogging software that would be more user-friendly and customisable. WordPress was the blogging software that they created.
The first version of WordPress was released on May 27, 2003. It was simple blogging software, but it already let users customise their blogs with themes and plugins: anyone who could write PHP could produce a plugin or theme that integrated with WordPress. WordPress quickly gained popularity, and by 2005 it was the most popular blogging software in the world.
Yes, that’s right, WordPress started off as blogging software. Not website creation software, blogging software.
The customisable aspect of WordPress, which allowed anyone to make plugins and themes for it, gave it a great deal of flexibility. This in turn allowed people using WordPress to adapt it into presenting a site, rather than a blog.
It’s both good and bad at the same time.
“What? How? What do you mean? That’s an oxymoron.”
You’re right, bear with me though, I’ll try and explain.
As I’ve mentioned above, WordPress allows anyone to make plugins and themes to customise WordPress.
The theme is effectively an overall site template that gives your site a consistent look and feel, which is good. You have to install the theme, though; it’s not just there waiting to be selected. Different themes have different functionality according to how they were created, so you might have to try out a few before you find one that does what you want. It also means that if you switch themes to change the look and feel of your site, you might find that some options the old theme had aren’t present in the new one. Then again, the new theme might provide options that the old one didn’t.
Plugins provide functionality. By this I mean that you install plugins to make your site do things. Take a contact form, for example: you have to install a plugin to be able to set one up (unless your theme has one built in). That’s not the only thing, though. As you make your site you’ll want more features that do different things, so you’ll need to add plugins as you go.
WordPress’ built-in page builder isn’t something a lot of people find easy to use at the first attempt, so a lot of people install a page builder plugin to make creating and editing pages easier. It’s not great that this is the situation, but it is great that there are plugins available to make editing and creating website content easier.
Now bear in mind, that there’s no single author of plugins or themes. They’re all made by different people. Different people making different things, means code bases controlled by different parties. All these different code bases working nicely together? Well, they should, just like everyone should get on in the pub. Then again, I’ve seen a few punch ups in pubs.
This site has 2 themes (one parent, one child) and 16 plugins, all running in WordPress. That’s 19 different codebases in total, just to run this site. All of these come from different authors. Do they speak to each other? I doubt it. Then again, the plugins and themes that are available are part of what gives WordPress its flexibility and versatility, and if I decide that I want to start running a fantasy football league on a page, I daresay there’s a plugin for that. Oh yeah, there is.
Because of how WordPress has evolved, and because anyone can make plugins or themes, the interface isn’t the most friendly to use. It’s not very intuitive. It’s also very variable (according to which plugins and themes are installed) with regard to what you’d click on to perform a specific function.
There is no universal “you do this to make this happen”.
If you’re new to WordPress and have an idea of something specific you want to achieve on your site, it’s not always immediately obvious what you click on or do in WordPress to do this. You may also have to install a plugin to achieve what you want to carry out. That plugin’s options or configuration might appear in WordPress’ menu, or it might appear within an option that’s already in the menu.
There can be a lot of poking around looking for things in WordPress due to these factors.
Whilst there is a lot of flexibility available, that comes with an element of working things out as you go.
If you’re making a site for personal use or for a club that club members visit, then optimisation isn’t too much of a factor as you’re not really looking to use your site as a mechanism to promote something, such as a business or a product.
Then again, if you want to use the site you’re making to promote a business or product, and to be found online, then you’re going to have to take steps to make your site look more favourable to the likes of Google. Some of this is specific to content, keywords and what you present on your site, but there’s another aspect Google takes into account, which is how your site performs. Improving performance is generally termed optimisation.
WordPress optimisation isn’t the easiest thing to do, especially if you’re not that computer orientated. I’ve written a whole post giving an overview of WordPress optimisation which you might consider taking a look at (go straight to the summary at the bottom for a “quick glance”). Alternatively, if you feel brave, you could take a look at this blog’s entire WordPress optimisation category here.
This might seem daunting, but if you’re going to be concerned about things like page ranking in search results, you’re going to need to be able to optimise your WordPress site. If you’ve spent hours making a site you love, it could be quite disappointing to then find out that you need to do something you can’t. The reason I made both this page and the one linked above is essentially to help you avoid that disappointment and possibly wasting a lot of time and effort. I’ve also written a post on how to save yourself the hassle with WordPress optimisation, aimed at helping you find out things you’d otherwise only find out with time, effort and a bit of trial and error.
One of the good things about using WordPress in your own hosting account is that you ARE able to optimise it to improve Google’s page speed audits of your site. If you used an easy website-builder company like Weebly or Wix, you’d have very little scope for page speed optimisation, as you wouldn’t have access to the underlying code, and you’d be subject to whatever code base they alone provide you with.
There’s quite a lot of reading in this section. If you can’t be bothered with it, here are the important points:
- Apply available updates (to WordPress itself, and to every plugin and theme)
- Know what you’re running (the WordPress core version, and every plugin and theme, including ones that are installed but not activated)
- Subscribe to security bulletins
- Periodically check whether anything you’re running is listed as vulnerable
- Remove anything known to be vulnerable if it’s unpatched (i.e. no security update is available). Delete it rather than just deactivating it: a deactivated plugin’s files are still sitting on the server, and some vulnerabilities are in files that can be requested directly whether the plugin is active or not.
What you have running in your WordPress combines to make a web-based application: a program that runs on the internet.
The internet isn’t a nice place. Trust me on this.
If you run a program on the internet that’s full of security holes, it’s probably just going to be a matter of time before someone nasty puts something in it that shouldn’t be there. This might sound daunting, but I’ll cover this aspect shortly after we get to installing WordPress, because you will need to take some security measures immediately after installing it.
There are some very basic standard security measures that you can take to cover a lot of the security aspects of WordPress, but you do need to keep your eye on things to make sure that your WordPress is kept secured.
Yes, that’s right, there’s an ongoing effort. Unfortunately it’s not really the case that you can get your site up and running, then go, “right, that’s that done, I’ll just leave that as it is forever”.
Why? New vulnerabilities are discovered all the time, not just in WordPress but in all kinds of software. When someone writes software, they generally do so to perform a specific task. While security is most likely on developers’ minds, covering absolutely every aspect of what might happen is quite a hard thing to do.
Very generally speaking, a piece of software can contain a vulnerability that remains undiscovered for some time. It’s when the vulnerability is discovered that things start to become a problem, because malicious parties (hackers) will try to exploit it. The people who made the software then, most likely, develop a patch to fix or mitigate the vulnerability. People using the software apply the patch (usually in the form of an update) to close the hole. Until they do, the software is both publicly known to be vulnerable and still exposed, and that gap is exactly what attackers count on.
Remember what I said about there being lots of code bases involved in a WordPress installation? The paragraph above applies to all of them. That means there are lots of different code bases that could be vulnerable, and lots of different people involved in providing updates to secure them. This also means you’re going to need to keep your WordPress installation updated, essentially to keep it secured.
To give you an idea of numbers, iThemes (who provide both free and paid versions of a security plugin) send out a monthly vulnerability report. You can see archives of these on their blog. At the time of writing, the most recent report details 1 WordPress core vulnerability, 82 plugin vulnerabilities (some of which are still unpatched) and 3 theme vulnerabilities. It seems like a lot, but given there are roughly 9,000 themes and over 50,000 plugins available, it’s proportionately not that many. Then again, it only takes one of them to be something you’ve installed.
That said, malicious parties will “look” for these vulnerabilities, and if they find them, they’ll try to exploit them. I say “look” because they aren’t actually looking by hand. They write programs that go and check sites for them, in bulk; these are generally called scanners or bots. If someone can write a program to check sites for a vulnerability, they can also write a program to exploit it and compromise the site, and another to do something with the compromised site afterwards. Your site doesn’t have to be interesting to be found; it just has to be reachable.
The good news is that there are plugins you can use to cover a lot of the above, such as:
- Security plugins (iThemes Security or Wordfence)
- Update managers (Easy Updates Manager or Auto Updates; WordPress itself has also offered per-plugin and per-theme automatic updates from the Plugins and Themes screens since version 5.5)
- Vulnerability checkers (WPScan or Security Ninja)
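To show what “know what you’re running, subscribe to bulletins, check periodically, remove what’s unpatched” looks like when it’s automated rather than done by eye, here is an added example of my own; it is not code from the original post or from any of the plugins named above. It assumes an inventory shaped like the JSON that WP-CLI’s `wp plugin list --format=json` and `wp theme list --format=json` produce (name, version, status), with a `type` field and a row for core added, and a bulletin that follows the common feed convention where `fixed_in` is the first safe version and `None` means no fix exists yet. Every slug, version and advisory in it is constructed sample data, not a real one.

```python
"""Cross-check what a WordPress site is running against a vulnerability bulletin.

Added example, not code from the original post. The inventory is shaped like
WP-CLI's `wp plugin list --format=json` / `wp theme list --format=json` output
(name, version, status) plus a "type" field and one row for core. The bulletin
is a stand-in for whatever feed you subscribe to: `fixed_in` is the first safe
version, and `fixed_in: None` means the author has not shipped a fix. All slugs,
versions and advisories below are CONSTRUCTED sample data, not real ones.
"""
import re

# ---- constructed sample data (assumed shapes, see docstring) -------------
SAMPLE_INVENTORY = [
    {"type": "core",   "name": "wordpress",         "version": "6.2",   "status": "active"},
    {"type": "plugin", "name": "acme-contact-form", "version": "2.1.0", "status": "active"},
    {"type": "plugin", "name": "acme-gallery-lite", "version": "1.4.2", "status": "inactive"},
    {"type": "plugin", "name": "acme-seo-booster",  "version": "3.0.1", "status": "active"},
    {"type": "theme",  "name": "acme-starter",      "version": "1.0.3", "status": "active"},
]

SAMPLE_BULLETIN = [
    {"type": "plugin", "name": "acme-contact-form", "fixed_in": "2.1.3",
     "title": "stored XSS via form field (constructed)"},
    {"type": "plugin", "name": "acme-gallery-lite", "fixed_in": None,
     "title": "arbitrary file upload, no fix available (constructed)"},
    {"type": "plugin", "name": "acme-seo-booster",  "fixed_in": "3.0.0",
     "title": "SQL injection in settings page (constructed)"},
    {"type": "theme",  "name": "acme-starter",      "fixed_in": "1.1.0",
     "title": "reflected XSS in search template (constructed)"},
    {"type": "plugin", "name": "acme-newsletter",   "fixed_in": "4.2",
     "title": "privilege escalation (constructed; not installed on this site)"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$")


def parse_version(text):
    """Turn '5.3', '5.3.0' or '2.0-beta1' into a tuple that sorts correctly.

    Trailing zeros are dropped so 5.3 == 5.3.0, and a pre-release tag
    ('beta1', 'rc2') ranks below the plain release of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    tag = m.group(2)
    # (numbers, 1, "") for a release; (numbers, 0, tag) for a pre-release
    return (tuple(nums), 1, "") if tag is None else (tuple(nums), 0, tag.lower())


def find_exposures(inventory, bulletin):
    """Return one finding per advisory that applies to an installed component.

    action is UPDATE when a fixed version exists, and REMOVE when none does
    (delete it; a deactivated plugin's files are still reachable on disk).
    Inactive components are checked too, for the same reason.
    """
    installed = {(c["type"], c["name"]): c for c in inventory}
    findings = []
    for adv in bulletin:
        comp = installed.get((adv["type"], adv["name"]))
        if comp is None:
            continue  # advisory is for something this site doesn't have
        if adv["fixed_in"] is not None and \
                parse_version(comp["version"]) >= parse_version(adv["fixed_in"]):
            continue  # already at or past the first safe version
        findings.append({
            "type": adv["type"], "name": adv["name"],
            "installed": comp["version"], "status": comp["status"],
            "fixed_in": adv["fixed_in"],
            "action": "UPDATE" if adv["fixed_in"] else "REMOVE",
            "title": adv["title"],
        })
    return findings


def format_report(findings):
    """One line per finding, suitable for the output of a scheduled job."""
    if not findings:
        return "Nothing installed matches the bulletin."
    lines = []
    for f in findings:
        fix = f"update to {f['fixed_in']}" if f["fixed_in"] else "NO FIX, remove it"
        lines.append(f"{f['action']:6} {f['type']}/{f['name']} {f['installed']} "
                     f"({f['status']}): {f['title']}; {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_exposures(SAMPLE_INVENTORY, SAMPLE_BULLETIN)))
```

Run against the sample data it reports the contact form and theme as needing an update and the inactive gallery plugin as something to remove, and stays quiet about the SEO plugin because 3.0.1 is already past the fix. The point of the inactive row is deliberate: “not activated” is not “not installed”.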
It started off as a blog, remember?
This follows on from the security section above.
There are things blogs need to do, such as having subscribers and letting them comment on posts. If you’re not running a blog then you probably don’t want these things, so you’ll need to turn them off.
“Can I just leave them?”
You could, but that might be a bit like leaving your front door unlocked at night. You might get away with it, but then again you might not. Your “front door” also faces out on to the whole world, and there are a lot of people looking for unlocked front doors in an automatic, hundreds-of-glances-per-second kind of way.
Take subscriber registration, for example. You’d want this on a blog so that subscribers receive update notifications and are able to leave comments on blog posts. If you’re running a site rather than a blog, though, you’re unlikely to need it. If you don’t need it, turn it off. Turning off what you’re not going to use means there are fewer ways to abuse your website.
Just for example’s sake, let’s say you’re unknowingly running a plugin with a privilege escalation vulnerability (one that lets a subscriber turn themselves into an administrator). If you turn off user registration, attackers can’t create the low-privilege account that the attack starts from, and so can’t make use of the vulnerability to take over your website. The flaw is still there, but the path to it is closed, which buys you time to update or remove the plugin.
Prevention is better than cure.
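The registration setting above is a real WordPress option (`users_can_register`, stored in `wp_options` as “0” or “1”, alongside `default_role`, which decides what a self-registered account becomes). As an added example of mine, not code from the original post, here is a small audit that checks those two values and also lists any account you didn’t create yourself, since a successful subscriber-to-administrator escalation leaves exactly that behind. It assumes a user list shaped like WP-CLI’s `wp user list --format=json` (with roles as a list rather than a comma-separated string), and the logins and values in it are constructed sample data. The fix commands are genuine WP-CLI invocations.

```python
"""Audit the blog-style settings the post says to turn off on a non-blog site.

Added example, not code from the original post. Inputs are the raw values of
two real wp_options rows (users_can_register, stored as "0"/"1", and
default_role) and a user list shaped like `wp user list --format=json`, except
that roles are a list here. Logins, roles and option values below are
CONSTRUCTED sample data. The "fix" strings are real WP-CLI commands.
"""

# ---- constructed sample data ---------------------------------------------
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "subscriber"}

SAMPLE_USERS = [
    {"user_login": "siteowner",    "roles": ["administrator"], "user_registered": "2023-01-10 09:12:00"},
    {"user_login": "wpuser8831",   "roles": ["subscriber"],    "user_registered": "2023-06-02 03:41:17"},
    {"user_login": "backup_admin", "roles": ["administrator"], "user_registered": "2023-06-02 03:44:05"},
]

# Accounts you created yourself. WordPress doesn't record this; you have to.
KNOWN_LOGINS = {"siteowner"}

_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def audit_registration(options, users, known_logins, is_blog=False):
    """Return findings as dicts (severity, message, fix), most severe first.

    is_blog=True suppresses the open-registration finding, since a blog
    legitimately wants subscribers; the role and unknown-account checks stay.
    """
    findings = []
    registration_open = options.get("users_can_register") == "1"
    default_role = options.get("default_role", "subscriber")

    if registration_open and not is_blog:
        findings.append({
            "severity": "HIGH",
            "message": "anyone can register an account; a non-blog site doesn't need this",
            "fix": "wp option update users_can_register 0",
        })

    if default_role != "subscriber":
        # Worse when the public can register and land straight in that role.
        findings.append({
            "severity": "CRITICAL" if registration_open else "MEDIUM",
            "message": f"new accounts default to the '{default_role}' role instead of subscriber",
            "fix": "wp option update default_role subscriber",
        })

    for u in users:
        if u["user_login"] in known_logins:
            continue
        is_admin = "administrator" in u["roles"]
        findings.append({
            "severity": "CRITICAL" if is_admin else "MEDIUM",
            "message": (f"account '{u['user_login']}' ({', '.join(u['roles'])}, "
                        f"registered {u['user_registered']}) was not created by you"),
            # --reassign hands any posts they own to one of your accounts
            "fix": f"wp user delete {u['user_login']} --reassign=<your user ID>",
        })

    findings.sort(key=lambda f: _ORDER[f["severity"]])  # stable, so input order kept within a level
    return findings


if __name__ == "__main__":
    for f in audit_registration(SAMPLE_OPTIONS, SAMPLE_USERS, KNOWN_LOGINS):
        print(f"[{f['severity']}] {f['message']}\n    fix: {f['fix']}")
```

On the sample data the unknown administrator comes out on top, the open registration second and the stray subscriber last. If you’d rather not use WP-CLI, both options are the “Anyone can register” checkbox and “New User Default Role” dropdown under Settings, General in the admin area.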
WordPress, plugins and themes have all had quite a history of vulnerabilities. I’ve seen a lot of sites get hacked, not just WordPress sites, lots of different sites. WordPress sites do attract more of this malicious activity, though, quite simply due to the mixed code bases, the history of vulnerabilities and the sheer number of sites running it, which makes any one vulnerability worth automating. You will need to take some security measures simply because you’re using WordPress. I’ll cover this in a later post. It’s not as bad as it sounds.
Why do people hack websites?
This has changed over time.
When I first started working in web hosting, hacking mostly consisted of defacing sites to gain kudos.
A year or so later, the hackers’ objective was to be able to send spam. The spam varied. Sometimes it would look like a legitimate email with a button that linked to a malware download. Sometimes it would be confidence-trick based. Sometimes it would just be a list of links.
At the same time as the spam situation I was reading McMafia: A Journey Through the Global Criminal Underworld by Misha Glenny. This book had a very interesting chapter about hacking and how a lot of it was overseen by criminal gangs in an effort to make money. The gangs would take advantage of countries with good educational systems but poor job markets to recruit computer science graduates and pay them to hack. The hackers would then make money, usually for an employer. There’s also the fact that some countries have no laws about hacking (so hacking, from within one of those countries, isn’t actually illegal there). Is it legal for people in those countries to hack your site? There’s no law in their country that says it isn’t.
As time went on things changed. With the increase in popularity of digital currencies, we’d see hacked sites having cryptocurrency miners injected into them. We’d also see sites hacked to insert backlinks to other sites, to give those sites a better SEO score and improve their search ranking. There was also a rise in the availability of “security testing” tools, although these were really hacking tools that had been given a semi-legitimate label. My favourite was a tool designed to hack a particular type of hosting platform, where the site advertising it was hosted on the very platform the tool was designed to hack. I couldn’t work out if it was some kind of ironic hacker joke or not.
Very generally speaking, hackers aren’t having a go at you. It’s not personal and there’s no ego involved. They’re just making use of an open mechanism to get at some server-side resource (your disk, bandwidth, CPU, mail sending or search reputation) for something that’s ultimately going to make them money.
If your site does get hacked…
Firstly, well done for spotting it. The best hacks go undetected. Give yourself a pat on the back to mitigate some of the butt-clenching fear you may be engulfed in.
I’ll cut to the chase though. Delete your site, then make it again as though it had never existed in the first place: a fresh copy of WordPress, fresh copies of your plugins and themes from their official sources, and your content put back by hand rather than copied across from the hacked install. I know that’s probably going to sound like a lot of work, but it’s really the only way to know that you’re running clean code. As Ripley said in Aliens, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”
A lot of people won’t want to do this, and efforts will be made to clean and secure their site instead. The problem is that once a site’s been hacked, you don’t really know what’s been done to it. A lot of hackers will insert backdoors into sites so that they can maintain access even if the original hole is closed post-hack, and a backdoor can be a single extra file, or a few lines added to a legitimate one, that a clean-up easily misses.
I’ve seen a lot of people stuck in a cycle of repeatedly cleaning and securing sites and then getting hacked again. I’ve seen this go on for months in some cases. Some people get on top of things, some people don’t. Personally, I’d go with investing time and effort into a complete remake in the first instance, and save on the clean-up-and-secure effort. Two things to do as part of that remake, whichever route you take: keep a copy of the hacked site somewhere off the server so you can work out how they got in, because rebuilding with the same vulnerable plugin just gets you hacked again; and change every password and key involved (WordPress accounts, the database, hosting/FTP and any API keys), since a rebuild that reuses credentials the attacker already has isn’t a clean start.
Hackers are generally very clever people. If you and I were as clever as them we’d be writing our own site code, rather than using WordPress to generate it for us.
I hope I haven’t put you off with all this. That said, if you read the above, started crying and hammered the keyboard thinking “I just want to make a website!!!”, you might want to have a look at what else is available for making a website.
Although this blog has taken priority, I hope to have a walkthrough that uses something with a lower effort overhead than WordPress in the not too distant future. I’ll keep you posted.
Part of the purpose of this WordPress-orientated blog is so that you can benefit from what I had to find out the hard way. I’ll try to make it as straightforward for you as I can. Although there’s a lot of reading here, it’s going to take you less time to read this than it is to find things out for yourself.
There is also the option of paying someone to do the leg work for you.
There’s nothing out there that does everything you might want it to, can be made to look how you’d like it to, that has an intuitive easy to use interface, and is run by a bunch of people unifying a code base to make it all work properly, and be totally secure. Everything available has some kind of shortcoming.
WordPress, although it might need a security cuddle, some updates to feed on, a bit of getting used to and some work to get it doing what you want, is one of the more versatile and flexible content management systems available, for free, to anyone who wants it. That’s why about 40% of the sites on the internet are made using WordPress.
It takes a certain sort, I’ll have to admit.
If you struggle with computers or find them frustrating, then WordPress might make your brain melt. I’ve got a friend who’s a programmer who tried using WordPress to make his wife a website. His take on WordPress was :
“WordPress? What’s that all about? It’s virtually unusable out of the box.”
I must admit, my sentiments were similar the first time I used WordPress. Then I started tinkering, reading, trying things out, and applying what I know about the underlying stack, and slowly but surely things started to fall into place.
If you have an inquisitive nature, like solving problems and maybe doing experiments to see what happens, then you’ll get there with WordPress, it just might take a bit of time.
Working with WordPress also requires a lot of patience and a tolerant nature. Sometimes you’ll find out that something isn’t great or needs changing after you’ve put a lot of work into it. There might be a time when something like an update causes an undesirable situation, and you’ll need to work out how to address it. There can be a lot of working things out when using WordPress.
The more you use WordPress, the easier it will become.
Nobody rode a bicycle perfectly the first time. Nobody jumps into a pool and instantly butterfly strokes to the other end (and looks good doing it) on the first try.
I didn’t appear on this earth knowing how to use WordPress. I had to work it out. Really, why I’m writing all this is to help you work it out too, but nobody can completely do that for you, a lot of this is going to be down to you.
I’m just trying to help reduce some of that time overhead with what I’m writing here.