You might be a WordPress developer, WordPress plugin developer or WordPress theme developer. You may have worked with WordPress for over a decade. But have you ever wondered what it’s like to purchase a website without any knowledge of WordPress or any other CMS? Still, that’s probably true for the vast majority of all WordPress users.
The discussion was triggered a couple of weeks ago in this brilliant post by Morten Rand-Hendriksen about the average WordPress user. You know, when WordPress pushed an automatic update of our WordPress SEO plugin to cover an unfortunate security issue.
This post is about making everyday website optimization super easy for your customer. And yourself.
Everyday Website Optimization
WordPress is the Word-like tool a website owner can use to update text and images on the website. That is basically it. The rest, so will your customers assume, is taken care of. Plugins? Post Types? They don’t know and don’t care about these. They just want to change the content. That’s their everyday website optimization. So what are the things you should or could take care of?
Logging in and security
It’s already hard for your customer to remember that login URL, to be honest. /wp-admin/ you say? What does that stand for? Can’t that just be /login/? And that customer hasn’t even logged in yet. You might want to create a 301 redirect from a simpler URL. Don’t just add that WordPress meta widget in the footer – don’t you think that looks lame as well? It’s just not that professional.
Luckily, you have already changed the default admin username to a client specific one. Note that I’ve seen my share of Brute Force attacks over the last few weeks that target my exact first name instead of the admin user. Perhaps that has something to do with my login name being the same as my first name… I could have done that differently. I did just update the password again, something I do on a frequent basis.
Of course you have also installed the Sucuri plugin and configured that for your customer. They don’t even need to know it’s in there. Your main job towards your customer is to inform him that trustno1 isn’t a password. Make it CLU: Complex, Long, Unique.
Tony Perez is one of the Co-Founders and CEO at Sucuri, a globally recognized website security company focused on providing security services to website owners. Sucuri is known for their ability to effectively clean hacked websites and protect them from malicious actors.
Writing and editing
Now that the user is able to log in, he or she just wants to write posts or pages and add images. Posts or pages. Explain the difference. If the client doesn’t want to add news articles (posts), explain that dynamic content really helps the website’s rankings in Google. Besides that, regular posting will also make sure the client visits the website itself on a frequent basis. That will help keep the website up to date, of course. Your job in this is to make sure there is a news or blog page that will display the blog posts in WordPress › Settings › Reading:
“My customer still doesn’t want a news section on his website.” Consider it a service to set this up anyway. It’s a minute’s work. I have seen agencies charge hundreds of dollars to create a news section that is just two templates in WordPress. Especially when you’re creating a child theme, this is a no-brainer to me.
Just to be sure: there is a catch. If you do this, the blog page will probably display entire posts and that means duplicate content: a post is available via the blog page (in the list of posts) and on the actual page of the article itself. Just a few weeks ago, I took Easy Custom Auto Excerpt (plugin) for a spin. Found some room for improvement for a personal project I was working on, and the guys at Tonjoo fixed these within a few days. Try it for yourself.
Do I have to go there with you, frequent visitor? Probably not. But you should tell your client about our free Page Analysis (in WordPress SEO). It’s the easiest way to optimize a page and at least give some guidance to your client. Just a few things you really have to mention:
- Use one focus keyword; the exact focus keyword is used for the analysis;
- use headings in your texts for better scanning and overall user experience;
- writing a meta description also helps to determine whether the goal of your post is clear;
- add images and optimize these;
- the temptation of the green bullet.
Perhaps most important, as mentioned on our blog earlier this week, is that you should develop a Holistic SEO approach. Our blog helps you fill in the blanks, and I think most articles are written in a way that even the less tech-savvy (WordPress) user will understand how to optimize his website.
We’ve been discussing internal linking a lot. Internal links help your visitor navigate the site and help search engines find valuable connections between pages. These links are almost always relevant. Besides related posts, you should also focus on adding internal links in your texts themselves.
There are a number of plugins that automatically link certain words in articles and pages, but at Yoast, we prefer a less automated approach. If you feel a topic needs background information, add an internal link.
You can use the internal link creator in WordPress (Add link > ‘Or link to existing content’), but that one tends to flood you with suggestions and the most relevant ones are not always at the top. We have been testing Better Internal Link Search:
The most basic feature limits results to posts and pages that contain your search term in the title, rather than returning every post that contains the term in the title or content field — this greatly reduces the number of results on sites with a lot of content and should improve accuracy.
Simple features make this plugin really nice, like the option to just type ‘home’ to quickly link the homepage. You should give it a try, as this will really help your client to create valuable internal links.
A common question is whether a website should be responsive by default or whether a web developer can charge extra for that. Tough question, but from a website optimization point of view not really relevant. That’s up to you and your customer’s budget. The least you can do is point them to WP Touch, just to have that covered. Be sure to tell him mobile friendliness is an important factor for Google these days.
I’ve seen more than one responsive website that breaks on images. A couple of weeks ago I attended WordCamp London and visited an awesome talk by Bruce Lawson about responsive images and the use of the picture attribute. He also brought this plugin to our attention as an alternative: RICG Responsive Images For WordPress. The plugin adds the srcset attribute to your images, making it possible to serve a different image per screen width. This already improves the mobile user experience a lot.
Back in the day (4-5 years ago) when I was building (WordPress) websites myself, most clients did not care much about social media. Only the larger ones did. Nowadays, everybody seems to understand the ease and importance of social marketing. There are two things to consider:
- Social sharing: What platforms is the target audience using and is the client already on this platform?
- Subscriptions: What platforms is the client on, and which of these are easy to maintain for him.
Social sharing is nice, but too often the client wants to be on all social platforms, where only a few are appropriate for his business. If the social sharing options below an article or post are for more than say three or four platforms, chances are that the reader will only use one or two of these. For us, Facebook and Twitter work best. That is why we decided to cut down social sharing options to just these two.
Subscription options also vary per website and per website owner. One thing I really dislike when reviewing the use of social media in our site reviews, is adding social buttons to a site that link to a Facebook page that has not been updated since 2010. Just don’t link that Facebook page, see what IFTTT can do for you and only add that link back when you are adding content to your Facebook page on a regular basis. Replace ‘Facebook’ with any other social platform in the previous sentences.
Bottom line is that your social effort should make that subscription valuable. It’s not just about linking that social website.
Next to that, make sure to leverage a newsletter. Newsletters are great for both return traffic and bringing current events, breaking news and other interesting stuff to the attention of an interested visitor. Double opt-ins will make sure the subscriber really wants your news in his or her inbox. We send ours using Mailchimp.
The cherry on the icing on the website and SEO cake is of course speed. Speed is really important these days, both for Google and visitors. Although this is a really technical subject, WordPress plugins make it really easy to optimize the larger part of your site’s speed.
A rather new, but promising kid on the block is WP Rocket. After meeting Julio Potier of WP Rocket, we had the pleasure of testing the plugin and the simplicity of it is really appealing. Just by clicking some simple checkboxes, this happened in Google PageSpeed:
That’s a lot, right… Took me about 5 minutes to configure WP Rocket to achieve that result.
Now speed optimization isn’t just about optimizing once; you really want to do it on an ongoing basis. Clients adding images of multiple MBs in size to a blog post happens every day, right? A plugin like EWWW can help. If you have a steady relationship with your customer, you could check this, or have him check it, monthly, for instance. That way you can easily monitor whether anything has a negative effect on the site’s speed.
That pretty much rounds up your everyday website optimization. There’s just one more thing regarding your WordPress website that you should do every day: update your WordPress install and all plugins whenever there is an update available. It helps a lot in keeping your website secure. But we have written quite a lot on that subject this week already! Managed WordPress hosting could be a solution to this issue.
If you have any additions to the tips above, feel free to share these in the comments!
This release is mostly a security release. After last month’s security update we decided to have Sucuri do another in-depth review of the plugin; we found another issue ourselves that was common in many plugins, and we were informed of another issue by Jouko. For that reason, you should update immediately. The release contains a few more improvements, which I’ll highlight below.
Use the WP Settings API
When we re-built the Google Analytics plugin at the end of last year we left one bit of the old code intact: the way it stored settings. We’ve now fully migrated the plugin to use the WordPress Settings API. This makes sure we won’t suffer security issues in our own code, as we’re relying on the core code to handle options saving.
More accessible forms
A pull request by Steve Repsher added for attributes to our labels, making them correspond with their form fields. A good accessibility change for which we’re thankful!
Universal is the default
Now that Google Analytics’ Universal rollout has completed, we’ve made Universal the default for all new installs.
Fixed an annoying bug: scripts everywhere
We also fixed an annoying bug in this release. Our plugin was loading its scripts on every page, instead of on just its own pages. This led to slow loads and annoying interaction problems; those should now all be solved.
As we don’t want to drown these release notes in the bigger security news, we’ve made it into a separate post. WordPress SEO 2.1 (both free and premium have the same version number now) contains a series of bugfixes but also some enhancements I’d like to highlight in this post.
These changes come on top of the (arguably bigger) changes I mentioned in my post last Friday, be sure to read that if you haven’t yet.
WordPress 4.2 ready
This release makes sure that WordPress SEO behaves well with WordPress 4.2, of which the release is imminent. Most importantly it makes sure the taxonomy metadata is carried over well.
Twitter cards enabled by default
Recently, Twitter removed the need to validate your site before Twitter cards worked. This made it possible for us to enable Twitter cards by default, which we’ve done in this release. Now, if you’re installing WordPress SEO on a new site, you’ll get Twitter Cards as soon as you’ve activated the plugin.
We’ve also removed the use of the twitter:url meta tag, as Twitter no longer uses it and uses the canonical instead.
Update the Facebook API to its latest version
Changes like these are the kind of under the hood changes that nobody notices but are important nonetheless: Facebook has updated its API to a new version and is deprecating the old one. This leads to us being required to update the code in our plugin. You’ll notice some minor interface changes, but most of the stuff is under the hood.
Plugin conflict notices
Some plugins don’t really work together. For instance, if two plugins add Facebook OpenGraph code to a page, Facebook’s output becomes uncontrollable. For this reason we’re showing conflict notices when you install a plugin that does something our plugin does too. You can ignore them if you want to, but it should help prevent the “huh, why isn’t this working” type of issues.
Validation messages everywhere!
If you’re using a featured image for your social meta data, and that image is too small to work with Facebook, we’ll now show you an error. Also, if you’re editing title and description templates on the SEO → Titles & Metas page and you use a variable that isn’t available for that template, we’ll give you a helpful warning.
In this post, we’re announcing a security update to both our SEO plugin and our Google Analytics plugin. Chances are, a few of the other plugins you use are affected too. Read on below if you’re interested in the how and why, but make sure you go into your WordPress admin and update. Don’t just update our plugins, update all of them!!
There are several issues fixed in these releases, so we’ve got individual release posts for WP SEO and for our GA plugin. The main issue we’re fixing with this release is the wrong usage of remove_query_arg we had in both our WordPress SEO plugin and our Google Analytics by Yoast plugin.
This issue was responsibly disclosed to us by Johannes Schmitt of Scrutinizer CI (thank you!!), who found it in our SEO plugin. We discussed it with our partners at Sucuri. At first we thought it wasn’t exploitable, later on we found it allowed for XSS. In our case, you needed to be logged in as an admin to be XSS’ed, but still this was an issue to fix.
I, Joost, created the particular problem myself and was wondering how that had gotten by me, when I figured out that both the Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away. I spoke to Samuel, mostly known in the WordPress community as Otto42, and he fixed the codex. A day later, the developer docs were amended as well.
We were ready to do a security release last Wednesday. I was hesitant as I was guessing that more people had made the same mistake, because of the documentation. I talked to Dion Hulse, one of the people on the WordPress.org plugins team, and started doing a search, together with the team at Sucuri. We quickly found we were far from the only one.
A coordinated security release
As we researched, we quickly identified a few dozen affected plugins, lots of them major; the affected plugins include Gravity Forms, Easy Digital Downloads, Jetpack, WP e-Commerce, All In One SEO pack and that’s just some of the big ones. Based on this info Daniel Cid at Sucuri and myself started reaching out to those plugin developers and coordinating a big security update between all of us. WordPress Slack proved to be very helpful for this kind of coordination.
Some of these plugins had XSS issues on the frontend. We did not, so when the core team offered to do an automatic update, we opted out. The last time we did an automatic update (this is an update your WordPress installs automatically without your intervention), our WordPress SEO plugin got disabled on hundreds of sites and we didn’t want that to happen. Choices like these are tough to make: some sites might have a minor security issue now, but for many sites not having our SEO plugin enabled might actually be worse.
I must say I’m quite proud of the community getting together like this and coordinating a release in such a fluent way. There are in total 44 people in the Slack group coordinating this release, and everyone is being very professional in dealing with it. After all, we’re updating dozens of plugins, and most of them had only 3 to 4 days notice, including a weekend. All these WordPress plugin developers working together with the WordPress core security team makes me proud to be a part of this community!
For users: I don’t see the update yet!
If you don’t see the update yet, go to your wp-admin/update-core.php page, under Dashboard → Updates. This will clear the cache for all updates and should then show you the updates for our plugins.
Going to this page will also make sure any automatic updates are done a few seconds later too. Be sure to check your plugins page a minute or so later to see if all the needed plugins are still active.
For developers: how to fix the issue
The short version for developers of how to fix this issue: if you’re using either remove_query_arg without passing in the URL, it bases the URL it creates off of $_SERVER['REQUEST_URI']. In that process, it URL decodes the parameter names in the request URI, allowing for XSS. The solution is to simply wrap the output in esc_url and you’re done. Not a hard fix, but it has to be done.
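As an added illustration (not Yoast’s code, and not the exact line that was fixed), the pattern the fix describes: a plugin link built with remove_query_arg() and no base URL, first echoed raw into an href and then wrapped in esc_url(). It assumes it runs inside WordPress; the example_ function names and the settings page slug are invented, and add_query_arg() falls back to REQUEST_URI in the same way when no URL is passed.

```php
<?php
// Added example, not plugin code. Assumes a WordPress environment where
// remove_query_arg(), add_query_arg(), esc_url() and admin_url() exist.

// Before: no URL argument, so remove_query_arg() builds the link from
// $_SERVER['REQUEST_URI'] (URL-decoding the parameter names on the way), and
// the result is echoed straight into an attribute. Whatever a visitor put in
// the query string ends up in the page markup unescaped.
function example_vulnerable_reset_link() {
    $url = remove_query_arg( 'example_filter' );
    echo '<a href="' . $url . '">Reset filter</a>';
}

// After: the same call, with the output escaped for use in an attribute.
// esc_url() strips characters that are invalid in a URL and entity-encodes
// the quote characters that would otherwise close the attribute.
function example_hardened_reset_link() {
    $url = remove_query_arg( 'example_filter' );
    echo '<a href="' . esc_url( $url ) . '">Reset filter</a>';
}

// Better still, when the plugin knows which page it wants to link to: pass an
// explicit base URL, so the request URI never feeds into the link at all.
// The escaping stays in place regardless; it costs nothing.
function example_explicit_base_link() {
    $url = add_query_arg(
        array( 'page' => 'example-settings', 'tab' => 'advanced' ),   // hypothetical slug
        admin_url( 'admin.php' )
    );
    echo '<a href="' . esc_url( $url ) . '">Advanced settings</a>';
}
```

A quick audit of a code base for this pattern is to search for every add_query_arg( and remove_query_arg( whose result is echoed or concatenated into HTML and confirm each one passes through esc_url() (or esc_url_raw() when the value is used in a redirect rather than in markup).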
If you think your plugin or theme is vulnerable and want to find out, feel free to reach out to me on WordPress Slack (I’m @joostdevalk there) and I’ll show you how to exploit it. As there are still bound to be vulnerable plugins and themes out there, I’m not going to explain that here.
This post first appeared as Security updates for our GA and SEO plugins & many others on Yoast. Whoopity Doo!
We’re proud to announce the availability of WordPress SEO 2.0. This release adds new features for Google’s Knowledge Graph and improves the design, layout & usability of the WordPress SEO plugins admin screens in many ways.
Google Knowledge Graph
Google recently introduced new features for their knowledge graph, allowing you to highlight yourself in the search results as either a company or a person. This includes your or your company’s name and, if your site is for a company, the logo:
And it includes your social profiles (this is the list of social networks Google supports in their social markup):
If Google has picked this all up and shows a Knowledge Graph block for you or your company (note that we can’t force it to do that), it would look like this:
Simplified the admin menus
We’ve decided to move several admin pages under one “Advanced” page, and several tools to a new “Tools” page. This makes our entire admin structure a lot cleaner (note the screenshots are for WordPress SEO premium), compare the old (left) versus the new (right):
While this might seem mostly a superficial change, it’s very important in how we think you should perceive our plugin. The most important thing you can do in SEO is write good content; the most important section of the plugin is thus the metabox on the edit post / pages. While the features hidden under the Advanced menu are very useful, they’re not going to make your ranking go from poor to awesome. By moving them all to one advanced page, we hope to make that emphasis more obvious.
WordPress SEO Premium changes
Not a feature, but a very welcome change: we’ve made WordPress SEO Premium much, much faster in this release. You’ll notice this in the admin of your site almost immediately.
Because we’ve changed all the admin screens, all the videos had to be redone, so in WordPress SEO Premium 2.0 you’ll find a completely new set of 13 videos made by Shawn Hesketh of WP101. This is the first of these 13 videos you’ll get with WordPress SEO Premium:
Version number changes
With this release we’ve also made the version number of WordPress SEO and WordPress SEO premium the same. They’re both called 2.0. We will keep them the same throughout future releases, so we only have to communicate one version number.
Go update your WordPress SEO and let us know what you think!
It’s been quite the week here at Yoast. Our release of a security update to WordPress SEO was followed by several other major plugins uncovering similar issues and a renewed interest among security researchers into big WordPress plugins. Turns out we had another issue to patch, so today we released an update to our Google Analytics plugin (both free and premium) too.
How serious are these issues?
One of the things we should have probably communicated better is the severity of the issues at hand. Some of the news outlets made it seem as though someone could walk straight into your site because of these issues, which is not even close to true. Our partners at Sucuri did a post this week on how to understand WordPress plugin vulnerabilities that’s a good read.
If you’ve read that post you’ll learn about the DREAD score. Both the WordPress SEO issue and today’s Google Analytics by Yoast issue were assigned a DREAD score of 5. That’s “Low”, but unfortunately, it’s still an issue, so you’re advised to update immediately.
What was the issue in GA by Yoast?
We are thankful to Jouko Pynnönen for responsibly disclosing this issue to us.
Note that the fact that it’s responsibly disclosed to us means that we have not seen this issue being actively used by hackers yet. We’re fixing the hole before anyone is using it. Because we do that publicly, someone might start looking for this issue though, so please, please: update.
Are you done with those security issues yet?
I can thoroughly imagine that you’re done with these security issues. Trust me, so are we. But bugs happen, all we can do is fix them as soon as possible when we figure them out and inform you when they do. We’ve just started another review cycle with our partners at Sucuri, who will once again review all our major plugins for security issues. We work hard to prevent issues like this but sometimes we too make mistakes. For that, we apologize.
For now: update!
If you use the free version of our Google Analytics plugin, update to version 5.3.3. If you use Google Analytics by Yoast Premium, you should update to version 1.2.2, if you don’t know how, read our knowledge base article on updating premium plugins.
This morning we released an update to our WordPress SEO plugin (both free and premium) that fixes a security issue. A bit more details follow below, but the short version of this post is simple: update. Now. Although you might find your WordPress install has already updated for you.
What did we fix?
We fixed a CSRF issue that allowed blind SQL injection. The one sentence explanation for the not so technical: by having a logged-in author, editor or admin visit a malformed URL a malicious hacker could change your database. While this does not allow mass hacking of installs using this hole, it does allow direct targeting of a user on a website. This is a serious issue, which is why we immediately set to work to fix it when we were notified of the issue.
Why didn’t we catch it? Well… Long story. It should have been caught in one of our regular security reviews. The values were escaped using esc_sql, which one would expect to prevent SQL injection. It does not. You’ll need far stricter sanitization. Not an excuse, but it’s a good lesson for other developers to learn.
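An added example (not the Yoast code that had the bug) of why escaping alone falls short: esc_sql() makes a value safe only inside a quoted string literal, so a value interpolated into an unquoted position, such as a numeric comparison, is still parsed as SQL. The hardened version adds the nonce check that addresses the CSRF half, coerces the input to the column’s type and hands quoting to $wpdb->prepare(); the example_ functions and the example_links table are hypothetical.

```php
<?php
// Added example, not plugin code. Assumes WordPress, with the global $wpdb,
// esc_sql(), absint(), check_admin_referer(), current_user_can(), wp_die(),
// add_query_arg(), admin_url() and wp_nonce_url() available, and a hypothetical
// table {$wpdb->prefix}example_links with an integer `id` column.

// Before: esc_sql() only backslash-escapes quote characters, which protects a
// value placed *between quotes*. Here $id is dropped into the query unquoted,
// so an input that is not a number is still interpreted as SQL by MySQL.
// There is also no nonce or capability check, so any logged-in user who is
// lured into opening a crafted link performs the deletion (the CSRF part).
function example_delete_link_unsafe() {
    global $wpdb;
    $id = esc_sql( $_GET['id'] );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_links WHERE id = $id" );
}

// After: confirm the request was intended (nonce) and permitted (capability),
// reduce the input to the exact type the column holds, and let prepare() bind
// it with a %d placeholder so no untrusted text is ever spliced into the SQL.
function example_delete_link_safe() {
    global $wpdb;
    check_admin_referer( 'example_delete_link' );        // dies on a missing or stale nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.' );
    }
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;   // "12abc" becomes 12, "abc" becomes 0
    if ( 0 === $id ) {
        return false;                                      // nothing sensible to delete
    }
    return $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}example_links WHERE id = %d",
            $id
        )
    );
}

// The link that triggers the action has to carry the matching nonce, otherwise
// the check above rejects it. Build it with the same action name.
function example_delete_link_url( $id ) {
    $url = add_query_arg(
        array( 'action' => 'example_delete', 'id' => absint( $id ) ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_link' );
}
```

The same reasoning applies to column names, ORDER BY directions and LIMIT values: prepare() cannot quote those, so they must be checked against a whitelist of allowed values rather than escaped.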
We were notified of this issue by Ryan Dewhurst of the WPScan team, who waited for us to release an update before publishing his find to the public, for which we thank him! This type of responsible disclosure is what keeps us all safe, but it only does so if you update.
Forced automatic update
Because of the severity of the issue, the WordPress.org team put out a forced automatic update (thanks!). If you didn’t specifically disable those and you were:
- If you were running 1.7 or higher, you’ll have been auto-updated to 1.7.4.
- If you were running 1.6.*, you’ll have been updated to 1.6.4.
- If you were running 1.5.*, you’ll have been updated to 1.5.7.
If you are on an older version, we can’t auto-update you, but you should really update for tons of reasons. Of course you should really move to 1.7.4 as soon as you can anyway.
Note: If you’re using WordPress SEO Premium, you should immediately update to version 1.5.3. You can find the how-to in our knowledge base.
Over the last few months we’ve been working hard on improving how we build and test our plugins. We’re writing more and more unit tests and are trying to prevent issues from popping up. There’s one recurring issue though: we can’t test everything. Hosting environments vary so much that we have decided to do more public betas for our plugins. As a direct result of that decision, this post announces two public betas as well as reminds you of our beta mailing list.
For both plugins we’re aiming for a beta period of about a week but if too many bugs come out of a beta we’ll of course postpone release.
WordPress SEO by Yoast 1.8-beta
We’ve refactored large parts of the frontend code of our WordPress SEO plugin and heavily optimized how the plugin loads its modules in both front- and backend. Our plugin’s code on the frontend now executes approximately 30 to 40% faster, which of course is awesome. But… This almost has to lead to bugs, and while we’ve fixed a fair few and our unit tests all succeed, we’d like you to test.
Most important here is testing whether there are any major differences in meta data between your pages with the current WordPress SEO plugin and this beta. This beta introduces a few new features around Twitter cards (Twitter cards on every page, support for the Twitter Gallery card) but all the other meta data should be the same.
Another thing that should work better in this release is everything to do with characters with accents, umlauts etc in the focus keyword and all the tests around that.
(or check it out from GitHub but in that case make sure to update Git sub-modules too)
Note: this is beta software. Do not use on production environments.
Google Analytics by Yoast 5.3-beta
The release of the dashboards for our Google Analytics plugin has been a bit of a bumpy ride. We’ve made some mistakes and have had to scramble to fix those. Brian Krogsgard actually wrote a nice post over on Post Status about it, if you’re interested in the background. We think this beta release fixes some of the last remaining issues but we’re having a hard time confirming those, so we decided to ask a wider audience to test.
This beta has the option to completely disable the dashboards functionality, should you want to. It should also no longer show any notices about re-authentication or at least show them way less frequently than it did for some people.
(or check it out from GitHub but in that case make sure to update Git sub-modules too)
Note: this is beta software. Do not use on production environments.
How to give feedback
So you want to test and give feedback? Awesome, thank you! We’d prefer your feedback in the form of new issues on GitHub (make sure to mention the beta) or as emails to beta at yoast.com.
The beta mailing list
We have a mailing list for beta testers that we’ll be using more often, you can sign up for that here. We’ll send new versions of the betas out to that mailing list too so make sure to subscribe if you’re testing.