WordPress is hoping to have a GDPR compliance solution built into WordPress core in time for launch prior to May 25th when the General Data Protection Regulation goes into effect.

The GDPR tools they are going to provide require widespread adoption, and therefore shipping these tools only as plugins would not ensure full adoption.

Using hooks and filters in WordPress core, it will be possible for plugin developers to provide information on where their plugins store personal data. This will allow WordPress core to fetch this data and output it in the WP backend to help WordPress administrators find, send and anonymise data on request from a user of their services, in order to comply with GDPR requirements on making user data available to users on request.

They are hoping to have this first integration ready in time for the 25th of May 2018 with the next WP release. As I write this, a second release candidate package for 4.9.6 has been released and is now available for testing.

In the meantime, here’s what you need to be doing as a website owner to comply:

Detect and list cookies in use on website

There are a number of cookie detection services out there, but they can be expensive. Some of them you sign up for on a monthly subscription and they will monitor the site for changes in cookies etc., but we have found these can be problematic. For example, when using a caching plugin on your site (which it is usually advisable to have), the crawl of the site returns zero cookies in use until you turn off the cache plugin and test again. So you need to know what you are doing, and if you want to keep your cache plugin enabled the cookie crawler may not pick up any changes to cookies, in the same way it didn’t pick them up in the first place.

One option we found that requires some work on your part, but does give a list of cookies in use based on a recording of a visitor session (with you acting as the visitor), is a free software offering from Attacat. It’s a Google Chrome extension and they give instructions on their website on how to use it: https://www.attacat.co.uk/resources/cookies/

Up to date Cookie Policy

Once you have detected what cookies are in use on your site, you need to list them in your cookie policy.

Install Cookie Consent Plugin

We find WeePie Cookie Allow to be best at the moment as it allows us to present a choice to accept or decline from the time a visitor arrives on the site and it gives the option to reset their choice at any time with a Reset Button. It’s the one we use on wpconsult.ie https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528

Up to date Privacy policy

This is something that is definitely required under GDPR, as you need to explain to users how you store their data, how you will use it and for how long you will hold on to it. Here is an article with some privacy policy generators: https://digital.com/blog/best-privacy-policy-generators/

We find https://getterms.io/ very good, they have a Basic, Custom and Comprehensive package.

WordPress are saying that they will bring in a tool to the core that can help generate a privacy policy for you based on the functionality of your website. But in the meantime try some of the above.

Install SSL Security Certificate to protect user privacy

In some cases this is something that will be available for free from your web hosting provider. We use Siteground and it’s available to us. By the way, Siteground are fantastic!

Online Contact Form tick to consent option

This will be required, even for contact/query forms. While I know it should be obvious to anyone filling in a contact form to request a callback that they are giving permission for you to have their information in order to call them back, you will still have to ask for consent. So, create a checkbox in your form that they must tick, and it can’t be one that is already ticked in advance.
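As an added example (not code from the original post), here is how the consent checkbox can be enforced on the server side rather than trusted to the browser: the box is rendered unticked, the handler rejects any submission where it was not explicitly ticked, and a small consent record is kept so you can later show when and under which policy version consent was given. Field, function and constant names are assumptions for illustration.

```php
<?php
// Added example: server-side handling of an explicit, unticked-by-default
// consent checkbox on a contact form. Names here are illustrative assumptions.

const CONSENT_FIELD  = 'privacy_consent';
const POLICY_VERSION = '2018-05-25'; // constructed: date of the privacy policy in force

// Render the checkbox WITHOUT the `checked` attribute: consent must be an
// affirmative act by the visitor, never a pre-ticked default.
function render_consent_checkbox(): string
{
    return '<label><input type="checkbox" name="' . CONSENT_FIELD . '" value="1" required> '
         . 'I agree to my details being stored and used to reply to this enquiry '
         . '(see our <a href="/privacy-policy/">privacy policy</a>).</label>';
}

// Validate a submission. Returns a list of error messages; empty means OK.
// The consent check is strict: the field must be present and equal to "1",
// so an absent field, an empty string or a tampered value is all refused.
function validate_contact_submission(array $post): array
{
    $errors = [];
    if (trim((string)($post['name'] ?? '')) === '') {
        $errors[] = 'Name is required.';
    }
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'A valid email address is required.';
    }
    if (($post[CONSENT_FIELD] ?? null) !== '1') {
        $errors[] = 'You must tick the consent box before we can process your enquiry.';
    }
    return $errors;
}

// Build the record stored alongside the enquiry so consent can be evidenced
// later (GDPR accountability). The visitor IP is kept only as a salted hash;
// $salt is a secret from your own configuration.
function build_consent_record(array $post, string $ip, string $salt, int $now): array
{
    return [
        'email'          => $post['email'],
        'consent_given'  => true,
        'consented_at'   => gmdate('c', $now),
        'policy_version' => POLICY_VERSION,
        'ip_hash'        => hash('sha256', $salt . $ip),
        'purpose'        => 'reply to contact form enquiry',
    ];
}

// Usage on a constructed sample submission.
$submission = ['name' => 'Jane Doe', 'email' => 'jane@example.com', CONSENT_FIELD => '1'];
$errors = validate_contact_submission($submission);
if ($errors === []) {
    print_r(build_consent_record($submission, '203.0.113.5', 'constructed-salt', time()));
} else {
    print_r($errors);
}
```

Drop the `CONSENT_FIELD` entry from `$submission` and the handler returns the consent error, which is the behaviour a pre-ticked or missing box must produce.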

Install Security Plugin to monitor for potential data breach

You will be required to inform users of a data breach within 72 hours of becoming aware of it, and you will also have to show that you took reasonable precautions to protect their information. From a WordPress perspective this means using a security plugin to monitor for possible hacks or breaches.

Let’s have a look at the indicators we should look out for that might suggest we have a hacked WordPress website.
There are many sure signs that will inform you that your site has been hacked and tampered with, but there are also some more subtle ones that can cause the hack to go undetected for longer.

Here I will explain in detail, some of the indicators to look out for that show your WordPress website, either is, or may have been hacked.

1. A defaced or obviously compromised homepage

The most obvious and visible sign that your site has been hacked is the homepage of the site being defaced. While most hackers will want their activities to remain unknown for as long a time as possible, some will make the hack obvious.

So, if the intention is usually to go undetected, you might wonder why some hackers want to make their message known. They can sometimes be what are known as Hacktivists or Grey Hat hackers. The hacktivist is motivated to spread religious, social or political messages etc., while the Grey Hat hacker may want you to know that you are hacked and will be happy to inform you that to have the hack reversed you need to pay them.

Plus, they could also just be practicing on your site at random. Usually, though, the hacker’s motivation is money, exposure or the use of your server’s resources to continue their work.

2. Bad/spammy links on your website

Spam link injection remains one of the most prevalent signs of a hacked site. The hackers may have found a way of gaining access to your website (a back door) in order to alter your WordPress database and files.

Once inside they can create links to spammy sites, as that’s usually the intention. These links can be anywhere on your site and can be hard to find. And even if you do find and delete the links, it’s not necessarily the end of the problem.

The back door is the real issue here and you need to find it or go back to a time before the hack and restore your files and database to that date. This is why it’s crucial to have your site backed up on a regular basis, and preferably off site on a different server.

3. Presence of unknown files and scripts on your server

If you know what you are looking for (and not many do), or you are using a Security Plugin (which you should be), you may become aware of modified or suspicious new files. If you are using a good security plugin such as Wordfence or Sucuri for WordPress you will receive a notification of the presence of these kinds of files, or of scripts contained within new files on your server. Most likely, these suspicious files are named to look like WordPress files in order to conceal their identity.

Prevention is always better than cure and picking up the existence of these offenders early is always better than leaving your site unprotected. That is why it is crucial to have security monitoring in place at all times.
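To show what the security plugins mentioned above are doing under the hood, here is an added example (not code from the original post or from any plugin) of a minimal file-integrity check: take a baseline of file hashes while the site is known to be clean, then compare later scans against it and report added, missing and modified files, flagging PHP files under wp-content/uploads where WordPress never places code. It runs stand-alone on a constructed temporary tree; function names are assumptions for illustration.

```php
<?php
// Added example: baseline-and-compare file integrity check for a WordPress tree.
// Names are illustrative assumptions; no WordPress functions are used.

// Walk a directory tree and return [relative path => sha256 hex], sorted.
function hash_tree(string $root): array
{
    $root   = rtrim($root, DIRECTORY_SEPARATOR);
    $hashes = [];
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[str_replace('\\', '/', $rel)] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare a fresh scan against the saved baseline.
function compare_to_baseline(array $baseline, array $current): array
{
    $added    = array_keys(array_diff_key($current, $baseline));
    $missing  = array_keys(array_diff_key($baseline, $current));
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if ($hash !== $baseline[$path]) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'missing' => $missing, 'modified' => $modified];
}

// Heuristic on top of the diff: executable PHP under uploads is never legitimate.
function suspicious_paths(array $paths): array
{
    return array_values(array_filter($paths, function (string $p): bool {
        return strpos($p, 'wp-content/uploads/') === 0
            && preg_match('/\.(php\d?|phtml|phar)$/i', $p) === 1;
    }));
}

// Demo on a constructed temporary tree.
$root = sys_get_temp_dir() . '/wp-demo-' . getmypid();
mkdir("$root/wp-content/uploads/2018", 0700, true);
file_put_contents("$root/index.php", "<?php // constructed sample file\n");
file_put_contents("$root/wp-content/uploads/2018/photo.jpg", 'constructed-jpeg-bytes');
$baseline = hash_tree($root); // store this (e.g. as JSON) while the site is clean

// Simulate what a scan after a compromise might find.
file_put_contents("$root/index.php", "<?php // changed\n");                  // modified
file_put_contents("$root/wp-content/uploads/2018/wp-cache.php", "<?php\n"); // added, PHP in uploads

$report = compare_to_baseline($baseline, hash_tree($root));
$report['suspicious'] = suspicious_paths($report['added']);
print_r($report);
```

Run it from cron and mail yourself the report whenever any of the lists is non-empty; a legitimate update will show as modified core files, while unexplained additions under uploads deserve immediate attention.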

I have seen it before where I was asked to recover a hacked site where the owner was unable to log in to WordPress and was seeing errors displayed on the front end that showed some files were missing and some corrupt (see sign No. 4).

There was no security plugin installed and this ended up being how the website owner discovered there was something awry. I was able to get in via FTP and upload the files that should have been part of a WordPress installation, as well as replace the corrupt files with correct versions, and it got me back into WordPress.

This can be helpful to allow me to investigate the situation and we can have some success here, but it never beats prevention and backups. The solution here was a complete new install of WordPress on a different server. The hacked site was on a shared server (usually cheaper hosting), and we needed to take back some control.

Ok, let’s jump out and explain how unsafe a Shared Server is. To do this I will compare it to a row of old terraced houses without firewalls between the houses to stop fire spreading from one attic to the next. Well, this absence would also allow a thief to move freely between houses, should he have access to any single one of the houses in the terrace.

Think about it, no matter how secure your doors and windows are, your house would only be as safe as the least safe house in the row. And you would have no control over how safe it was.

4. Inability to login to your site

If you have suddenly become unable to log in to WordPress, then either you are looking at a malfunction within WordPress that can be triggered by events such as incompatibility between plugins after an update, corrupt files, etc., or it could mean that a hacker has deleted your administrator account on your WordPress install.

If this happens you won’t be able to do a password reset, because the account you are trying to reset the password on no longer exists. You could create the user account again via CPanel and phpMyAdmin to let you back into WordPress, but it would only be a band-aid and not the full fix.

The full fix is to have the site completely cleaned or restored to a date prior to the attack.

5. Drastic drop in website traffic

Your WordPress site might have been hacked if the reports from your Google Analytics account show a sharp decline in traffic. Trojans, malware and redirect scripts can be used to divert your site’s traffic to websites renowned for spamming. Sometimes the reason these redirects go undetected is that they do not redirect logged-in users: you may be logged into the website when you are on it and not be redirected, even though your visitors will be.

You may also be experiencing a drastic decline in traffic because the Google Safe Browsing tool may be sending danger signals to your website visitors and scaring them away. Google identifies over 10,000 phishing and malware sites every day and you don’t want to be one of them.

This is the major reason why all bloggers and entrepreneur website owners should be proactive about their WordPress security. Use the Google Safe Browsing tool to check the safety report of your website.

6. Dodgy looking user accounts turning up out of the blue

If you see user accounts that you did not create and did not give permission for anyone else to create, and in particular if they are accounts with an administrator role, then you need to act immediately.

Sometimes a website that allows subscribers to register on the site can see lots of added accounts with subscriber rights. These subscriber-type accounts would not create the same cause for alarm, and the website owner just needs to tighten up on spam to stop this.

If you are seeing new unknown administrator accounts present, it’s a different story, and you have been hacked.
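Rather than waiting to notice a new administrator by chance, the check can be automated. The snippet below is an added example (not code from the original post or from any plugin) of a WordPress cron task that compares the current administrator logins against a list you approve and emails the site admin when an unknown one appears; the option name, hook name and function names are assumptions, and it relies on the real WordPress functions get_users, get_option, wp_mail, wp_next_scheduled and wp_schedule_event.

```php
<?php
// Added example: hourly audit of administrator accounts against an approved list.
// Drop into a small must-use plugin or functions.php. Names are illustrative.

const WPC_KNOWN_ADMINS_OPTION = 'wpc_known_admin_logins'; // assumed option name

// Pure comparison, kept separate so it can be tested without WordPress.
function wpc_unknown_admins(array $current_logins, array $approved_logins): array
{
    return array_values(array_diff($current_logins, $approved_logins));
}

function wpc_audit_admin_accounts(): void
{
    // With an array for 'fields', get_users() returns objects carrying just those columns.
    $admins = get_users([
        'role'   => 'administrator',
        'fields' => ['user_login', 'user_email', 'user_registered'],
    ]);
    $logins   = array_map(function ($u) { return $u->user_login; }, $admins);
    $approved = (array) get_option(WPC_KNOWN_ADMINS_OPTION, []);
    $unknown  = wpc_unknown_admins($logins, $approved);
    if ($unknown === []) {
        return;
    }

    $lines = [];
    foreach ($admins as $u) {
        if (in_array($u->user_login, $unknown, true)) {
            $lines[] = sprintf('%s <%s> registered %s', $u->user_login, $u->user_email, $u->user_registered);
        }
    }
    $subject = '[' . get_bloginfo('name') . '] Unknown administrator account(s) found';
    $body    = "Administrator accounts not on the approved list:\n\n" . implode("\n", $lines)
             . "\n\nIf you did not create these, treat the site as hacked: have it cleaned "
             . "or restored from a backup taken before the attack.";
    wp_mail(get_option('admin_email'), $subject, $body);
}

add_action('wpc_admin_audit', 'wpc_audit_admin_accounts');

// Schedule the audit once; WP-Cron fires it on the next front-end request after each hour.
add_action('init', function () {
    if (!wp_next_scheduled('wpc_admin_audit')) {
        wp_schedule_event(time(), 'hourly', 'wpc_admin_audit');
    }
});
```

Seed the approved list once from a clean state, for example with update_option('wpc_known_admin_logins', ['your_login']), and keep it short: every login on it is one you personally recognise.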

7. Emails are bouncing

If you find that your emails are not sending or people report to you that they cannot send you an email then this may be a sign that your website has been hacked.

The free mail server that comes with most web hosting can be very tempting, mainly because it is free, but we always advise against it. We recommend using Office 365 or Google Mail to send from your website domain name. Apart from the drawbacks of lesser functionality and no synchronization between devices using the same email account, we also warn site owners of the danger of their site being hacked and the web server being used to send spam emails, which can get their domain name blacklisted.

I remember a few years back I bought an extra IP address for a VPS (virtual private server) I was renting to host approximately 60 websites. A few days later a colleague told me that a domain name on my server was bouncing emails. When I ran a spam check for the new IP address I discovered it had been blacklisted.

I had actually inherited the problem. Whatever activity had caused the IP address to be blacklisted had occurred when someone else owned it. I immediately rang up the hosting company that I was hiring the VPS from and reported the situation. They apologized and moved all my web accounts to another VPS with a different IP address straight away. If you are blacklisted you can contact the spam listing services and explain, but it can take a while, and in the meantime every website on the blacklisted server is in the same boat.

8. Your website shows up in a search for undesirable keywords

You will definitely be the last to know about this one. Sometimes when we search for a website, we see in the results what are known as sitelinks below the main result, showing some of the other pages on our website as well as our homepage. This can be very good for brand reputation as it has us taking up more of the search result page than a typical single listing. This is fine when it is what we want visitors to see, but if the results have been hijacked it’s a whole different story.

And what’s even worse is that when we know about it and want to take corrective action, it can be a month or more before Google picks up on the changes, as their spider usually comes crawling our website about every 30 days to check for changes.

Would you have thought that a brand new WordPress website with only a few plugins would not have amassed too much overhead and would have a pretty good PageSpeed right out of the box? It’s probably a reasonable assumption on the face of it, but in reality it wasn’t the case. Well at least not for our website here at wpconsult.ie.

Let’s see what the results were when we put it to the test on gtmetrix.com when the site was less than a week old.


I have highlighted the main areas that will be of concern, such as the Performance scores from Google PageSpeed and Yahoo YSlow. We will just concentrate on the recommendations from PageSpeed and carry them out first. These recommendations will be similar to those of YSlow anyway, and we will see both numbers rise together as we make the improvements.

The Page Details numbers will fall with the improvement actions, and these improvement actions will be based upon the recommendations from PageSpeed. I have highlighted the first five in the screenshot as it lists them in order from lowest to highest grade. There are more below, but I’m sure you get the idea. Finally, another thing to note from the screenshot is that I have circled where it says “Looks like you might not be using a CDN”; however, we won’t look at that today as part of this case study.

If you are reading this post it is probably safe to say that you are aware that the page speed of your WordPress website is important, and these are the main reasons why.

  • A fast website will increase your conversion rate
  • Google will look on your site more favourably
  • A better customer experience and a lower visitor bounce rate
  • It reflects positively on your brand if your site loads faster

In this post I will point out and carry out the specific actions required to increase the speed of your WordPress website. There are some obvious places we could start, such as looking at your hosting or the plugins you are using, but here I will just follow the recommendations from the GTmetrix report.

I should also point out that you will need access to CPanel for some of these actions. You can contact your hosting provider for details on this, if they have not already given you access. In some cases depending on your hosting company, they may be willing to help you along. We host our sites on a Siteground cloud server and find it really good. Siteground in general are really helpful and just as important, they really know their stuff.

Enable gzip compression for your pages

The first recommendation is to enable gzip compression. Access to CPanel is required here, as you will need to edit the .htaccess file in File Manager in CPanel. This is usually located within the public_html folder; however, you may not be able to see it and may need to enable “show hidden files” in File Manager Settings. See the gallery of screenshots below for help with finding your .htaccess file.


gzip code to paste into your .htaccess file

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

Straight away after enabling gzip compression for our text, HTML, JavaScript, CSS and XML, we can see an improvement in Performance Scores and Total Page Size.

Ok, so now that we can clearly see that the first recommendation affected the speed of our website positively, let’s get on with making it even faster. I probably should say now that you shouldn’t really get obsessed with trying to reach 100% because it’s all relative to what your site’s functional role is and it’s not always possible. If it’s mainly an information site with just text and images then it’s likely you can achieve 100%, but if you have advanced plugins or advanced functionality then it might not be. However I do suggest that you strive for as close to the optimum as possible, whatever that may be for your site, but don’t get hung up on it.

Defer parsing of JavaScript

What we want to do here is to defer JavaScript from loading until after the page content has loaded. JavaScript loading at the same time as the page content slows down the delivery of the content, affecting page speed.

In our case we are using the WordPress theme Enfold, so I needed to insert the code below into the theme’s functions.php file. It adds the defer attribute to the script tags (apart from jQuery), so the browser fetches the scripts but does not run them until the page has been parsed, rather than executing all of the JavaScript at once while the content is still loading.

/**
 * Defer parsing of JavaScript.
 *
 * Goes in the active theme's functions.php (after the opening <?php tag).
 * WordPress prints enqueued scripts as <script src='...'> with single quotes,
 * so returning the URL followed by "' defer onload='" closes the src attribute
 * early and adds a defer attribute; the quote WordPress appends then closes
 * the empty onload attribute. Note that the clean_url filter runs on every
 * escaped URL on the front end, so only URLs containing ".js" are touched.
 * jQuery itself is left alone because inline scripts expect it immediately.
 */
if ( ! is_admin() ) {
    function defer_parsing_of_js( $url ) {
        // Only script URLs are of interest.
        if ( false === strpos( $url, '.js' ) ) {
            return $url;
        }
        // Never defer jQuery, or everything that depends on it breaks.
        if ( false !== strpos( $url, 'jquery.js' ) ) {
            return $url;
        }
        return "$url' defer onload='";
    }
    add_filter( 'clean_url', 'defer_parsing_of_js', 11, 1 );
}


Here is the score before deferring parsing of JavaScript.


After deferring parsing of JavaScript, we can see further improvements in the screenshot below, going from a score of 87% to 93%.


The importance and impact of your web hosting company on PageSpeed

Make your site faster with Siteground SuperCacher

We use Siteground and find it to be a terrific hosting platform with great support, and we highly recommend it. They have a fantastic caching plugin called the SG Optimizer plugin. It’s designed to link WordPress with the SiteGround Performance services, and does so very well. However, you should note that it will not work on any hosting provider other than Siteground.

Its main function is to purge your dynamic cache whenever your content updates, for example when you create a new post, someone comments on your articles, etc. In addition to that, if you have a working Memcached service on your server, the plugin will allow you to easily configure and enable WordPress to use it.

You need to switch on the service from your cPanel, and then switch on the service in the SuperCacher Config section of the SG Optimizer plugin. To learn more refer to the Siteground SuperCacher tutorial.

The plugin does more than just look after the caching issues on WordPress, but for this case study on PageSpeed we are only looking at the caching element of it.


Image Optimisation for WordPress

While it is always better to do your image optimisation outside of WordPress and before you upload your images, I do understand that software such as Photoshop is not available to everyone, as it can be costly if you are not getting enough use from it. There are other options such as GIMP, JPEGmini, TinyPNG etc. that can achieve great results, but again they may not be your chosen direction, and you may be looking for a plugin that can do this for you.

We used WP Smush in this case, but there are alternatives. Over on WPMU Dev you can find a comparison of 3 different image optimisation plugins that gives a pretty good overview.


Other things to consider

When using plugins to optimise your website for speed, it’s a good idea to start with a backup plugin (we didn’t need to because we have our own daily backups, and if anything went wrong we could roll back).

Keep testing your website as you go, because some newly installed plugins may not be compatible with previously installed plugins and could cause problems. For example, I was working on another website recently to optimise it and used the Fast Velocity Minify plugin, but when I tested the website I could see that it had interfered with the homepage slider, causing the images in the slider to load only on refresh, but not on initial load. So, I tried a different minifier plugin called Autoptimize and it worked for me without breaking the slider.

In general, only use plugins that are absolutely necessary, as they can add overhead and slow load times. An example here is that we are using a Live Chat plugin on WPConsult.ie, and the screenshots below show the effect it has on load time. We deactivated the plugin and then reactivated it to show you the difference with and without.

Before de-activating live chat plugin

After de-activating Live Chat plugin


Managing page speed will be an ongoing challenge for website owners, particularly on a website that is regularly updated with images, content, new products, extra functionality requirements via new plugins etc., and it is important to keep a handle on it by checking it with the various tools available, such as https://developers.google.com/speed/pagespeed/insights/, https://gtmetrix.com/ and https://tools.pingdom.com/