Wordpress - build your own website - howto, tips & links - beginners to advanced

[Chris Locke]

> I've never had this happen before

Wordpress has grown enormously in popularity, and therefore, the 'risk' of these sites has also exploded, as more and more people try and attack them. I've only got a noddy little site, but it gets hit constantly by people trying to either log in as 'admin' or weird passwords. Annoyingly, its more popular by hackers than legitimate users! *sigh*

It really is crucial to have daily backups of the site and database.

[driver8]

On standard shared hosting, without any security plugins, a new WP site (updated) will likely get hacked in a few days (I did read an article about this a while ago, but cos hacked WP is such a hot SEO topic, I can't find it now!)

I use WordFence, iThemes and Sucuri all together on my sites, and have done for several years, with no apparent problems.

[ascender]

So, Wordfence also found some modified files which were replaced, but I got a notification last night to say an admin user had logged in from The Netherlands. So there's still a backdoor there after running that and changing passwords. Sigh...

Not entirely sure what to do next to be honest.

[Chris Locke]

You have to ditch and restore. Its no different to getting a virus from downloading something. Installing 'antivirus software XYZ' may return 'no threats' but that is no guarantee you have no viruses - it just means it didn't detect anything.
Ensure all your remote passwords to the site are changed (and secure, and unique) then reinstall Wordpress with a unique admin user (so don't use the 'admin' user account - disable it) with full secure passwords/pass phrases.
'nuke from orbit ... its the only way', etc. Sorry, but the worst thing is they'll log in, change the wordpress passwords, so you'll get locked out of your own site.

[driver8]

Yes, the security plugins have 'hardening' options, but you could spend days messing around.

The first time I was majorly hacked was actually due to an old Drupal install that then infected WP. I spent 2 solid days cleaning up the server and databases, only to get re-infected within the week. I then paid Sucuri $100 to cleanup (it's much dearer now) which included 12 months protection. Money well-spent.

The second time I was infected was just a few months back due to a zero-day plugin exploit. Rather than wasting time, I actually switched my hosting to WPX who guarantee to fix any issues. It's early days for me, but so far the service (and site speed) have been excellent. After a day of researching all options, their services are less than half the price of their nearest competitor.

WPX Hosting - my affid (any proceeds will be donated to tdf).

Quote:

• Fastest WP CDN - 3x Your Site Speed, Free
• We move all your sites to us for free
• Malware removed for you - Hackings and malware gone fast & free
• We fix your technical issues for free, fast
• #1 on both G2 Crowd & Trustpilot!
• "WPX is the fastest WordPress host... with first-class support!"

[ascender]

That makes perfect sense...

In terms of losing customisations, I'm assuming my child theme directory is ok to restore as-is once I've done my fresh install of everything else?

Cheeky fvckers even deleted Wordfence.

[Chris Locke]

> I'm assuming my child theme directory is ok to restore as-is

I believe they're just .CSS files? If so, then yes, you should be fine. I wouldn't trust any .php files though. Again, going back to the 'infected on a PC' analogy, thats like saying, "I'll remove all the infected files, but I need Office and my Word documents, as I need them for work."
If your site has been compromised, then its probably safer (albeit overkill?) to assume everything has been 'infected' (.php files, obviously)

[JonLaidlow]

Contemplating a premium theme - normally i tweak the free ones with extra css and widgets. Where's a reliable source for good themes outside of wordpress itself? There are quite a few marketplaces but not really sure how to differentiate them.

[driver8]

Envato is the biggest theme store, with themes from $49-69. If price is important, some themes are offered at a launch discount ($29-39), even the big authors, and there are a couple of sales per year ... and one right now ! >> https://envato.com/birthdaysale/themes/

Most of the popular themes use a page-builder these days. They all have pros and cons, but you will likely get used to how it works, so best stick to the same one for any future themes.

[driver8]

Looking for a new host ? Been hearing good things about UK-based 20i, although not used them myself.
They offer a trial month for a £1, and free basic hosting with a domain registration.

>> https://www.20i.com/wordpress-hosting (non-affiliated link)

[driver8]

3 x premium themes, free for a week - perfect for experimenting to decide whether to make the jump from free -> paid.

'Faded' theme looks so-so (and the demo is broken), but the other 2 look quite good.

ENVATO themeforest: Free WordPress Themes

[Chris Locke]

Quite liked the look of 'Faded' - quite a nice simple layout. Ta for the heads up!

[driver8]

Quote:

Originally Posted by driver8

3 x premium themes, free for a week - perfect for experimenting to decide whether to make the jump from free -> paid.

And again this month - 3 different WP themes by established sellers, free for a week.

• Intrinsic - Creative Personal Portfolio WordPress Themes
• Paperio - Responsive and Multipurpose WordPress Blog Theme
• Structura - Minimal One Page Theme

[Dazzz]

SSL certificates: can anyone give me a quick dummies’ guide, what to buy and what to do with it?

I have a few Wordpress sites. All are information only, with no logins or information sharing, but I’d like to https them, to get rid of the “not secure” chrome message. So I think I just need a cheap one, with no bangs or whistles. Any tips?

[ljp]

Quote:

Originally Posted by Dazzz

SSL certificates: can anyone give me a quick dummies’ guide, what to buy and what to do with it?

I have a few Wordpress sites. All are information only, with no logins or information sharing, but I’d like to https them, to get rid of the “not secure” chrome message. So I think I just need a cheap one, with no bangs or whistles. Any tips?

The last few I have done for friends I have used Cloudflare! Free and pretty damn easy to do as well.

https://www.cloudflare.com/en-gb/ssl/

[Chris Locke]

The 'king' of free SSL certificates is Lets Encrypt.
https://letsencrypt.org/

[driver8]

Another Envato sale - now there really is no excuse to get that site done!

Themes - and - Plugins.

As usual, several of the really big sellers (if you want to play safe) plus plenty niche options too.

[driver8]

COVID-19: Free Awareness Icons

[driver8]

I set up a Health & Nutrition forum a few weeks ago that currently has me as the only active member!

If you have the time & inclination, please sign-up to assess the process and my site-building skills. Then you can decide if you want to post or not (for anything non-TDF).

Tips & suggestions welcomed.

[Chris Locke]

How pedantic are we allowed to be?
In the sub header you have "Discussing Food + Health" but in the middle, it says "forum for discussions about food & health". I know ... Mr Pedantic, but it should either be + or &.
The the 'about us' at the bottom, it has two "&"s which could be "and"s. I think it reads better if "and" is used instead of ampersands. But ... well, its only a cosmetic thing.
Is there no way to cancel the 'If you recently registered but did not receive the automated email...' banner? Especially if you're already signed in...