Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.2
But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.
Free yourself with passwordless sign-in
Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:
Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
Select Turn on.
Approve the notification from Authenticator.
Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.
Strengthen security with multifactor authentication
One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.
Make sure your password isn’t the weak link
Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.3 For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”
Some basics to remember—make sure your password is:
At least 12 characters long.
A combination of uppercase and lowercase letters, numbers, and symbols.
Not a word that can be found in a dictionary, or the name of a person, product, or organization.
Completely different from your previous passwords.
Changed immediately if you suspect it may have been compromised.
Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:
Only share personal information in real-time—in person or by phone. (Be careful on social media.)
Be skeptical of messages with links, especially those asking for personal information.
Be on guard against messages with attached files, even from people or organizations you trust.
Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
Ensure all the apps on your device are legitimate (only from your device’s official app store).
Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)
Passwordless authentication is becoming commonplace
As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.
In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:
Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.
These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Learn how to Defer Parsing of JavaScript to improve pagespeed score. And how you can fix ‘Eliminate render-blocking of JavaScript’ warning in Google PageSpeed Insights by deferring non-critical JavaScript(s). The newer version of Google PageSpeed Insight refers to this issue as ‘Eliminate render-blocking resources’; these render-blocking resources may include JavaScripts and CSS.
In this article, I will cover what is defer parsing of JavaScript, how to defer parsing of JavaScript properly, why you should defer parsing JavaScript, how to find render-blocking JavaScript(s) which are to be deferred, how to defer multiple JavaScripts in one go, how you can defer parsing of JavaScript in WordPress with or without plugin and how does deferred loading of JavaScript help to speed up your website?
How to Defer Parsing of JavaScript
In a nutshell, we’ll eliminate render-blocking JavaScript(s) not by actually removing (deleting) them from the website code but by defer loading them. So that they stop blocking the loading (rendering) of meaningful content (the first paint) of the website.
These terms (the above terminology) might be overwhelming for you at first, especially if you’re not a tech guy.
But, don’t worry about that!
I am going to explain everything step by step in simple words. So that you can proceed at your pace and implement the methods to fix ‘Eliminate render-blocking resources’ on your website/blog.
A web page is made of up several components which include HTML, CSS/Stylesheets, JavaScript, and graphical (images & icons) components etc. These components are stacked one over another in the code structure of the web page.
When a user types your website URL in the web browser’s address bar and hit enter. The browser first establishes the connection with the server on which your website is hosted.
Once the connection is established, the browser starts rendering the components of the webpage to display the web page.
The browser renders the components serially from the top towards the bottom of the webpage. That means what comes first rendered first and so on.
When the browser encounters JavaScript on a web page, it downloads the JavaScript, executes it, and then proceeds to render the next component. So during this time browser stop rendering the rest of the web page.
Every time the browser encounters JavaScript, it stops rendering the rest of the webpage until it renders and executes the encountered JavaScript.
That’s how JavaScript blocks the critical rendering path.
To avoid this situation, Google Engineers recommend deferring non-critical JavaScript.
The question still remains the same, What is Defer Parsing of JavaScript?
Defer Parsing of JavaScript can be defined as the process of using defer or async attribute with JavaScript to avoid render blocking of the first paint of a web page. These attributes tell the web browser to parse and execute the JavaScript in parallel (asynchronously) or after (defer) the parsing of HTML of a web page. Thus, the visitors need not wait longer to see the meaningful content of the web page.
Difference between defer or async
Now you know that there are two attributes – defer or async; that can be used to defer javascript loading.
Before we talk about the difference between defer and async, let’s see how does <script> tag works.
Legend
legend async vs defer attribute
<script>
script tag
When we use <script> tag to add script in our code, the HTML is keep parsing till the script file is reached, then onwards parsing will be paused until the script file is downloaded and executed.
Suitability: Not recommended in most cases.
<script defer>
script defer attribute
When defer attribute is appended with script tag, the script file is downloaded alongside the HTML parsing but the downloaded script executes only after the completion of HTML parsing.
Suitability: For non-critical script files.
<script async>
script async attribute
When async attributed is used with script tag, the script file downloads during HTML parsing, then HTML parsing pauses just to execute the downloaded-script file.
Suitability: For critical script files that cannot be inline.
Defer loading of JS & PageSpeed Insights recommendation
Let’s try to put this in a perspective with Google PageSpeed Insights warning and recommendation.
When you test, a website using Google Pagespeed Insights Tool, you get some warnings and recommendations to fix those warnings/errors.
Google PSI – Render blocking resources – JavaScripts to be deferred
The PageSpeed Insights (PSI) text for render-blocking resourcessays,
Eliminate render-blocking resources.
Resources are blocking the first paint of your page. Consider delivering critical JS/CSS inline and deferring all non-critical JS/styles.
This warning triggers for two different elements i.e. JavaScript (JS) and CSS when any of them block the critical rendering path 1 during the website loading. Here in this article, we are discussing the JavaScript part.
(In the previous version of PageSpeed Insights Tool, the same warning (for the JavaScript) used to be called ‘Eliminate render-blocking of JavaScript’.)
In simple words, this warning triggers when there are some JavaScript(s) loading on your website which blocks the loading of the content that matters most to your visitors.
This means your visitors have to wait longer to see the meaningful content of your website because JavaScript(s) are blocking the rendering of content.
Clearly, Pagespeed Insights or other site speed testing tools (GTMetrix, etc.) show this warning/error, if your site loads some JavaScript(s) that block the loading of meaningful content (the first paint) of your site.
And this needs to be fixed.
Critical vs Non-critical JavaScript: Explained
As Google PageSpeed Insights (PSI) recommendation says you should deliver critical JSinline and defer all non-critical JS.
What does this mean?
Let’s break that down by terminology.
Critical JavaScripts: JavaScripts that are necessary to load during optimized critical rendering.
Non-critical JavaScripts: Those JS that can wait to load until the first meaningful content (the first paint) of the webpage has loaded.
Inline Delivery: Inline delivery refers to loading a resource (in this case JS) within the HTML code instead of calling/importing that separately.
Curious? Why does JavaScript block the critical rendering path in the first place?
We’ll discuss that in the next section with other reasons why you should Defer JavaScript Parsing.
First of all, JavaScript(s) is one of the major culprits to make your website slow.
Wondering, why is that?
Because when the web browser comes across a script, it executes the script firstbefore continuing to load HTML that includes the content users are looking for.
For a browser, executingJavaScript is a heavier task (depending on the size of the script) and takes more time as compared to rendering the meaningful content (the first paint) of the webpage.
Hence JavaScript affects the critical rendering path and slows down pagespeed of your website.
Why not defer this heavier task of JS execution so that the critical rendering path remains uninterrupted, right?
Pagespeed: is now a Ranking Factor
Site speed has already become a ranking signal.
About a decade ago Google announced 2 in an official blog post on Google Webmaster Central Blog that site speed has become a ranking signal.
In another blog post published on the Official Webmaster Central Blog in 2018, they revealed 3 that Google started using page speed as a ranking factor in mobile search ranking.
Since Google had declared pagespeed a factor in search result rankings for desktop and mobile. Therefore, site speed optimization has become a significant aspect of technical SEO.
For the same reason, Google PageSpeed Insights Tool recommends deferred parsing of JavaScript as one of the solutions 4 to remove render-blocking JavaScript in above-the-fold content.
User Experience: decides Your Site’s Success
How does JavaScript affect user experience (UX)?
We have already discussed that JavaScript(s) slow down the pagespeed by blocking the rendering of first paint (the meaningful content). That led to more loading time and a longer wait for users to see the content; bad user experience, right.
Speed matters a lot, the truth is users do not like slow-loading websites. In fact, studies show that the users leave a slow loading site early and move on.
On the contrary, you want your website audience to engage with your site and eventually turn into a customer, subscriber, or ad-viewer. In order to make that happen, you need to improve your pagespeed by deferring non-critical JavaScript(s).
Reasons to Defer Loading of JavaScript: Summing it up
As I mentioned above, however, the parser (browser) starts downloading and executing the script over parsing the rest of HTML, whenever it encounters the script.
But the fact is, most of the JavaScript(s) come into use when the complete web page is loaded. For example, in some animation, effect, or functionality, etc.
Therefore, it is a good idea to load JavaScript(s) only after the content has loaded.
This way deferred loading of JavaScript does not affect the critical render path and consequently helps to speed up your website. And hence, a better user experience for your readers.
And by making your site load faster, you also improve your search ranking on desktop as well as mobile.
Do you know, good web hosting is a must for better pagespeed? If you are already using good web hosting? Awesome, let’s skip to defer parsing of JavaScript. Not sure? whether your hosting is as good as your website deserves, don’t worry. We recommend Cloudways and Kinsta Hosting for better sitespeed. Read our Kinsta Review.
Now, since you have an understanding of what is defer parsing of JavaScript and why you should defer loading of JavaScript(s).
It is a good time to figure outwhich JavaScript(s) (on your website) are the culprits and need to be deferred.
If you already know which JavaScript(s) on your website are blocking the critical rendering path, you may skip the following section and jump to the implementation part. Otherwise, keep on reading…
How to Find Render-blocking JavaScript(s)
JavaScript(s) which block the rendering of meaningful content are called ‘Render Blocking JavaScript(s)’ and need to be deferred.
You can find render-blocking JavaScript(s) by analyzing your website using site speed testing tools.
There are several pagespeed testing tools available to analyze a website for site speed and loading time. I am sharing with you the most reliable and trusted tools for pagespeed testing.
Test your site using these tools and note the results of these tools so that you can compare the results before and after implementing defer parsing of JavaScript(s).
1. PageSpeed Insights by Google
PageSpeed Insights by Google
Google PageSpeed Insights (PSI) is an exclusive pagespeed testing tool by Google. Test your website using Google PSI Tool to find out render-blocking JavaScript(s). PageSpeed Insights Tool results give information about warnings and their solutions/fixes.
2. GTmetrix
GTmetrix – Speed and Performance Test Tool
This one (GTmetrix) is another good free tool to test site speed. You can test your site with GTmetrix to know which JavaScripts need to be deferred.
3. Pingdom Tools
Pingdom Tools for Website Speed Test
Solarwinds’ Pingdom Tools are also very popular when it comes to site speed testing tools. You can test your site using Pingdom Tools to check the number of JS requests on your site and how much they contribute to the total number of requests.
Now you know which JavaScript(s) are making your site slow and need to be deferred. So, let’s see how to fix this issue by deferring non-critical JavaScript(JS).
Test Results: Before Defer Parsing of JavaScript
I have tested a website beforeimplementing defer parsing of JavaScript. Consider these a baseline and compare these results after deferred loading of JavaScripts.
Pagespeed Insights Result before Defer Parsing of JSGTmetrix Result before Defer Parsing of JS
How to Defer Parsing of JavaScript [Step by step]
You need to use the following code to defer parsing JavaScript. Insert this code in HTML file just before the </body> tag. Read the instructions given below to use this script.
< script type="text/javascript">
function parseJSAtOnload() {
var element = document.createElement("script");
element.src = "script_to_be_deferred.js";
document.body.appendChild(element);
}
if (window.addEventListener)
window.addEventListener("load", parseJSAtOnload, false);
else if (window.attachEvent)
window.attachEvent("onload", parseJSAtOnload);
else window.onload = parseJSAtOnload;
</script >
Instructions for Defer Parsing JavaScript using the script
Don’t forget to take a complete backup before making any changes in the code. If something went wrong, you can use that backup to go back.
Copy the code and paste it in HTML file just before the </body> tag (near the bottom of HTML file).
Replace script_to_be_deferred.js with the link of the JavaScript which is to be deferred. You can copy the link of JavaScript(s) (which Google PageSpeed tool suggests to defer) from Google PageSpeed Insights tool results for your website.
Save changes. And you are done.
Finally, test your website again to see the effect.
Code to Defer Multiple JavaScripts in One-go
If you want to defer multiple scripts in one go. You can use the same script with little modification. In the following code replace defer1.js, defer3.js, and defer3.js, etc. with the link of scripts that you want to defer.
< script type="text/javascript">
function parseJSAtOnload() {
var links = ["defer1.js", "defer2.js", "defer3.js"],
headElement = document.getElementsByTagName("head")[0],
linkElement, i;
for (i = 0; i < links.length; i++) {
linkElement = document.createElement("script");
linkElement.src = links[i];
headElement.appendChild(linkElement);
}
}
if (window.addEventListener)
window.addEventListener("load", parseJSAtOnload, false);
else if (window.attachEvent)
window.attachEvent("onload", parseJSAtOnload);
else window.onload = parseJSAtOnload;
</script >
How to Defer Parsing of JavaScript in WordPress
You can defer parsing of JavaScript in WordPress by following methods:
Using WordPress Plugins (with a plugin) – suitable for all plugin lovers.
Adding a Code Snippet to function.php file – suitable for those who are used to playing with code and editing files in WordPress. – without plugin method #1
Using the Script mentioned above – suitable for geeks who don’t want to use a plugin. – without plugin method #2
1. Defer Parsing of JavaScript using WordPress Plugin
There are several WordPress plugins available to defer parsing of JavaScript in WordPress, I am listing the best plugins that stand out in the crowd because of their performance and reliability.
Obviously, the process of installing and activating any of the following plugins remains the same.
If you’re not sure about the process of installing a WordPress plugin, you can refer this beginner’s guide to learn different methods of installing a plugin in WordPress.
#1.1 Async JavaScript Plugin
If you want a standalone plugin to defer parsing of JavaScript, Async JavaScript should be your pick.
This tiny plugin offers all necessary settings to tweak deferred loading of JS in WordPress.
HOW TO USE ASYNC JAVASCRIPT PLUGIN: SETTINGS & USAGE GUIDE
Steps to defer parsing of javascript in WordPress using a plugin:
Navigate to WordPress Dashboard > Plugins > Add New.
Search Async JavaScript Plugin in the plugin repository.
Go over WP Dashboard > Performance (W3 Total Cache Settings) > Minify.
Scroll down to JS minify settings. You will see settings like shown in the image below.
Check/select options as shown in the image below. Click Save all settings and you are done.
Test your site using pagespeed test to see the results.
Defer JavaScript – W3 Total Cache
#1.4 Defer Loading of JavaScript in LiteSpeed Cache Plugin
LiteSpeed Cache is an amazing optimization plugin for LiteSpeed server hosting. But the general features of this plugin can be utilized on any server like LiteSpeed, Apache, NGINX, etc.
Steps to defer parsing of javascript in LiteSpeed Cache plugin:
Go to Dashboard > Settings > Autoptimize > JS, CSS & HTML.
Under JavaScript Options enable Optimize JavaScript Code and,
Then enable Do not aggregate but defer option and save changes.
Now Empty Cache and test your site using speed test tool to see the result.
Defer Javascript Loading – Autoptimize
#1.8 WP Fastest Cache to Defer Parsing of JavaScript
You can eliminate render-blocking JavaScript resources using WP Fastest Cache plugin. But this feature is available with the premium version only.
2. Defer JavaScript Parsing in WordPress via functions.php file
Yes, you can defer parsing of JavaScript in WordPress by adding a code snippet to function.php file.
This is one of the methods that you can use to Defer Parsing of JavaScript in WordPress without using a plugin.
As I have mentioned above this method is suitable for people who are comfortable with code editing in WordPress.
You might be thinking, but why?
First of all, functions.php is an important theme file. That means you might end up breaking your site easily if anything went wrong with the editing of functions.php file.
Also, there are different versions of the code snippet on the web to fix defer parsing of JavaScript in WordPress via functions file. Unfortunately, not all the code snippets work fine.
So you should be careful while using a code snippet to defer loading of JavaScript.
How to Edit functions.php File Safely
I always recommend using a child theme in WordPress in order to avoid code editing mess.
Because while editing the code, even if you miss a single comma (,) semicolon (;) or any other symbol/syntax, your website will break completely or partially. And you have to make extra efforts to recover the site.
For any reason, if you don’t want to implement a child theme now, you can use this plugin to add code to functions.php file of your theme without editing the original file.
Step by step process to Defer Parsing JavaScript in WordPress via functions.php
Take a complete backup before making any changes to the code.
I assume that you’re using a child theme. If you’re not, first create and activate a child theme to any trouble because of theme file editing.
Go to your WordPress Dashboard > Appearance > Theme Editor
Select/open functions.php file (of child theme) from theme files.
Paste the code snippet given below at the end of functions.php file.
You can specify JS files to exclude from defer in the array (‘jquery.js’).
Finally, click Update File to save changes. That’s all.
The code snippet is to be pasted in functions.php file.
// Defer Parsing of JavaScript in WordPress via functions.php file
// Learn more at https://technumero.com/defer-parsing-of-javascript/
function defer_parsing_js($url) {
//Add the files to exclude from defer. Add jquery.js by default
$exclude_files = array('jquery.js');
//Bypass JS defer for logged in users
if (!is_user_logged_in()) {
if (false === strpos($url, '.js')) {
return $url;
}
foreach ($exclude_files as $file) {
if (strpos($url, $file)) {
return $url;
}
}
} else {
return $url;
}
return "$url' defer='defer";
}
add_filter('clean_url', 'defer_parsing_js', 11, 1);
The above code snippet is using defer attribute to defer parsing of JavaScripts. You can replace the defer attribute with async attribute to parse JavaScript asynchronously. You can read more about async attribute and other methods to fix render-blocking JavaScript.
3. Defer Parsing of JavaScript without WordPress Plugin – Script Method
The script method explained above can be used in WordPress to defer loading of javascript. In WordPress, the above-mentioned code can be placed in HTML file just before the </body> tag using hook content option.
Most of the popular WordPress themes come with hook content provision. If you are not using the hook content option or it is not available in your theme. Then, either you can use a WordPress plugin to add the script to WordPress footer before </body> tag or you can place the script in the footer file just before the </body> tag manually.
Steps to defer load javascript in WordPress without using a plugin:
Copy the code and paste that before the </body> tag (using a plugin or built-in theme hook) .
Now replace script_to_be_deferred.js with the JavaScript to be deferred.
Save changes and you’re done.
Clear the cache, if there is any.
Test your website again to see the result.
Test Results: After Defer Parsing of JavaScript
The following are the test results after defer loading of JavaScript.
PageSpeed Insights Result after fixing Defer Parsing of JavaScriptGTmetrix result after implementing Defer Parsing of JavaScript
Wrapping it up
Other than defer parsing of JavaScript, you can also use async attribute or inline JavaScript to remove render-blocking JavaScript. I have covered async attribute or inline JavaScript in another blog post, read that article here. In that article, I have also mentioned a few useful WordPress plugins to defer parsing JavaScript.
Although WordPress plugins are available to defer parsing of JavaScript. The above-explained script method is considered more appropriate by several experts and webmasters. But the people who use WordPress know that using a WordPress plugin is like bliss.
I hope this guide will help you to defer parsing of JavaScript. Let me know, which technique you use to defer parsing of JavaScript. If you are facing any problem implementing the above methods or have a question. Let me know via the comment section. I will be happy to answer.
Our lastest ShieldPRO 14.1 security plugin for WordPress brings a huge WordPress REST API integration along with some much-needed tweaks and enhancements.
Read on to discover everything we’ve included in your newest and favourite WordPress Securty Plugin.
Consider the work that’s involved with managing just 1 WordPress site and all its plugins, themes, updates, backups and, of course, security.
Now multiply that by the number of WordPress sites you run.
It’s a huge amount of work.
This is why we built iControlWP many years back and why we also integrated Shield Security into it to allow WordPress admins to manage their WordPress sites at scale, and also their WordPress security.
But not everyone wants to use iControlWP and that’s totally cool! But we still want to open up management of Shield to folk that need to scale their WordPress security.
This is where our new WordPress REST API integration comes in. It leverages the very thorough platform that the WordPress Core provides, letting us build a REST API that is powerful, secure and easy to maintain.
Many clients won’t have a need for our REST API directly, but you may use tools and services that could take advantage of if you asked them to.
This involved a major revamp of the UI and the tables that display the logs.
As you can imagine, these tables and data set can grow very large, particularly for busy websites.
Since we were loading a large dataset all at once, browsing these log tables became tedious and slow. For high traffic sites, it would unusable in some cases resulting in loading errors!
So we went back to our core implementation (again) and made the entire thing dynamic. Instead of loading all the records, we only load precisely what we need. This makes the initial loading near-instant.
The pagination will be a bit slower than what you’re used to – but this is because we’re loading just the log records you need, when you need them.
We’ve also adjusted the traffic log database table structure to help us speed all this along and provide more useful information right where you need it.
This is a major reworking and we hope you’ll love it!
#3 Run Shield As A “Must-Use” (MU) Plugin
If you’ve never heard of a must-use WordPress plugin, don’t worry, you’re not alone.
They’re installed in a different directory (/wp-content/mu-plugins/) instead of the default (/wp-content/plugins/).
So why would you want to switch Shield to be an MU plugin?
In much the same way as Shield offers the Security Admin module to protect against tampering, you could set Shield to be an MU plugin to prevent the plugin from being disabled accidentally, maliciously.
It’ll also ensure Shield executes before other plugins. While this won’t offer an advantage currently, we’ll soon adjust some Shield’s code to block malicious requests much earlier in the WordPress load.
What actually happens when you enable MU Mode?
The core of the Shield plugin will remain in the normal installation directory- /wp-content/plugins/.
Shield will then create a new file in the MU directory that loads the normal Shield plugin. When this happens you’ll see 2x Shield plugins installed on your site as shown below:
How can you disable Shield after enabling MU Mode?
Once MU mode is enabled, you can’t disable the normal Shield plugin from the WordPress dashboard. This is normal WordPress behviour.
However, you can simple revert the option within Shield’s settings to disable MU Mode, and then return the plugins screen and disable Shield like any other plugin.
The setting for MU Mode is found within the Security Admin module and doesn’t require a Security Admin PIN to be set.
Shield’s MU Mode plugin option
#4 Better Detection Of Incorrect Application Passwords
Until now Shield wasn’t correctly spotting when these application password login attempts were failing. We’ve added some new events and logging and we’ll even increase the offense counter for an IP address when the event is triggered.
We spotted these new events being triggered almost immediately after we put them live for testing.
#5 More Quick Access Data In Admin Bar
Some time ago we add a top menu to the WordPress admin bar to help indicate when Shield found some scan items that warrant further investigation.
The original WP Admin Bar addition by Shield Security
After prompting for some extra information by a client, we’ve made some new helpful additions to the menu (see image below).
Shield’s Additional WP Admin Bar Items
Each of these additions provide helpful links to the item in question, for example:
Recently Blocked IPs and Offenses link to the IP Analyse Tool for the specific IP in-question.
Recent Sessions links to the Shield Sessions table and the individual session item in the menu links to the profile of the given user.
On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.
Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022
After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.
Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.
SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.
When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.
During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.
It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.
The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.
</pre><pre>publicfunctionvalidate_2fa_login( $user) {// Bail if there is no valid user authentication.if( ! isset( $_POST['sg-user-id'] ) ) { // phpcs:ignorereturn;}$result= $this->check_authentication_code( wp_unslash( $_POST['sgc2facode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore// Check the result of the authtication.if( false === $result) {if( 0 == get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_configured', true ) ) { // phpcs:ignore// Arguments for initial 2fa setup.$args= array('template'=> '2fa-initial-setup-form.php','qr'=> get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_qr', true ), // phpcs:ignore'secret'=> get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_secret', true ), // phpcs:ignore'error'=> esc_html__( 'Invalid verification code!', 'sg-security'),'action'=> esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),);} else{// Arguments for 2fa login.$args= array('template'=> '2fa-login.php','error'=> esc_html__( 'Invalid verification code!', 'sg-security'),'action'=> esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),);}$this->load_form( wp_unslash( $_POST['sg-user-id'] ), $args); // phpcs:ignore}// Set the auth cookie.wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore</pre><pre>
The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users.
The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.
To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.
In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.
Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.
</pre><pre>publicfunctionvalidate_2fabc_login() {$result= $this->validate_backup_login( wp_unslash( $_POST['sgc2fabackupcode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore// Check the result of the authtication.if( false === $result) {$this->load_form(wp_unslash( $_POST['sg-user-id'] ), // phpcs:ignorearray('template'=> '2fa-login-backup-code.php','action'=> esc_url( add_query_arg( 'action', 'sgs2fabc', wp_login_url() ) ),'error'=> esc_html__( 'Invalid backup code!', 'sg-security'),));}// Set the auth cookie.wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore
Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.
Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.
While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.
Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.
An Important Security Reminder: Audit Your WordPress Site’s User Accounts
This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.
A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.
Timeline
March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy. March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch. March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality. March 16, 2022 – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it. April 6, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6. April 9, 2022 – Wordfence Free users receive the firewall rules.
Conclusion
In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.
We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.
Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.
Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component.
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.
We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.
We released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022. We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.
The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].
The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.
An attacker could control the serialized data via several methods:
If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.
Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.
Despite the lack of a POP chain and the complexity involved in exploitation, the potential consequences of a successful attack are so severe that object injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past if you’d like to find out more about how they work.
Timeline
April 18, 2022 – We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method. April 19, 2022 – We send the full disclosure to the plugin developer. April 21, 2022 – A patched version of the Booking Calendar plugin, 9.1.1, is released. May 18, 2022 – The firewall rule becomes available to free Wordfence users.
Conclusion
In today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
The WordPress block directory is a new way that WordPress users can discover, install and test third-party WordPress blocks from within the WordPress block editor. Introduced in WordPress 5.5, the WordPress Block Directory makes it easier to find the WordPress block that best fits your needs.
If you haven’t yet heard of the WordPress block directory, you’re not alone. In this guide, we’ll cover everything you need to know about the new block directory. We’ll also explain how to start using the Block Director to streamline your content workflow.In this Guide
The WordPress Block Directory is a category of free WordPress plugins that provide third-party WordPress blocks for use within the WordPress block editor.
The new WordPress block directory is built right into the block editor, so you can install new block types to your site without ever leaving the editor. The block directory is designed to make it easier for users to search and install WordPress blocks directly from the block editor, so you can quickly add the type of block you need into your content.
To search the WordPress block directory, use the “+” icon on the top left of the page to use the new block inserter and search for available blocks.
Here are a few important things to note about the WordPress block directory:
The block directory search functionality is only available to WordPress user roles who have the permission to add or install plugins.
If you add a third-party block from the block directory, the corresponding WordPress plugin will be installed on your site. So if you see a new plugin installed on your website, and you don’t remember installing it, check to see if the plugin is a WordPress block plugin.
The WordPres block directory pulls in both built-in default WordPress blocks and third-party WordPress block plugins so you can install them directly from your page/post editor.
Search results of third-party block plugins depend a few requirements that developers must meet (covered in more detail later in this article).
History of the WordPress Block Directory
The WordPress block directory is the result of WordPress core discussions about how block plugins need to be distinguished from other free plugins available on the WordPress.org plugin directory.
The WordPress block directory endeavor was a cross-team development effort that involved major updates on:
The WordPress plugin update processes
The WordPress plugin repository
Integration into the WordPress block editor’s Inserter
The 8.4 version of the featured Gutenberg WordPress plugin was when the block directory was merged into the WordPress core; on August 11, 2020 in WordPress 5.5.
The Purpose of WordPress Block Directory
A new WordPress block directory is included in the main WordPress.org plugin directory, so you’re either browsing regular WordPress plugins or single block-enabled plugins.
The block directory is designed to help distinguish block plugins, which are javascript-only and register only WordPress blocks, versus traditional WordPress plugins that have more functionality.
What Are WordPress Blocks?
WordPress blocks are page elements that you can use from within the WordPress block editor to help organize and design the content of your blog posts and pages. From images to quotes to lists and media embeds, there’s a WordPress block for just about everything.
Built-in Default WordPress Blocks
WordPress comes with a library of built-in default blocks. Here’s a table of some of the most frequently-used blocks. This table includes some of the default WordPress blocks included with WordPress in the new block editor.
WordPress block
Description
Audio
Embed a simple audio player.
Buttons
Drive conversions with beautiful buttons.
Categories
Display a list of all categories.
Classic
Use the classic WordPress editor
Code
Display code snippets that respect your spacing and tabs.
Columns
Add a block that displays content in multiple columns, then add whatever content blocks you’d like.
Cover
Add an image or video with a text overlay – great for headers.
Embed
Embed videos, images, tweets, audio, and other content from external sources.
File
Add a link to a downloadable file.
Gallery
Display multiple images in a rich gallery.
Heading
Introduce new sections and organize content to help visitors (and search engines) understand the structure of your content.
Image
Insert an image to make a visual statement.
Latest post
Display a list of your most recent posts.
List
Create a bulleted or numbered list.
Paragraph
The building block of all narrative.
Pull quote
Give special visual interest to a quote from your text.
Quote
Give quoted text visual emphasis.
More
Adds a “Read more” element
Separator
Create a break between ideas or sections with a horizontal separator.
Add white space between blocks and customize height.
When you login to your Admin dashboard (assuming that you’re using WordPress 5.0 or higher) and click to write a new post, immediately you’ll notice a panel for content editing that’s based on blocks.
Previously, this section of your post editor was one big content field that contained standard text formatting controls.
When comparing the old version of the editor to the new block-based version, this was a major upgrade for users.
The overall editing experience within the new version is a lot more streamlined and free of distractions. It gives you clear visibility to your main “canvas” without other elements that were mostly unneeded.
WordPress Block Library Plugins
In addition to the built-in WordPress blocks, other plugins like Kadence Blocks add even more blocks to the WordPress block library. The Kadence Blocks plugin adds even more power to the block editor, adding page builder features.https://wordpress.org/plugins/kadence-blocks/embed/#?secret=Q4GmBAmiJd#?secret=hdsqudoOKw
For example, Kadence Blocks custom blocks include:
Row Layout – Create rows with nested blocks either in columns or as a container. Give style to your rows with a background, overlay, padding, etc.
Advanced Gallery – Create stunning photo galleries, carousels, and sliders! Enable custom links, captions, and more. Plus you can select the image size for performance.
Form – Our powerful form block allows you to easily create a contact or marketing form and style it within the block editor.
Advanced Text – Create a heading or paragraph and define sizes for desktop, tablet and mobile along with font family, colors, etc.
Advanced Button – Create an advanced button or a row of buttons. Style each one, including hover controls. Plus you can use an icon and display them side-by-side.
Tabs – Create custom vertical or horizontal tabs with advanced styling controls. Each tab content is an empty canvas able to contain any other blocks.
Accordion – Create beautiful accordions! Each pane is able to contain any other block, customize title styles, content background, and borders.
Testimonials – Create confidence in your brand or product by showing off beautiful and unique testimonials. Display add as a carousel or a grid.
Icon – Choose from over 1500+ SVG icons to add into your page and style the size, colors, background, border, etc. You can also add multiple icons side-by-side.
Spacer / Divider – Easily create a divider and determine the space around it or just create some space in your content. You can even define the height per screen size.
Info Box – Create a box containing an icon or image and, optionally, a title, description, and learn more text. Style static and hover separately.
Icon List – Add beautiful icons to your lists and make them more engaging and attract viewers’ attention. Over 1500 icons to choose from and unlimited styles.
Countdown – Increase your conversions by adding a sense of urgency to your offering. Pro includes evergreen campaigns as well.
Posts – Display a clean grid of posts anywhere on your site, great for your homepage where you want to tease your blog.
Table of Contents – Allow your readers to navigate your content easily with a table of contents block. Includes smooth scroll to anchor.
Lottie Animation – You can import lottie animations into your site. You can choose how the animation plays and control animation speeds, loops, etc.
Count Up – An animated count up or down to a certain value. Great for displaying stats.
Google Maps – Embed a Google Map on your site.
Advanced Image – An image block with greater controls and advanced features.
What is a WordPress Block Plugin?
AWordPress block pluginis a relatively small, simple WordPress plugin that provides a single WordPress block. The plugin is the block, essentially.
The WordPress block directory helps organize third-party block plugins in a category separate from traditional WordPress plugins so they are easier to search and install.
For example, the Donation Form Block for Stripe by GiveWP adds a Stripe-powered donation form to your website in a few seconds with a single WordPress block. Once installed, the block is easily inserted into your WordPress website and is designed to be easily customized to fit your needs.
What are Block-Enabled Plugins?
In a nutshell, block-enabled plugins are “traditional” WordPress plugins that include blocks you can use within the block editor. The WordPress plugin directory has also started distinguishing “Block-enabled plugins” to highlight plugins that utilize block functionality.
As you start working on new content for your site, whether it’s a new page or a blog post, you’ll notice that every content piece you include (such as an image or a paragraph of text) is converted into its own block.
You can basically think of a block like a wrapper that’s placed around each piece of content that you include on your post or page. But the block system doesn’t change anything about the content pieces individually, or how they appear on your website. An image is still an image and doesn’t appear any different to the end-user.
You’ll find that creating content with blocks is highly intuitive. When you start creating a new page or post, WordPress invites you to choose your block type or begin writing text.
When you complete a paragraph of text, hit enter and WordPress automatically transitions you to a new block.
When you want to add a different block besides a text paragraph, simply click the “+” icon, located within the block editor in the upper-left corner.
Each block type available for you to choose from is highly customizable in many ways. With a little time and experimentation, you’ll be able to make any block look exactly how you envisioned.
Benefits of the Block Editor
The introduction of the block-based editor has brought a number of benefits to WordPress content creators.
First, you can much more easily rearrange your blocks within each page than the previous editor allowed you to do. Every block has individual controls that allow you to move the block up or down one spot. You can also use the drag and drop function to move blocks around manually.
In previous WordPress editors, moving content around was a pain. First, you had to cut and paste content into the areas that you wanted to put them. Often, doing this caused a lot of formatting issues; although more so with some text editors than others. At times, users would lose entire content sections prior to moving them because they accidentally copied over it in their clipboard.
These aren’t issues that you’ll experience with blocks, and they’re a lot more maneuverable as well.
How Do I Use the WordPress Block Directory?
Now that we’ve discussed what WordPress Blocks are, let’s look into the new WordPress block directory.
The idea behind the block directory is not that complicated. But it’s highly useful for developers and site designers once they understand how to properly utilize the tool.
When a WordPress user wants to use a block that’s not available in the default WordPress blocks available locally in their editor, they can head to the search field of the Inserter and type in a keyword, such as “menu” or “team.”
Behind the scenes, the intuitive system first runs a search on the user’s local site. If it’s unable to find the specific block that’s being searched for, it starts searching the block directory: A designated part of the overall WordPress plugin repository that houses single block plugins.
When the system finds blocks that match the current search term, those blocks are displayed within the Inserter, with a preview section available for the user to review.
At this point, the designer decides which block they want to utilize, then clicks on the “Add Block” button. This causes a single-block plugin to be installed and activated, while the designer continues creating the post or page.
If the first block selection wasn’t the best choice, a user can then go back and search for a different block that can also be installed. This allows users a quick and easy way to test different block elements in their designs.
Keep in mind that the block directory can only be accessed by content creators that have full site rights and privileges to install and activate WordPress plugins.
Searching for WordPress Blocks
The search function works really well. The only problem is the current lack of plugins in the repository. It’s important to remember that the block directory is still very new and it’s overall functionality isn’t finalized.
Designers Steven Dufresne and Enrique Sanchez (along with others) have been actively exploring different considerations and variations of the flow for searching, selecting and installing block plugins within the editor.
For example, what happens when a user runs a search and a block plugin shows up in the Inserter that the user already has installed in their editor? Should it display “Disable Block” for that particular search result?
What if the search result displays a block plugin that the user has installed but deactivated? Should it display “Activate Block” for this result?
As you can see, there are many questions that remain up in the air regarding block searches and how they’re delivered.
The discussion is onoging with the designers and developers.
For the WordPress block directory to work, there are several factors that need to perfectly align.
First, the Directory has to have a unique section that’s designated only for single-block plugins to populate the search. There are many plugins that have two or more blocks that cannot be allowed to show in the block directory search feed.
After this, the Directory search feature must return its results within a format that can be displayed in the Inserter.
The block editor then has to run a process that searches the WordPress Plugin directory by way of REST-API. Then, the Inserter requires a method that will allow it to install and activate site plugins.
To do this, it must be able to consider the current user’s site privileges. Only site administrators have the ability to install and activate plugins.
For a plugin author to have their plugin be a part of the block directory, they have to provide a block.json file and an image to be displayed in the search results. It’s also important for plugin authors to remember that users will need additional information about the plugin, in the preview area, before they decide to download it.
In most cases, a user will want to see a plugin’s:
User ratings
Author information
Date of last plugin update
This helps push forward the decision-making process for users trying to decide which blocks to use on their site. After all, a lot of people don’t decide on things based only on how they look. They want to know what’s under the hood as well.
For the block editor, it would be a good idea (although an extremely difficult proposition that will no doubt require a lot of tweaking down the road) to automatically monitor the discarded plugins and make sure that unused blocks are uninstalled from the site after saving the post.
It’s also important to avoid the potential of a “block graveyard” within the site. With an updated Block Manager, this problem should be solved. It was talked about last year by Mel Choyce-Dawn as a part of the initial block directory designs. But it wasn’t a part of the initial release.
WordPress Single Block Plugins List
If you head over to the WordPress plugin repository, you’ll be able to browse WordPress block-enabled plugins that will feed your search results within the WordPress block editor.
At the time of this writing, there are only six pages of results available to browse. And in reality, only about half of those showing in the plugin repository search are actually going to be visible within the block editor via the Inserter.
With a quick spot check, it seems like a lot of them are completely missing the required block.json files. In those cases, the plugins will not be visible in the WordPress block editor search results, but you will see them in the WordPress plugin repository.
This seems to be improving within the last month, however, as final requirements have been more thoroughly documented and key guidelines published. A lot more of the plugin authors are starting to update their plugins to make sure they’re 100% searchable within the block editor.
Some examples of current, fully tested single-block plugins on the block directory include the Donation Form Block for Stripe by GiveWP.
How To Install a New WordPress Block
The block installation process should be seamless and intuitive for the user. At least it should be in theory.
Basically, all a user needs to do is to click on the “Add Block” button without ever exiting the block editor. The desired new block then immediately becomes available.
You’ll probably find out that in some cases you’ll get an error message that will ask you to try the installation again. But before you do, make sure to check and see if the plugin actually was installed and the block available for use.
In many cases, it seems like the error message is, in and of itself, an error and the block is ready to go. As time moves on, more of these minor bugs will be worked out and this useful new feature called the WordPress block directory will be running smoothly.
Block Directory Plugin Author Guidelines
Near the end of 2019, the Meta Team Lead Alex Sheils published an initial draft of WordPress block plugin guidelines for those who want to have a plugin added to the block Directory. It has since been updated with more detailed requirements as of just a few months ago.
To sum up the key points, plugins on the block Directory must have these specific characteristics:
Contain only one single block
Not have UI outside of the post editor
Have a minimum amount of server-side code
Must be structured according to certain specs and include a readme.txt file
Some additional rules that governed the first release of the block directory have been met with some controversy by plugin authors, due to how strict the rules were. However, the restrictions on the Directory weren’t intended on stifling plugin creators.
The goal is to keep the types of blocks that return into the block editor restricted to a specific protocol and type.
That was especially important on the initial release, where it wasn’t a case where more results would be better. The results needed to be very specific within the Inserter.
Knowing that, these additional rules apply to all plugin authors that want to get their plugin on the WordPress block directory:
Block plugins are created to use in the Block Editor
Block plugins must be separate blocks
The title of the plugin must reflect the title of the block
The plugin has to include a specific block.json file
The plugin author cannot charge a fee or require payment for funcationality. Paid accounts also are not allowed
The plugin should be able to function independently
It cannot, in any way, promote other plugins, themes or blocks
Think about the block directory sort of like an immature plant that you’ve just put into the ground. You know that you need to watch it and protect it so that it’ll grow into a bigger and better version of itself.
The block directory is no different.
As the design and development team continues to watch, listen and problem-solve, the Directory will begin to evolve into a place where plugin authors and users find a lot of value.
If you’re a plugin author and your plugin doesn’t yet meet the requirements to be on the block directory, keep in mind that it’s still welcomed on the normal WordPress plugins directory.
The Future of the WordPress Block Directory and Block-Enabled Plugins
The block directory has the potential to really extend the design functionality of the WordPress platform. It gives content creators a quick and streamlined way to extend their content creation capabilities with fingertip access to dozens of useful single blocks.
Even with the continuously moving parts, the first release of the block directory is a major milestone that should be celebrated by content creators and plugin authors alike.
Those of you reading this around the time of its publishing are on the cutting edge of the block directory and what it’s going to become. Now is a great time for you to consider some additional WordPress training that will show you other areas of WordPress, like the block directory, that you haven’t yet discovered.
As you continue to grow through the learning curve while turning your site into the success that you envision, remember that mistakes can (and will) happen. That’s why it’s so important to have a WordPress backup plugin and WordPress security plugin protecting your site at all times.
With everything in place, your website can continue to grow and evolve just like the WordPress block directory.
Adesigner friend discovered a new website creation tool. It claimed to be super-easy to use. Just drag and drop. See results right away. No coding. What’s not to like about that?
She built her new website and worked hard to make the site exactly as she wanted. Then she launched it.
That’s when the makers of the website creation tool proudly announced version 2.0. All new, from the ground up. Even better. More features. Easier to use.
Just one hitch. A minor one. Hardly worth mentioning: There was no way to migrate a website built in the old version. That was bad. What made it really bad was that version 1 would shut down in a few months.
My friend’s new website suddenly had the lifespan of a mayfly. Pretty, but destined to disappear.Let’s face it, it’s quite a task to build a website — one that works well for you, is aligned with your business, and effectively connects with your ideal audience. Doing all that well takes time and effort. So, of course, we count on our new website serving us well for a long time to come.Let’s face it, it’s quite a task to build a website — one that works well for you, is aligned with your business, and effectively connects with your ideal audience. Doing all that well takes time and effort. So, of course, we count on our new website serving us well for a long time to come.
If you’ve had your website for several years, you now have lots of content created over that long time. It definitely would be disastrous to one fine day find out what powers the website has been end-of-lifed.
So how can we avoid ending up like my friend, with a new, but dead-on-arrival, website? Or with an existing website that can no longer be updated?
The 2 Key Components of Future-Proofing
It starts before we build anything on a new website and involves 2 key components:
Adopting a future-proofing mindset
Future-proofing the technology
It’s tempting to view future-proofing a website as a done-and-forget it action. Because it’s an ongoing process. As much mindset as technology.
First, let’s look at developing a future-proofing mindset. Then it will be easier to consider the tech impact of future-proofing.
1. Adopting a Future-Proofing Mindset
Web technology is constantly changing, as are best practices and security concerns.
If we don’t understand (and accept that), at some point any new website will be outdated. Obsolete. Probably sooner rather than later.
WordPress introduced a new blog post editor in 2018. A major upgrade that changed how we approached writing and posting new content.
Many website owners were upset. They didn’t want to change how they edited post content. Not that they liked the old editor. But they had found ways to work with it. It was familiar. They might even use plugins to improve the editing experience.
Now here was something new. A major change that upset existing workflows. It didn’t help that the first iteration still lacked some refinement.
Others, like me, switched to the new block editor early and found that it truly speeded up posting. Plus it really was easier to work with.
In this change WordPress gave us a choice: Adopt early or later, either is okay. They even told us we had several years before they’d shut down the old editor. The only choice that is not okay, is to never adopt.
Being aware of new developments and recognizing when they affect our WordPress websites
Years ago we designed websites for computer screens. The biggest arguments were about what size computer screen. Designers fretted about pixel-perfect alignment.
Those few people who insisted on visiting websites from their mobile phones were content with dumbed-down mobile versions of websites. But most website owners didn’t worry about mobile browsing.
Today 2/3 of all web browsing is from mobile devices. Google now bases their SEO ranking on how a website shows up on mobile devices. It’s no longer okay to have a dumbed-down website for mobile visitors. Or to ignore them by having a desktop-only website.
Yet I still regularly see websites that are desktop-only. Clearly some website owners haven’t gotten the message. They persist with websites that are not future-proofed. Gradually slipping into oblivion.A future-proofing mindset means paying attention to changes in the online world and recognizing when it’s the right time to adapt and adopt. Often when we do, we find that the new way is clearly better and we really would never want to go back to the old ways.A future-proofing mindset means paying attention to changes in the online world and recognizing when it’s the right time to adapt and adopt. Often when we do, we find that the new way is clearly better and we really would never want to go back to the old ways.
What we don’t want to happen is to one day find out that functionality we relied on has been obsoleted, turned off and now my website doesn’t work anymore. Which of course hurts the business relying on that website bringing in customers.
Fortunately, when a change is announced, there is often a planned a transition time until full implementation. We have time to learn how to master the new approach. We may even be able to approach a major change with a hybrid approach, combining the best of 2 worlds and takes some pressure off today while ensuring that we’ll be ready for the future.
Tips for developing a future-proofing mindset
Become friends with your website — it’s an integral part of your business.
Stay up-to-date with WordPress developments on the official Make WordPress blog.
Be curious and explore how changes in the online world can help your business grow.
Be open to change.
2. Future-Proofing the Technology of WordPress
Choose wisely, we must
It might be tempting to go for that brand-new website builder that has every bell-and-whistle imaginable. But will it be around for years to come?
WordPress has been with us for since 2003! All that time, updates and new versions have been released regularly.
However, WordPress is just one part of the puzzle. There are three main components we’ll need to consider:
Theme — controls what the website looks like and much of the functionality
Page Builder — makes design, layout and editing easier
Plugins — add specific functionalities and integrations
Together these components form the technical base of a website and must be regularly updated to ensure full functionality and keep the website safe and secure.
Let’s look how to future-proof each component of WordPress.
WordPress Core
WordPress started as a blogging solution. Then folks like me concluded that managing content for the entire website in a database would make life easier. It wasn’t long before WordPress grew into a great tool for powering entire websites.
If you could look at the very first version of WordPress core next to the current one, they would seem a world apart. Yet there has never once been a time when a new version was incompatible with older sites.
For example, in 2018 when WordPress released a new editing experience (block editor) for posts, they outlined a roadmap for several years, so we could all see where development was going. Nobody was being left behind. Yes, some features (like the old editor) will eventually be turned off, but there is ample time to upgrade.
For instance, once I started using the new block editor for my blogs, old posts just showed up in a classic block. For site visitors, nothing changed.
I can leave those classic block posts as is. Or turn them into blocks and get all the benefits of the new editor with one click.
That’s future-proofing at work.
In Spring 2022, WordPress took the next step by releasing full site editing. You can now use blocks to add and edit content anywhere on the website and do much layout and design that formerly could only happen through hands-on coding or in a page builder. Again, it’s your choice to start using this new feature right now or take some time to learn more about it.
This gradual roll-out of features and backward compatibility builds confidence that WordPress will continue to be a great website platform for years to come.
Tips for Future-Proofing WordPress Core
Stay up-to-date with WordPress developments on the official Make WordPress blog.
Be aware of the changes included in each new version of WordPress.
Embrace the block editor.
Themes
Once upon a time there were themes for just about every kind of site that could be imagined. They came with pre-made layouts and places to drop in content. You wanted to change the look of the website, you got a new theme.
Since the theme is at the heart of a website (2nd only to WordPress), we have to select carefully. If you switch to another theme, the entire design and layout of your website will go away. Yes, the content is still there, but you’ll have lots of work in the new theme to get things to show up where you want them to.
Fortunately, the days of those specialized, fill-in-the-blanks themes are gone. Today, a future-proof theme is really a framework that lets you create the site you want.
In 2021, I switched to using the Kadence Theme for all my website development work. It’s very lightweight and extremely customizable. You can start with a blank canvas. Or choose from a library of starter sites. Except you’re not limited to an entire starter site. Like one page? Pick that. How about just a row or an element of a starter design? Copy it to your own site and insert your content.
The result is a site that’s truly yours.
Kadence is built for block editing and comes with a library of blocks, letting you easily create even complex layouts. And customize them to your heart’s content.
In many ways, Kadence gave us full site editing with blocks before WordPress officially turned on the feature.
In fact, Kadence does a lot of things with blocks that I used to need a page builder for. That’s of course the ultimate promise of full site editing: Everything done with blocks and no need for page builders.
At the same time Kadence plays nice with page builders. Which means I can choose on a page by page basis to create with Kadence blocks or use a page builder. I have even built pages where part of the layout comes from a page builder and part from Kadence blocks or elements. Everything seamless to the website visitor.
Kadence is fairly new on the market, but is aggressively developed and I expect it to be around for a long time to come.
Tips for Future-Proofing Themes
Make sure your theme is being actively developed alongside the latest developments in WordPress core
Select/switch to a theme that is specifically ready for full site editing and block editing
Page Builders
Page builders have been with us for quite a while. They help us customize page design and layout without having to write code. Plus you can see the layout and design you’re creating as you go.
However, the future of WordPress is now full site editing, where you use blocks to build not just posts, but for content everywhere on the site. That means eventually, page builders won’t be needed.
How soon that day comes varies for each of us. There’s definitely a learning curve for full site editing. Because full site editing is new, it’s still rough around the edges. Controls can be confusing or lacking (meaning I’d have to add custom styling [CSS] or code to get the look I want).
For those reasons, the safe approach for now (in 2022) is to still use a page builder. Because we’re used to how they work.
It is, however, important to select the right page builder.
Some page builders are shortcode-based. Meaning if you were to turn off the page builder, there would be no content on the page. Just some shortcodes. Actual content is hidden inside the database and will stay there, unless you are a database geek and know how to extract it.
A better choice is a page builder that places actual content on the page, along with code needed for styling/layout. If you remove the page builder, everything is still on the page. While it won’t display as when the page builder was active, you can access the content and work with it.
All page builders add code to the website, increasing load time. But some page builders add a lot more code than others.
For future-proofing, select a page builder that is lightweight and that doesn’t rely on shortcodes for everything. Then content is still accessible if you were to remove the page builder one day. Or if that page builder were to become defunct.
Note that there is no direct migration path from page builder formatted content to full site editing. Or from one page builder to another page builder. But at least the content is still on the page.
My choice is BeaverBuilder. It adds less weight than many competitors and it doesn’t rely on shortcodes.
BeaverBuilder can also be used on a page by page basis. Meaning you only use it for pages where you need it. A website I recently built has 49 pages and about half use BeaverBuilder, while the others don’t (block editing). As a rule, I also don’t use the page builder at all for blog posts. Because block editing lets me handle content there with much less added code weight.
Tips for Future-Proofing Page Builders
Select a page builder that is light weight and that doesn’t rely on shortcodes for content placement. Then content is still accessible if the page builder is removed or becomes defunct.
To further future-proof your website, start now to learn how to build pages using blocks instead of a page builder. Remember, it’s a page-by-page choice.
Plugins
WordPress websites rely on plugins for a wide range of different purposes. Security, backup, adding specific functionalities, integrations with other services. Even page builders are plugins. And extended features of your theme could come in plugin form.
Plugins may be the hardest area to future-proof. Why? Because many plugin developers don’t publish roadmaps. And sometimes even plugins that have been around for a long time suddenly go away.
Fortunately, there are usually several options for plugins to provide a particular functionality. So we can switch to using an alternative.
Tips for Future-Proofing Plugins
On your website, make certain to update plugins regularly and remove any unused ones.
From time to time also review the plugins on your site and make sure you really still need them. Don’t let a plugin hang around just because it’s always been there.
Invest in premium plugins with active development and support.
Ready for the Future?
WordPress is a great platform to build your website on. One that has been with us for years and will be there for the long haul.
With a future-proofing mindset and care in selecting the tech, a WordPress website built today will still work next year or five years from now. Because there is a real path forward.
I have a couple websites originally built with WordPress in 2010. Everything about them has been updated multiple times. Today they run the latest version of WordPress. There was never a time that WordPress came out with a new version that didn’t include a way to upgrade older websites. Even when block editing came along, it didn’t mess anything up.
That’s how flexible and future-ready WordPress is. When applying best practices and keeping a future-focused mindset, we can rest assured that today’s website will be around for tomorrow and beyond.
No matter how big or small your WordPress site, unwanted WordPress spam in comments sections, site registrations and contact form messages are issues that you’ll need to address.
Left unchecked, WordPress spam comments and spam user registration issues can quickly take over your site with intrusive content that detracts from the message your site is intended to portray.
In this guide, we’ll take you step-by-step through the process of stopping WordPress comment spam. You’ll also learn the best ways to prevent spam registration WordPress messages, end spam user registration efforts, stop WordPress contact form spam, and a lot more. Let’s take a closer look.In This Guide:
Spam has been an annoying, and often serious issue since the Internet became a staple in our lives. In the early days of being online, we became familiar with spam when unsolicited messages started to overtake our email inboxes, promoting everything from car insurance to cheap vacations. In fact, you probably continue to deal with this kind of unwanted spam every time you log into your email.
When discussing the spam that bombards a WordPress website, it’s a more multi-faceted subject than traditional email spam.
In a nutshell, WordPress spam attacks happen in many forms. As a WordPress site owner, chances are that you’ve dealt with these 3 types of WordPress spam:
Comment spam
User registration spam,
Contact form spam
While these WordPress spam attempts are, of course, highly annoying to both you and your site visitors, it’s important to understand that there are also some major security components that are tied to the spam you’re experiencing.
While attacking and defeating WordPress spam head-on might seem like an overwhelming task, protecting your site actually isn’t that difficult. All you need is the right approach and the best tools.
With the many different types of spam attacks happening on WordPress, it’s important to understand the different approaches that spammers take. Then we’ll look at the specific tools and tips that will allow you to take full control of the problem.
WordPress Contact Form Spam Explained
For most websites, a contact form is an absolute necessity. Contact forms help facilitate communication between you and your site visitors in a way that’s streamlined and user-friendly.
However, spammers see your contact form as a way to further promote their agenda.
WordPress contact form spam is different than other types of spam that attack your site. This is because your contact form requires the use of a plugin, unlike site registrations and comments that are natively built-in to your WordPress core installation.
When employing a contact form, you can choose from popular WordPress forms plugins such as Gravity Forms, Ninja Forms, or Contact Form 7. Just as each of these contact form plugins has its own unique set of features, they also employ different ways of eliminating WordPress contact form spam.
The specific features to protect your site from spam will be found in the settings of the plugin you choose. In some cases, you may need to download and install a companion plugin for full spam protection.
More on that later.
How To Stop WordPress Contact Form Spam
While the annoyance factor of receiving contact form spam emails is high, the solution for stopping them dead in their tracks is quite simple.
The first thing you’ll want to do is install a WordPress spam blocker plugin like Askismet.
If you’re using WPBruiser or Akismet, it’s good to know that either one is ready to work in unison with a wide variety of WordPress contact form plugins. In fact, Akismet will work directly out-of-the-box with Jetpack, Ninja Forms, Gravity Forms and Contact Form 7.
Conversely, WPBruiser is a little different in the way it combats WordPress contact form spam. WPBruiser requires a commercial extension in order to work with your WordPress contact form plugin.
With that said, WPBruiser has a much wider range than Akismet for spam protection options on plugins such as Formidable Forms, Fast Secure Contact Form, and the other popular contact form plugins detailed above.
Additionally, you’ll get a free Jetpack contact form extension in the core WPBruiser plugin installation.
No matter the contact form plugin you’re using, Akismet and WPBruiser will use robust spam blocking tools to help keep your contact forms safe from unwanted spam messages.
WordPress User Registration Spam Explained
The WordPress user registration feature is built directly into WordPress core.
The user registration feature is extremely useful for:
Membership sites
Online communities
eCommerce site customer accounts
Unfortunately, spam user registration is an area where spammers can easily focus their bots on malicious spam attacks. To prevent spam registration WordPress issues, it’s important to look at the root of the problem. WordPress stop spam registrations begins there.
A spam user registration consists of a phony site registration by spam bots that intend on spreading their message throughout your site. These spam user registrations will often lead to spam comments in your blog. They can even lead to more malicious attacks involving site security or a cluttered site with an unwanted front-facing membership directory.
What’s more, many WordPress plugins and themes have security vulnerabilities that can allow low-level site users, such as subscribers, to garner access to the administrative settings on your site. This is an important reason to prevent spam registrations WordPress is infamous for.
While the security flaws in themes and plugins typically require a spammer to work in a roundabout method to exploit the built-in vulnerabilities, it’s important to understand that even the most dormant-looking WordPress user registration spam account could be waiting and ready to exploit your site at any time.
Understanding the need to prevent spam registration WordPress attacks is the first step to solving the issue. Then, it’s time to employ a robust spam user registration blocker to put the issue to rest.
The aforementioned WPBruiser plugin will go a long way toward preventing WordPress user registration spam. It’s your first layer of defense in the WordPress stop spam registrations game.
However, there are a few other simple steps you should take in the WordPress stop spam registrations battle. Make sure to read this guide until the end for full details.
WordPress Comment Spam Explained
When you use the built-in WordPress comment section on your website, you’re automatically inviting conversation from users and readers.
Unfortunately, you’re also inviting a bunch of unwanted spam comments. These spam comments distract users from meaningful conversations about your content and severely muddy the overall experience for the user.
As discussed, spambots are constantly looking to exploit vulnerabilities in your WordPress security, which is a major reason to download and install the best WordPress security plugin.
But these same bots also search out and exploiting your comments section in a very malicious way. If you leave your site unprotected, the spambots will litter your entire site with more nonsense comments than you can keep up with. And they can do it in an extremely short timeframe.
WordPress Comment Spam Examples
WordPress comment spam, aside from the obvious blatant advertisements or garbled-up characters that don’t make sense, should quickly stand out to you because they’re highly complementary, but don’t contain any specific information or questions.
For example, you may see WordPress spam comments that read something like:
“Great blog you’ve got here! Beyond that, your website loads quickly and is easy to use. What site host do you use? Would it be possible to get your affiliate link to the host you use? I really wish my site would load as fast as yours. This is great $4/month hosting with a free domain and SSL, if you’re interested.”
“It looks like you’ve really thought through all of what you’ve presented in this post. Your words are very convincing and I think they’ll work. Even still, the posts your write are perfect for newbies. I do think that you should lengthen your future posts a bit. But thank you for this one.”
“I’m a frequent blogger and sincerely appreciate the information you’ve presented. The article really piqued my interest from the very first word. I just bookmarked your site and will check back for new content once every week. I also subscribed to your RSS feed.”
As you can see, these types of comments are very general and don’t address anything specific about your content. Once you understand this very obvious WordPress comment spam technique, they become quite easy to spot.
You may also see lots of question marks in a spam comment. Lots of question marks are a good indicator of spam.
Is Having a Comment Section On WordPress Worth the Trouble?
The easiest and most effective way to immediately put a stop to WordPress comment spam is to simply turn off the commenting function. If you’re not committed to keeping up with user comments, this is the best way to be free from spam comments cluttering up your site.
To turn off comments on individual posts and pages, you can do so from Post or Page settings. Scroll down to the Discussion section.
There are also several comment disabling options from the WordPress dashboard > Settings > Discussion page. From this screen, you can enable additional settings that can help curb comment spam, like requiring users to register to comment.
The WordPress comment moderation field on this page also allows you to set certain words or even IP addresses that will flag a comment to be held in the comment moderation queue, meaning the comment won’t automatically go live on your site.
That said, there are many different types of WordPress sites that have a need for a live and active comments section. This is especially true for blog sites that are content-based and thrive with heavy user interaction.
If your website falls under that category, the first thing you need to do is stop the spam comments from overtaking your little slice of the online world.
Stopping spam comments is going to take a healthy combination of plugins, along with some common sense spam administrative practices.
To start out, the default WordPress settings for the comment section (Settings > Discussion) can easily be adjusted to limit the harm that comment spammers do. When you look under the “Other Comment Settings” heading, it’s important to check the box next to “Automatically close comments on posts older than ___ days,” and “Users must be registered and logged in to comment.”
These are fast resolutions that’ll cut down on your WordPress comment spam immediately.
How to Stop WordPress Spam Comments
If you’ve chosen to make your comments active, the next best thing to do is install a WordPress spam blocker plugin. The plugins you can use for this purpose typically require very little in terms of ongoing maintenance and are quite simple to use.
After the initial setup process, these tools will do their job to keep you from dealing first-hand with the spam that continually bombards your comments.
1. Use a Spam Blocker Plugin like Akismet
Akismet is the first spam blocker to look at for preventing spam comments. It’s one of the few default plugins that come in every installation of WordPress core. Because of this, many WordPress users find Akismet to be one of the best WordPress spam blockers for comment section spam.https://wordpress.org/plugins/akismet/embed/#?secret=2x8NVUsWwL#?secret=Mm1J0eHr1Y
The Askismet plugin works 24 hours per day to filter out any potential spam comments and set questionable ones aside for your moderation. But beyond that, Akismet has a discard feature that automatically blocks out all known spam, which saves you the time and hassle of ever seeing it.
While Akismet does offer a free spam comment blocking feature, it’s important to note that your protection is normally only as good as what you’re willing to pay for. If you’re running a personal site or blog with relatively low traffic, you should be able to get away with running on the free plan.
If, however, your site is for business and pulls in a lot of traffic and comments, it’s best to upgrade to one of the paid commercial protection plans. The paid plans for commercial and business sites begin at only $5 per month. That small fee is more than worth it when you consider the amount of spam that you’ll never need to deal with.
WPBruiser is another option for fully ridding your comments section of unwanted spam posts.
With the WPBruiser application, you’ll get a customizable and free WordPress comment spam blocker plugin that doesn’t rely on any other third-party services. In other words, you won’t need to fumble around with API keys or open your site up to additional privacy or security concerns.
This plugin creates a comment blacklist, which prevents spam bots from even submitting comments at all. You can also set the plugin to clear out your logs after a specified period of time, and it won’t slow down your site like some other spam plugins.
More Powerful WordPress Spam Protection Techniques
To prevent spam registrations WordPress gives us several more options. WordPress user registration spam, comment spam and contact form spam are all enemies of running a successful WordPress website.
1. WordPress CAPTCHA or reCAPTCHA
While we’ve already covered WordPress stop spam registrations techniques and know how to prevent spam registration WordPress is infamously famous for, putting a complete end to spam requires implementing a CAPTCHA.
The best way to do this is by using the iThemes Security Pro plugin to add a WordPress reCAPTCHA to all user comments, user registrations, password resets and logins. This is an incredibly effective tool that determines exactly what a bot is and who your real users are.
To get started using Google reCAPTCHA, enable the option on the main page of the security settings.
The next step is to select which version of reCAPTCHA you want to use and generate your keys from your Google admin.Note: We recommend using reCAPTCHA v3. We cover each of the 3 versions in more detail in the Understanding Different reCAPTCHA versions section.)
Now enable reCAPTCHA on your WordPress user registration, reset password, login, and comments.
Finally, set the number of failed reCAPTCHAs need to trigger a lockout with the Lockout Error Threshold.
Selecting different versions of reCAPTCHA will display different settings.
2. Honeypots
Another helpful idea for throwing bots off your tail is to create a “honeypot field.” This is a form that’s hidden within your page’s code and is invisible to any real people that browse your WordPress site.
However, it attracts spambots.
They view it as another contact form or field to clutter up with spam messages.
The idea with this technique is that the bots will fill out the honeypot field, unaware that it will immediately expose them as spam. The entry is immediately rejected and the message will never land your inbox or cause any other mayhem on your site.
The honeypot technique, in theory, is a simple way to filter spam out of your life. But the reality is that it can sometimes be hit-and-miss. Some of today’s more sophisticated bots may be capable of getting around your honeypot trap.
While a lot of WordPress security plugins and contact form plugins include built-in honeypot features, make sure it isn’t the only solution you use. When you combine it with CAPTCHA and a spam filter plugin, you’ll have robust, multi-layered protection from spam attacks.
It’s also critical to employ a powerful WordPress backup plugin such as BackupBuddy. With the sophistication of today’s spambots, they can wreak all kinds of havoc on your site without warning. If and when that happens, the BackupBuddy plugin will automatically have a fully-functioning backup copy of your WordPress site ready to go, that you can get online immediately.
Make Spam on WordPress a Problem of the Past
WordPress stop spam registrations is a process that none of us want to deal with. However, to prevent spam registration WordPress has given us powerful tools to use.
As we’ve covered in this guide, spam on WordPress comes in many different forms, including emails, comments, and spam registrations. Fortunately, the techniques and tools discussed in this article will give you a strong upper hand on reducing spam on WordPress to an absolute minimum.
Remember, spam is a constant nuisance and, unfortunately, part of our everyday lives. It’s safe to say that none of us, or our websites, are immune to the problem. As such, we have to limit its impact.
Today, many companies are facing the challenge of digitalization, moving their physical commerce to the online world. This is not as easy as it seems, because depending on the type of store and the way it makes sales or contacts with customers, it will need one type of platform or another. Some opt for a classic website, while others opt for CMS functionalities such as WordPress.
In order to make these decisions, it is important to have IT and sales expertise or, failing that, a specialized consultancy.
Many companies recognize that they need to work digitally, but lack the resources to bring in full-time specialists. It seems that the usual format of companies is inflexible when it comes to incorporating this talent that makes periodic rather than daily contributions. To counteract this, the freelance format appears. Thanks to various platforms, it is possible to find different professional profiles and agree on a project-based collaboration, with a fixed and delimited cost.
Table of Contents
What Is The Purpose Of The .Htaccess File?
The necessary aspects for a website to function correctly are content management, programming and files such as .htaccess. This is a hypertext access that serves as a file to configure the software called Apache. It is a widespread server software, but it needs a series of directions to program its behavior to a certain extent.
The .htaccess file indicates the possibilities of action that a user has when entering the web. It can also limit certain actions to give us more control over our own website.
Another use is to configure the server to react to failures in the user’s connection. This will improve the so-called UX or user experience and serve to channel certain user actions.
It also has special relevance when it comes to making a site load better. Optimization is key, and not just to reduce users waiting time. The loading state of a page affects in part the chances of that page appearing among Google’s top results. Therefore, if our website uses the .htaccess file to prioritize load time optimization, it will not only improve the experience of current users but also attract different users.
The .htaccess file is a small document but it can serve as a gateway to an efficient and functional page. According to the parameters and rules entered, when a user enters the site the server directs traffic to the home page that appears in .htaccess. If there are any errors, the server directs the user to a failure page called 404, which is also customizable to some extent. So a bad configuration can be a risk since it will ruin a lot of visits that could be potential customers. This is why it is advisable to leave these files in the hands of professionals.
If there is one aspect that many entrepreneurs need to focus on, it is IT. The shortcomings in this regard have caused many viable projects to stagnate in their digital adaptation phase.
To prevent this from happening, the best thing to do is to have a programmer specialized in WordPress, especially at the start of the project. This professional is used to dealing with the WordPress computer system, programming, file types and promotional options. It is becoming more and more common for companies that do not have their own IT department to hire freelance programmers sporadically for specific periods or for specific actions. This type of contracting is becoming more and more common, as it helps to save costs in small and medium-sized businesses, where sustaining a full-time employee is a significant economic effort.
WordPress And .Htaccess
WordPress is one of the most popular virtual sites among businesses today. Its intuitive website designs and paid promotion options allow many users to do business on the Internet on a daily basis. The .htaccess file also plays a key role in this format.
There are a couple of aspects that are worth relating about WordPress as a beneficiary of .htaccess technology. To begin with, .htaccess files can refer to the entirety of a website, that is, to indicate the desired behavior in any section of it. However, there is also the option of assigning this type of document to each directory, which opens up the possibility of customizing different subsections.
We are talking about a very important element to restrict entry to some server folders, IP addresses, etc. As we can see, these are very necessary protection functions in the current cybersecurity context.
Optimizations For Our .Htaccess File
Different optimizations can be made in this document to take advantage of each and every one of its functionalities. In addition, as our WordPress website is used, it will be necessary to make adjustments that make sense. It is important to remember that, before modifying the .htaccess file, professionals usually make a backup copy. This is because, in case of failure (which can occur even for spelling issues), the page could be out of order. To make things easier, it is recommended to create a duplicate edition and apply the following tips.
Customize The 404 Error Page
The 404 error page is one of the most annoying pages for users because, in many cases, they do not know how they ended up there. Customizing this section allows you to give specific indications or explanations.
Home Page
The .htaccess file allows you to define a default home page, which does not have to be the same as the main page. Many people running personal projects use the “About Us” section as their home page.
Bringing Visitors From Our Old Website
When a client had an old website that has been replaced by another one, it is important to redirect people who enter the old domain. This way they will understand that the content has been moved.
Protect .Htaccess Modification
Parameters must be set so that this master sheet cannot be modified by third parties.
Block Bots And Users
This can be done from .htaccess. It is a way to prevent unwanted access to the website and to protect it from possible attacks.
The security of your WordPress website depends on the systems you implement to protect it and strengthen its security. With the increase in automatic password cracking, your users’ confidential information and access to your site are more at risk than ever.
That’s why it’s so important to further protect your WordPress site by adding two-factor authentication. Because your site is only as secure as your weakest password.
In this article, I’m going to tell you what two-factor authentication or identification is, why it’s so important and how to implement it on your site with easy to use and configure plugins.
Table of Contents
What Is Two-Factor Identification?
Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) and is an additional layer of protection for your website. It is an additional user verification tool, for when someone logs into their account on your WordPress site.
In a standard WordPress setup, a user only has to specify a username and password to log in. Both can be guessed by dictionary attacks or if they are very weak.
When you add two-factor identification to your WordPress site, first, the user will have to enter their username and password as usual, but that’s not the end of it.
Then he will have to provide other information that proves that it is really him who wants to log in. In addition to the password, this information can be one of the following:
Something that only the user knows, usually a password or PIN code.
Something that only the user has, such as a physical device, a phone or a hardware key.
Something to prove that it is you, such as biometric data like a fingerprint or facial scan.
This data can be presented in a variety of different forms, which include:
A text message or phone call that gives a unique code to access.
Biometric proof such as the phone’s fingerprint sensor.
A separate app that users can download that gives them time-based codes that they can enter.
For example, if a user wants to log into a WordPress site, they must first enter their username and password (something only the user knows) . Then, enter two-factor identification, either asking them to verify their identity with a unique code sent by text message or a time-based code in an authentication application (something only the user has).
Or, on a higher security site like a bank might require the username and password (something only the user knows) first. Then, they might require a time-expired PIN code using their card (something only the user has) on a card reader and, as an added benefit, fingerprint scanning if you are logging in via your phone (something to prove you are who you say you are).
Why You Should Add Two-Factor Identification To Your WordPress Site
It’s easier than you think for someone to steal your password. In addition, most of your site users and team members use very weak passwords.
In fact, it probably won’t be news to you that cybercrime is on the rise. In recent years, personal data breaches, data loss and password exposure have been on the rise and are expected to cost the world 5 billion euros annually by 2022.
No matter the size of your website, the rise in automated password hacking means your site could benefit from some additional layers of security.
Enforcing strong WordPress passwords for your users is incredibly important for the security of your website. However, a strong password alone is not enough. One slip of user error could result in a hacker gaining access to your site and could put your customer or user data at risk.
The good news is that this can be stopped by implementing two-factor authentication in WordPress. In fact, even if one of your passwords was breached, the hacker would be stopped at the next stage. Indeed, the second factor would be the last one.
Still not convinced? Here are the benefits of two-factor identification:
Your data will be more secure : A weak password will no longer be the reason for unwanted access to your website.
You will be protected against fraud: 2FA reduces the likelihood that an attacker can impersonate a user.
Your team will have more freedom: Employees can securely access documents and data without putting the information at risk.
You will increase your users’ confidence: Your customers will appreciate that you are taking extra steps to ensure that their data is secure.
Reduce future costs: If your site is protected, you won’t have to spend money to fix it.
Now that we know the benefits of 2FA for your website and your business, it’s time to install it on your WordPress.
How To Add Two-Factor Authentication To Your WordPress Site
The easiest and fastest way to set up WordPress two-factor authentication is to install a plugin.
But as it is becoming more and more complicated to choose among the many plugins for every need, let’s take a look at the easiest 2FA plugins to implement and configure.
What Do You Need To Use 2FA Double Verification?
The only thing you will need, apart from your WordPress web administrator or editor user account and a plugin that includes the activation of double authentication, is a mobile app such as Google Authenticator or Authy, free for iOS and Android, installed on your mobile or tablet.
2FA With WordFence Login Security
Although you already know that I do not recommend it, if for some reason you already use the WordFence plugin, you should know that regarding the two-factor identification this utility is already included, both within the complete plugin and through a plugin that only offers this specific tool, which is recommended in itself: WordFence Login Security.
No matter what you choose, if it is the complete WordFence plugin or the WordFence Login Security plugin, or any of the following, the steps to activate and start using the double identification are exactly the same.
Activate the dual authentication.
Install a two-factor authentication app on your mobile device (Google Authenticator, Authy, etc.).
With the double authentication app, scan the QR code to add the application (your website) to the app.
Save the backup codes, in case you lose your mobile device to be able to log in without the app.
The next time you log in, in addition to the username/email + password, you will be asked for temporary expiration numbers generated by the authentication app for your application (web).
Then the settings:
For which user profiles the double authentication will be mandatory/optional/inactive.
Whether to allow the optional 30-day grace period (so that the user can choose not to be prompted every day).
Require 2FA for XML-RPC connections (recommended)
Also add reCAPTCHA (unnecessary)
Enable NTP protocol (recommended)
WooCommerce integration (optional)
As you’ll see, it delivers perfectly and works flawlessly, so – although I don’t recommend using Wordfence as a security plugin – the Wordfence Login Security plugin is a good option for adding double authentication to your WordPress site.
2FA With IThemes Security
As you may already know, this plugin was one of my favorites until the summer of 2021 when they decided to totally complicate the interface, forcing you to go through a wizard that made difficult what was once simple.
However, if you still use this plugin for the security of your WordPress website, it also includes the option to enable double identification, which you will find in the wizard.
After activating it, and only after completing the tedious setup wizard, you will be able to configure two-factor authentication.
In the settings you will be able to choose the double verification methods:
Mobile App
Email
Backup ID codes
The most common is to choose the mobile app, but if you opt only for the confirmation email method, or only the mobile app, I always recommend activating the backup codes, which are always a lifesaver.
Once you activate them, on the next login, users will be prompted to initiate the login process by double-identification, using the methods you have activated.
Once activated, it is very simple and intuitive.
What is more complicated is how to define for which users to activate double verification, because for this you will have to configure iThemes Security by creating groups of users and, for each one, decide what you activate and how. This is the part that they complicated so much with the damn wizard, and why I currently do not recommend this security plugin.
2FA With SG Security
Another way to enable two-factor identification in WordPress is via SiteGround Security, currently my favorite security plugin, which can be installed on any WordPress site, even if it is not hosted by SiteGround.
The best part is that, like everything in this security plugin, activating two-factor authentication is just one click.
Once two-factor identification is enabled, the next time an administrator or editor user accesses your WordPress site, they will first have to enter their username and password, and then they will be prompted for the temporary expiration numbers generated by the mobile authentication app, and can check the box to not be asked again for it for 30 days.
After logging in, you will be shown the backup codes, encouraged to save them in a safe place, and you will be able to log in.
Subsequently, each user will have the QR code and security code on their profile settings page, as well as the backup codes, in case they forgot to save them on their first two-factor authentication login.
SG Security’s 2-factor identification works with the main double authentication mobile apps, such as Google Authenticator and Authy, and at the moment it is activated by default for administrators and editors, the user profiles with more access and, consequently, more sensitive, although it is planned to extend it to other profiles.
It does not have as many settings as the other plugins, but it makes up for it with simplicity, something that many users value positively, me among them, especially with these new technologies, which tend to be difficult for most users, so although for advanced configurations it could fall short, it seems to me a more than valid option, and above all simple to implement and configure.
2FA With WP 2FA
The last option I will recommend you is a specific plugin for two-factor identification, and that I consider to be the best among the many that there are just for this utility: WP 2FA.
As soon as you install it and activate it, a configuration wizard will start, totally recommended, that will ask you for the methods you want to activate, which users to require the double identification and a few more settings, as you can see in the following screenshots:
As we have already seen before a bit of the terminology of this technology I will not get repetitive, because basically, the wizard settings are the same as in other plugins, so the screenshots are pretty self-explanatory and easy to understand.
Only the screens will change depending on whether you choose identification via mobile app or email.
With this you would have finished configuring the basic settings, but there is still more, because being a specific plugin it has quite a few additional settings, which are not shown in the initial wizard, that you should review.
For this you have a new item in the administration called WP 2FA, with two additional settings configuration pages:
2FA Policies
Settings
2FA Policies
In the 2FA policy you will be able to:
Select the available dual-ID methods
Choose for which profiles to force double identification
Define a grace period or not
Whether an external 2FA settings page will be created for the users or the settings will be in the WordPress admin
Choose where to redirect users to after setting up their 2FA page
Whether users will be able to disable 2FA in their profile or not
WP 2FA Settings
General
In the settings section you will find 3 tabs, namely:
Email settings: Here you can customize the texts and more options of the emails sent by the double authentication system.
General settings: A few technical settings about how the plugin works, which you will normally not have to modify.
White label: You will be happy to know that you can customize the texts that are shown to users in the double authentication process.
As you can see, it is the most complete of all in terms of customization possibilities, there is no possible competition in this regard.
It also has a premium version, payable, but it is not really necessary except for applying double-ID expiration policies, statistics and little else.
What Is The Best 2FA Two-Factor Identification Plugin?
I think it is clear that the most complete is WP 2FA, there is no doubt. The fact that it is a specialized 2FA plugin is noticeable, and beats any of the other options, for customization, for settings, for everything.
Now, should you install a specific 2FA plugin if your security plugin already offers this tool?
Well I think that, unless you NEED some specific functionality offered by the specific plugin and it is not available in your security plugin, I would use the 2FA feature of your security plugin, for not overloading plugin headers in your site, activating more code, having to maintain more plugins, etc. For economy of resources you could say.
