WordPress updates, whether manual or automatic, always raise questions and even fears among webmasters. These updates are necessary for the security and scalability of your site, but they also entail risks. So should you activate WordPress automatic updates? Let's explore the issues.
Manual updates
Regardless of whether you update manually or automatically, the risks are there.
All in all, no matter whether the update is automatic or manual, you're bound to run into problems sooner or later.
What are the risks of WordPress updates?
From simple bugs to site inaccessibility, here are the most common problems:
Action required: Sometimes an update requires manual intervention to adjust certain parameters or configurations.
A plugin or theme has a bug: An update can introduce a malfunction, especially if the plugin or theme is no longer maintained by its developers.
Version incompatibility: A plugin or addon depends on another plugin and may not be updated as frequently, creating conflicts.
How to reduce risk
To avoid these risks and inconveniences, a staging process is necessary: this consists of trying out every update in a test environment before applying it in production. However, this practice requires considerable time and resources, which is not feasible for smaller sites.
Automatic updates
What are the advantages of WordPress automatic updates?
Switching to automatic updates saves time and increases security.
It's just a few clicks from your Plesk control panel. You have the option of disabling automatic updates for any plugins that cause problems.
1. Safety gain
By activating automatic updates, your site is protected against the latest security vulnerabilities as soon as they are identified. This reduces the risk of hacking and keeps your site safe without systematic manual intervention.
2. Save time and energy
Automatic updates reduce the need for frequent intervention. Instead of manually checking for new versions of plugins or WordPress, you save precious time that can be reinvested in higher value-added tasks.
3. More minor bugs
Thanks to regular updates, the bugs encountered will be more minor overall, simply because the changes are more minor. What's more, diagnosis will be simpler: if one plugin is causing a problem, you'll quickly find which of the few recently modified scripts is causing the problem, whereas if all plugins have received an update, you'll have to test them all one by one.
Requirements for automatic updates
With automatic updates, there are even more important prerequisites than with manual updates.
1. Automated and outsourced backups
Backups are essential in some cases. It is therefore important to have regular, outsourced backups with long retention times. These backups must be selectively and easily restorable.
On LRob web hosting, we perform a host backup going back 1 year.
2. Site monitoring
You should monitor the response of your sites and check them manually from time to time.
You need to react quickly if necessary, to prevent a problem from affecting your site for too long. And you need to have the right tools to diagnose (access to logs, phpMyAdmin, file explorer, deactivation of plugins from the hosting panel - all available on the LRob web hosting). Your LRob support can help you diagnose and solve your problem, by getting involved in WordPress research and diagnostics.
What should I do if I have a problem with a WordPress update?
If an update causes a problem, you need to react quickly and effectively:
View logs: Server logs can quickly reveal the source of the problem.
Deactivate the offending plugin: If you can do without it, deactivate the plugin concerned.
Adapt settings: Sometimes a simple setting change is enough to solve the problem.
Developer support: Contact support for the plugin or theme concerned to report the problem and get help.
Restore a backup: If the problem is critical and has no immediate solution, then a backup restore may be necessary. In this case, it may make sense to temporarily suspend (automatic) updates until a solution is found. If you don't have a backup on your side, your LRob support can restore its host backup.
Contact your LRob support: We manage a large number of sites, so it's highly likely that we've already spent hours solving a similar problem, or that our experience will enable us to find your solution very quickly. We're always happy to help you save time!
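For the first step (viewing logs), here is an added example that is not part of the original article: a short Python script that groups PHP fatal and parse errors by the plugin or theme directory they occurred in, so the component to deactivate stands out. The log lines are constructed samples in the usual PHP error-log format, and the paths, slugs and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual PHP error-log format (not from a real site).
SAMPLE_LOG = """\
[12-Oct-2024 08:15:02 UTC] PHP Warning:  Undefined array key "id" in /var/www/example/wp-content/themes/demo-theme/functions.php on line 88
[12-Oct-2024 08:15:03 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function demo_helper() in /var/www/example/wp-content/plugins/demo-gallery/includes/render.php:42
Stack trace:
#0 /var/www/example/wp-includes/class-wp-hook.php(324): demo_gallery_render()
[12-Oct-2024 08:15:09 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function demo_helper() in /var/www/example/wp-content/plugins/demo-gallery/includes/render.php:42
[12-Oct-2024 08:16:40 UTC] PHP Parse error:  syntax error, unexpected token "}" in /var/www/example/wp-content/plugins/demo-forms/admin.php on line 17
[12-Oct-2024 08:17:01 UTC] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/example/wp-includes/functions.php on line 5000
"""

# Only errors that take a page down; warnings and notices are ignored.
SEVERE = re.compile(r"PHP (Fatal error|Parse error):\s+(?P<msg>.*)$")
# PHP reports the failing file as "in <path>:<line>" or "in <path> on line <n>".
LOCATION = re.compile(r" in (?P<path>/\S+?\.php)(?::\d+| on line \d+)")
# A path under wp-content/plugins or wp-content/themes identifies the component.
COMPONENT = re.compile(r"/wp-content/(?P<kind>plugins|themes)/(?P<slug>[^/]+)")


def triage(log_text):
    """Count fatal/parse errors per component; keys are (kind, slug-or-path)."""
    hits = Counter()
    for line in log_text.splitlines():
        severe = SEVERE.search(line)
        if not severe:
            continue
        locations = list(LOCATION.finditer(severe.group("msg")))
        if not locations:
            hits[("unknown", "-")] += 1
            continue
        # The last "in <file>" of the message is where the error was raised.
        path = locations[-1].group("path")
        comp = COMPONENT.search(path)
        key = (comp.group("kind"), comp.group("slug")) if comp else ("other", path)
        hits[key] += 1
    return hits


def suspects(log_text):
    """Plugin and theme slugs ordered by number of fatal errors, most frequent first."""
    return [
        (slug, count)
        for (kind, slug), count in triage(log_text).most_common()
        if kind in ("plugins", "themes")
    ]


if __name__ == "__main__":
    for slug, count in suspects(SAMPLE_LOG):
        print(f"{count:3d} fatal error(s) in {slug}")
```

Errors raised outside wp-content (the memory exhaustion in the sample) are reported under "other" with their full path, since they do not point at a single plugin.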
In short: manual or automatic update?
Manual update
By updating manually, you delay the appearance of problems that you'll have to solve sooner or later, while exposing yourself to more security holes.
This choice may be appropriate for very complex sites, subject to potential bugs and requiring more extensive monitoring.
Automatic update
With automatic updates, you risk a temporary bug, so you have to deal with the (rare) problems as soon as they appear.
The exception: complex sites
The exception is large, complex sites, such as WooCommerce with custom development, where it's better to stage and test each update (max. every 3 months, or when a known security flaw appears), for an appropriate maintenance fee.
With a professional hosting service, such as that offered by LRob, you can benefit from technical support and extended backups, up to a year in the past, to secure your site against unforeseen events.
Conclusion
Overall, we feel that automatic updating should be your default choice, as security takes precedence over functionality. If you're "agile", then this shouldn't be a problem. After all, it's better to have a bug to fix than a hacked site and all its consequences to deal with. Small and medium-sized structures will often benefit more from automatic updates, while more complex sites require specific, in-depth maintenance management.
If you're ready to embrace automatic updates, make sure you have backups and a monitoring strategy in place to deal effectively with the rare incidents that might arise.
👉 For simplified management of your WordPress site, discover LRob's hosting offers and benefit from our expertise to avoid or solve technical problems and keep your site online, secure and performing.
Discover WPMasterToolKit, the essential plugin to simplify your life and lighten your WordPress sites.
This made-in-France plugin, developed by Webdeclic's talented Ludwig YOU, brings together a host of essential WordPress features, each of which you can activate with a single click. All in a single extension: simplifying your management while speeding up your site! 🚀
A truly different plugin
WPMasterToolKit is simple and flexible. With over 83 free features already activated, this plugin lets you replace countless extensions with just one.
What makes WPMasterToolKit unique, apart from being French, is its ability to activate only the features you need, without unnecessarily burdening your site. Where other extensions are monolithic, loading unnecessary scripts even when you're not using them, WPMasterToolKit is designed to be light and efficient.
If a feature is disabled, the associated program won't load at all. In this way, you reduce your site's resource use and improve its performance, by loading only the features you really need.
Other functionalities are in the pipeline, and some are available as premium features to perpetuate the project.
The developer, Ludwig YOU, is very attentive to suggestions and is actively improving his plugin. This includes the recent addition of a tab that lets you see active features at a glance.
Key features of WPMasterToolKit
Here are some of my favorite features so far:
1. Hide WordPress version
Hiding the WordPress version displayed in the source code is an excellent security measure. It reduces the chances of your site being targeted by automated attacks aimed at specific WordPress versions.
2. Limitation of revisions
Managing content revisions is an often overlooked point that can quickly overload the database. WPMasterToolKit allows you to limit the number of revisions per article, which helps keep the database clean and efficient.
3. Disable emoji support
Emojis are useful for some sites, but most modern browsers already natively support these symbols. Disabling support for emojis in WordPress can reduce page load times.
4. Disable Really Simple Discovery (RSD) tags
By disabling the loading of RSD tags (and scripts like Dashicons for offline visitors), you can reduce the loading time of your public pages, especially if your site doesn't use third-party services that require these elements.
5. Disable jQuery Migrate
If your site uses recent versions of jQuery, the script jQuery Migrate becomes useless and can be disabled to improve page loading speed.
Other interesting features
In addition to these favorite features, WPMasterToolKit also offers a host of tools to make the day-to-day management of your site easier. Among the most popular are:
Self-publishing of missed articles: Automatically publish items that have missed their planning date.
SMTP management: Connects to a third-party SMTP server to relay your e-mails more reliably.
Disabling REST APIs for unauthenticated users: Improves security by limiting access to data via the REST API.
Email ban: Block the creation of user accounts with temporary or unauthorized email addresses.
Maintenance mode: Displays a customized maintenance page while you're working, without hindering administrators.
Redirect 404s to home page: Enhances the user experience by redirecting non-existent pages to the home page.
And many more besides... The best thing is to explore and test for yourself! Who knows, you could replace dozens of plugins!
An essential WordPress toolkit that needs to be better known
With a host of customizable features, you have everything you need to customize and control your site, improve performance and enhance security.
At the time of writing, this new plugin has over 500 active installations. For me, this plugin is a real game changer, and I'm convinced that it will pass the thousand mark well before the end of the year, and that its popularity will then explode.
Finding the best cache plugin isn't easy. You have to test it, measure its performance, find out about its long-term support...
So what's the fastest cache? What's the best cache plugin? Which are practical and complete, which are efficient? Do I need to pay for a good cache plugin?
Today, we're trying to answer these questions with independent measurements that are as objective as possible. The test is a bit "meta" in that it involves testing on lrob.fr, a showcase/blog created with FSE (full site editing). A standard, lightweight site.
Introduction
The objective of a cache plugin: to fall below 200ms response time or "TTFB" (Time To First Byte; 200ms is the maximum time recommended by Google PageSpeed Insights).
But not all caches are created equal, as Yoan De Macedo reminds us in his blog post. Some perform better than others, while others may even degrade performance. So to really choose the best cache, you need to test several on your own site and measure the results precisely. Given the variability of response times, it's important to carry out tests over a period of time and average the results. This can be tedious, however, so you may want to use this comparison test as a starting point.
We also remind you that caching isn't everything. Caching can reduce server resources, but your site must be optimized from the outset. Otherwise, it's called "cache misery". So opt for lightweight, well-optimized plugins and themes to avoid unpleasant surprises. The cache will then be the icing on the cake.
Plugins tested
I have based this list of plugins to test on a "top" list of caching plugins as well as on my experience with plugins actually encountered by various hosted customers:
This LRob test is in no way sponsored by any caching plugin. It is intended to be as objective as possible. However, this test is only a reflection of itself and of our opinion, which cannot be perfectly objective and is therefore not intended to produce general truths. LRob is an independent web host specializing in WordPress.
Website details
The test is performed on https://www.lrob.fr/. The WP-Cron function is deactivated and executed directly by the server every 4 minutes. The site runs under PHP 8.3.12 in dedicated FPM behind Apache 2, with MariaDB 11.4. Redis server is also available on the host server (version 5:6.0.16).
Theme
The site is built with FSE and the Twenty Twenty-Four theme.
Plugins
The site has 17 active plugins at the time of testing (not including the cache plugin tested):
How to use Blacklist Updater
Complianz | GDPR/CCPA Cookie Consent
Connect Matomo
Easy WP SMTP
hCaptcha for WP
Insert PHP Code Snippet
Optimize Database after Deleting Revisions
Rank Math SEO
Regenerate Thumbnails
Simple Local Avatars
Site Reviews
Social Sharing Block
TranslatePress - Developer
TranslatePress - Multilingual
Update URLs
WPForms Lite
WPMasterToolKit
Measurements and details
Response time is measured with Uptime Kuma on a server at PulseHeberg in Switzerland (Lausanne), which provides this average. The production server is located at Hetzner in Falkenstein, Germany.
Each plugin is tested successively, with a measurement every 20 seconds for 5 minutes or more (sometimes I went for a coffee in between), i.e. a minimum of 15 measurements to obtain a consistent average.
Between each test, Uptime Kuma's recorded values are erased after an initial measurement once the cache is in place; the cache folder is deleted and it has been verified that the .htaccess and wp-config.php are indeed free of any trace of the previous plugin.
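To reproduce this protocol on your own site, here is an added example that is not part of the original article (the measurements above were taken with Uptime Kuma, not with this script). It takes one measurement every 20 seconds, requires at least 15 samples, and reports the average against the 200ms target and a baseline; the URL is a placeholder, and the timing includes connection setup and stops once the response headers arrive, which is an approximation of TTFB.

```python
import http.client
import statistics
import time
from urllib.parse import urlsplit

TTFB_TARGET_MS = 200   # target quoted in the article
BASELINE_MS = 379      # the article's no-cache average, used for the percentage column
MIN_SAMPLES = 15       # the article's minimum number of measurements per plugin


def measure_ttfb_ms(url, timeout=10):
    """Milliseconds from opening the connection to receiving the response headers."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = conn_cls(parts.netloc, timeout=timeout)
    start = time.perf_counter()
    try:
        conn.request("GET", target, headers={"User-Agent": "ttfb-probe-example"})
        response = conn.getresponse()          # returns once status line and headers are read
        elapsed_ms = (time.perf_counter() - start) * 1000
        response.read()                        # drain the body so the connection closes cleanly
        return elapsed_ms
    finally:
        conn.close()


def run_probe(url, count=MIN_SAMPLES, interval_s=20):
    """One measurement every interval_s seconds, as in the article's protocol."""
    samples = []
    for i in range(count):
        samples.append(measure_ttfb_ms(url))
        if i < count - 1:
            time.sleep(interval_s)
    return samples


def summarize(samples_ms, baseline_ms=BASELINE_MS):
    """Average, variability and percentage of the baseline for one series."""
    if len(samples_ms) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples, got {len(samples_ms)}")
    mean = statistics.fmean(samples_ms)
    return {
        "mean_ms": round(mean),
        "min_ms": min(samples_ms),
        "max_ms": max(samples_ms),
        "spread_ms": max(samples_ms) - min(samples_ms),   # high spread = unstable cache
        "pct_of_baseline": round(100 * mean / baseline_ms, 1),
        "under_target": mean < TTFB_TARGET_MS,
    }


if __name__ == "__main__":
    # Placeholder URL; a full run takes about five minutes.
    print(summarize(run_probe("https://example.org/")))
```

Run it once without a cache plugin to obtain your own baseline, then pass that value as `baseline_ms` for each plugin you test.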
Protocol limitations
The test was carried out on a server in production, generating a slightly higher variability of results than that observed on a server with no activity. However, server usage is very moderate at the time of the test, and the variability is offset by a series of over 15 measurements each time, enabling the results to be averaged. The aim is not to get the value to the nearest millisecond, but to obtain an order of magnitude.
Furthermore, the test was carried out on a specific site and cannot be extrapolated to all sites: every site is different and will respond differently to certain plugins (particularly stores). But if your site is made with the Twenty Twenty-Four theme or another FSE (Full Site Editing) theme, then chances are your results will be similar.
Tests and Benchmarks
Baseline - Test control: Response without cache plugin
Without any caching plugins, the site responds in 379ms on average, with little variability. This is a relatively low base value, since sites made with builders can easily take 2 to 4x this response time.
Let's take a look at how different caching plugins improve response times.
Autoptimize
Average response: 379ms
The response time is identical to the site without cache. And for good reason: Autoptimize's caching function is in fact only available with the paid plugin. In other words, you won't be able to speed up your site with the free version. That's a shame.
However, as developer Simon JANVIER points out, Autoptimize, in its free version, is more useful for intelligent concatenation and minification of scripts. In this respect, it can lighten your site, but will not improve its TTFB (response time).
Breeze
Contrary to what I initially thought, Breeze isn't just for Cloudways or Varnish, it also works on a classic system. I therefore add it to this test and thank Michael GOUT for bringing this plugin to my attention.
Average response: 98ms
The result is amazing: under 100ms with very stable response times! I'm just discovering this plugin and I'm falling out of my chair!
I have a minor reservation about the plugin's compatibility with all sites, due to the comments on wordpress.org. From these comments, it seems that its use could cause some problems with the most dynamic or complex sites, such as WooCommerce e-commerce sites.
For the rest, it seems an excellent choice not to be missed.
Cachify
Cachify offers database caching by default, and also supports file and Redis caching. We tested the default cache and Redis. Apart from that, very few other settings are available to us.
Average response: 260ms
The results are similar between the "Database" cache and Redis, within the margin of error. However, the results seem to be more stable with Redis. In all cases, the result exceeds the expected 200ms, which is disappointing. This plugin cannot really be recommended.
LiteSpeed Cache
LiteSpeed Cache has been in the news a lot recently for its security flaws. The plugin also claims to be compatible with an Apache server. So how does it fare in practice?
Average response: 376ms
A disappointing result for LiteSpeed cache on our test configuration, since the site is within the margin of error of the site's original response time, without cache.
And for good reason: as Louis Chance points out, LiteSpeed, as its name suggests, doesn't cache anything on an Apache server! You need an available LiteSpeed server. We can't recommend this plugin if you're running Apache, given the performance it delivers and the many recent security flaws.
W3 Total Cache
W3 Total Cache offers a configuration wizard and numerous settings. It's the most complete free plugin I know. It supports various cache types, including Redis. Here, minification has been activated, which may slightly increase the measured response time but offers better performance for visitors with slower connections (mobile, ADSL, etc.).
Average response: 159ms
Finally, a result under 200ms! With Redis, so avoiding thousands of cache files. And great control over settings and options like Lazy Load for images, and disabling certain optional WordPress scripts. Its versatile configuration will enable you to adapt more precisely to each site: you can measure the performance obtained with different settings and choose the most relevant for your specific site.
In addition, the other cache types available also perform well: although they were not tested today, the results are fairly similar whatever the type of cache chosen.
In our experience, this plugin has never disappointed, so it's highly recommendable. (It's even the one used on LRob.fr.)
WP Fastest Cache
This plugin offers some interesting options in its free version. However, some of the options offered free with W3 Total Cache are missing.
But the most important thing today: does this plugin live up to its name, by actually being the fastest?
Average response: 123ms
This plugin lives up to its name, being one of the fastest tested! In our test, however, Breeze came out on top.
At LRob, we've seen many diverse blogs achieve great results with this plugin. It has never disappointed, and we recommend it without hesitation.
WP-Optimize
WP-Optimize offers very few cache settings. In fact, its primary function seems to be database cleansing. So how does it fare when it comes to caching?
Response time variability is too high for our liking, with responses oscillating between 132 and 180ms.
Nevertheless, the average remains very good at 152ms. A pleasant surprise.
We're not at all reassured by this variability, and so don't recommend this plugin as a cache. All the more so as we've already observed sites that were slower with this plugin than without... So use it with caution as a cache.
Solid Performance
As a bonus, I'd like you to try out a new caching plugin, Solid Performance, which looks promising (thanks to Julien ROUSSEL for the recommendation).
Average response: 155ms
Although it provides no adjustment whatsoever, its measured response time is among the best in this test. Enough to potentially satisfy those who don't feel like making the slightest adjustment. As the plugin is young, it hasn't yet been tested, but a cache plugin can easily be changed if necessary in most cases, so there's not much risk in trying it out if you feel like it!
Summary of results and conclusion
| Plugin | Average response (ms) | Percentage (lower is better) |
|---|---|---|
| Baseline (no cache) | 379 | 100% |
| Autoptimize | 379 | 100% |
| Breeze 🥇 | 98 | 25.8% |
| Cachify Database | 257 | 67.8% |
| Cachify Redis | 263 | 69.4% |
| LiteSpeed | 376 | 99.2% |
| W3 Total Cache Redis 🥉 | 159 | 41.9% |
| WP Fastest Cache 🥈 | 123 | 32.4% |
| WP-Optimize | 152 | 40.1% |
| Solid Performance | 155 | 40.9% |
We have no hesitation in recommending Breeze, WP Fastest Cache and W3 Total Cache, which are all excellent. They offer very good response times with sufficient settings, even in the free version. It should be noted, however, that Breeze may cause a few problems on some sites. Also, W3 is a little more complete in the free version than WP Fastest Cache, which is why it has been chosen for LRob.fr, but Breeze could potentially replace it in the long term, as it provides almost as many functions while being simpler to use.
In summary, according to our test:
Choose Breeze for maximum performance, rather for showcase sites
Choose W3 Total Cache for the highest level of customization, or if your host supports Redis (as is the case with LRob accommodation)
Choose WP Fastest Cache for excellent performance without configuration
A mention for WP-Optimize, which despite its lack of settings and wide variability in response time, shows a perfectly decent average response time. Mention also to Solid Performance which, as a newcomer, lives up to its name and looks promising without revolutionizing anything, as it stands, due to its lack of settings. Cachify's settings and performance are inferior to those of other plugins. We can't comment on LiteSpeed in our Apache configuration (except to say that its usefulness is very limited in this type of configuration). Autoptimize, finally, offers no improvement in loading times and is therefore totally useless for this purpose, according to our measurements, but could be used in conjunction with a caching plugin to reduce the number of files.
Given the good results obtained with these free plugins, it doesn't seem essential to pay for a cache plugin if you don't need the additional functions offered. We may, however, test the paid versions in a future article, if you're interested.
It goes without saying that high-performance hosting is essential to achieve the best response times. To achieve this, LRob hosting is here to serve you (in every sense of the word)!
The world of WordPress, which powers more than 40% of the world's websites, is in turmoil. At the center of the conflict are two major players in the ecosystem: Matt Mullenweg, founder of WordPress and CEO of Automattic, and WP Engine, one of the leading hosting companies for WordPress.
This confrontation, which has taken on legal proportions, raises crucial questions about control of the WordPress brand, open source, and the governance of one of the web's most influential projects. Here's a detailed analysis of the case and what's at stake.
Background: WordPress and WP Engine
WordPress and Automattic: a complex relationship
WordPress, launched in 2003 by Matt Mullenweg and Mike Little, is open source software for creating and managing websites. It's free to use, and enjoys the support of a large community of developers who contribute to its continuous improvement. However, the project's governance relies heavily on Automattic, the company founded by Mullenweg. Automattic manages WordPress.com and other popular products such as WooCommerce and Jetpack.
Although WordPress is open source, Automattic owns an exclusive license for the use of the WordPress brand. This gives the company a central role in the ecosystem. This includes protecting the brand against perceived misuse or deception.
WP Engine: a major player in WordPress hosting
For its part, WP Engine is one of the largest hosting services specializing in WordPress. The company offers hosting solutions optimized for WordPress, making it easy for millions of users to manage their websites. It has experienced rapid growth, attracting leading investors such as Silver Lake.
However, WP Engine is not directly affiliated with Automattic or with the WordPress Foundation, even though its name and business model are closely linked to WordPress.
The Beginning of the Conflict: Mullenweg vs WP Engine
In September 2024, Matt Mullenweg published a blog post in which he openly criticized WP Engine, calling the company a "cancer for WordPress". He criticized WP Engine for disabling the article revision history feature by default, a practice which, in his view, compromised user data protection.
Mullenweg also denounced WP Engine's use of "WP", feeling that this was confusing users, leading them to believe that WP Engine was part of WordPress or had an official link with the WordPress Foundation.
WP Engine's reaction
In response to these accusations, WP Engine sent a cease and desist letter to Mullenweg and Automattic, demanding that they withdraw their statements. WP Engine defended its use of the "WP" trademark, claiming that it was a matter of fair use of the name, in accordance with trademark law. The company also accused Mullenweg of threatening to adopt a "nuclear approach" against WP Engine unless it agrees to pay a substantial royalty for the use of the WordPress trademark.
Legal escalation: cease-fires and counter-attacks
In response to WP Engine's letter, Automattic issued its own cease and desist letter, claiming that WP Engine violated the rules for use of the WordPress and WooCommerce trademarks.
The conflict reached a new climax when Mullenweg took the radical decision to ban WP Engine from WordPress.org resources. This ban blocked WP Engine-hosted sites from accessing plugin and theme updates, exposing many sites to security risks. This measure has been widely criticized within the WordPress community, as it has left small businesses and independent sites without a viable solution.
WP Engine denounced this decision, accusing Mullenweg of abuse of power and of endangering the entire WordPress ecosystem.
Repercussions for the WordPress community
Users taken hostage
The interruption of WP Engine services has had a major impact on many users. Although WordPress plugins and themes are licensed open source, hosting providers like WP Engine have to manage infrastructures so that their customers can use them. The temporary ban revealed the fragility of certain technical dependencies and highlighted the importance of a balanced management of open source resources.
However, Mullenweg asserted that the conflict was strictly linked to trademark issues and not to the overall management of WordPress. The ban was temporarily lifted at the end of September, but the incident sowed doubts in the community.
Automattic too dominant?
More and more voices are being raised to question Automattic's dominant position in WordPress management. John O'Nolan, founder of the open source CMS Ghost, criticized the excessive centralization around Matt Mullenweg, asserting that "40% of the web should not be controlled by one person".
For his part, David Heinemeier Hansson, creator of Ruby on Rails, has accused Automattic of betraying the principles of open source by requiring WP Engine to return 8% of its revenues. For him, this practice could have repercussions far beyond WordPress, threatening the entire open source community.
Legal and commercial implications
On October 3, 2024, WP Engine decided to go on the offensive by filing a complaint against Automattic and Mullenweg for abuse of power and anti-competitive practices. WP Engine accuses Automattic of failing to respect its commitments to open source and of harming the interests of developers and users.
This case is still ongoing, but it could have far-reaching consequences for how open source brands and projects like WordPress will be managed in the future.
A special message when you log on to WordPress.org
When logging in to the WordPress.org forums, a new checkbox appears:
✅ I am not affiliated with WP Engine in any way, financially or otherwise.
Unusual message that prompted me to look this up and discover this case.
Questions raised for WordPress
This mainly affects two large American companies that are exploiting WordPress commercially (in models that are, in my opinion, too modified from the original version of WordPress). The original version of WP is truly free, and you can host it wherever you like (and hopefully, you'll choose a host that's as free as possible, such as LRob hosting).
For the time being, independent web hosts such as LRob are totally unaffected by this conflict. There are no alarm bells ringing for us, even if we remain vigilant.
In any case, this conflict underlines the tensions possible when managing a large-scale open source project. While WordPress remains an essential technology for millions of sites, the debate surrounding brand ownership, governance and open source ethics raises a number of questions.
In particular: how far can open source remain free when it is closely linked to massive commercial interests?
Imagine the drama: only 1 chance in 10 that your requests will reach you!
Contact forms are essential for acquiring customers. Yet a number of these forms are poorly configured and fail to forward prospect requests...
What's more, forms are supposed to be designed to save you time... And a few tricks can help you do just that... For example, by not receiving spam or by being able to reply more quickly.
Today, LRob saves you time and leads!
1. Do not set the customer's email address as From
The most frequent error when configuring contact forms is to consider the customer as the sender of the e-mail.
It may seem logical to put the customer's email address in the "From" field, but this causes a major problem: mail spoofing, or identity theft.
In this way, your website pretends to be your customer's email address (for example: john.doe@microsoft.com). If your customer's domain is secure (which is often the case), it will refuse to let your server send an e-mail on its behalf. The message will then be silently blocked by your email provider, or considered spam... 9 chances out of 10 that you'll be considered a spammer.
The solution is very simple: the e-mail sender must always be an address linked to your own domain. For example, use an address such as: site@votredomaine.fr. This ensures that emails sent from your form will not be rejected or classified as spam.
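The difference shows up in the message headers. The following is an added example, not part of the original article and not how any particular form plugin works: it builds the misconfigured message next to the corrected one and checks which of them has a From address on the site's own domain. Placing the visitor's address in Reply-To, so that you can still answer with one click, is an assumption the article does not spell out; example.org and the function names are placeholders.

```python
from email.message import EmailMessage
from email.utils import parseaddr

SITE_DOMAIN = "example.org"          # placeholder for your own domain
SITE_SENDER = "site@example.org"     # sender on the site's domain, as the article advises
FORM_RECIPIENT = "you@example.org"   # placeholder recipient


class FormError(ValueError):
    """Raised when a submitted field cannot be used safely in a header."""


def clean_visitor_email(raw):
    """Accept one bare address; reject line breaks, display names and address lists."""
    if "\r" in raw or "\n" in raw:
        raise FormError("line break in e-mail field")
    candidate = raw.strip()
    _, addr = parseaddr(candidate)
    if addr != candidate or addr.count("@") != 1 or "." not in addr.split("@")[1]:
        raise FormError("not a plain e-mail address")
    return addr


def naive_notification(visitor_email, body):
    """The misconfiguration described above: the site sends as the visitor."""
    msg = EmailMessage()
    msg["From"] = visitor_email       # the visitor's domain never authorized this server
    msg["To"] = FORM_RECIPIENT
    msg["Subject"] = "Contact form"
    msg.set_content(body)
    return msg


def build_notification(visitor_email, visitor_name, body):
    """Corrected layout: the site is the sender, the visitor is only the reply target."""
    reply_to = clean_visitor_email(visitor_email)
    safe_name = " ".join(visitor_name.split())[:80]   # collapse whitespace and line breaks
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = FORM_RECIPIENT
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Contact form: message from " + safe_name
    msg.set_content(body)
    return msg


def from_is_aligned(msg, site_domain=SITE_DOMAIN):
    """True when the single From address is on the site's domain or a subdomain of it."""
    addresses = msg["From"].addresses
    if len(addresses) != 1:
        return False
    domain = addresses[0].domain.lower()
    return domain == site_domain or domain.endswith("." + site_domain)


if __name__ == "__main__":
    good = build_notification("john.doe@microsoft.com", "John Doe", "Hello, I would like a quote.")
    bad = naive_notification("john.doe@microsoft.com", "Hello, I would like a quote.")
    print("corrected form aligned:", from_is_aligned(good))
    print("naive form aligned:    ", from_is_aligned(bad))
    print(good)
```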
2. Protect your forms with a Captcha
Don't forget to add a Captcha to avoid spam.
Captcha isn't there just to annoy people: it's a simple, effective solution for filtering robots and preserving the quality of messages received.
Without this protection, you'll receive dozens or even hundreds of unsolicited messages a day, wasting time sorting through them and missing out on genuine requests.
To respect the privacy of your users, I recommend hCaptcha.
3. Configure SMTP on your site
Your website should have a dedicated e-mail address with a real SMTP login for your mailings. As a reminder, SMTP is the standard protocol for sending e-mail.
If your mail is with Gmail or Microsoft, this will be more complicated to apply because you pay for each mailbox and SMTP is disabled by default... But if it's with your preferred host, then don't worry!
Default mailings via the php mail() function are sometimes disabled to prevent involuntary mailings and preserve server reputation (blocked by default at LRob, authorized on a case-by-case basis).
This ensures that the email is sent from a real email server, rather than from the website server when these two servers are separate.
SMTP will improve email deliverability thanks to email headers (meta-information) that are generally cleaner than php mail().
In the event of problems with the form (e.g. massive spam mailings), SMTP can be used to limit mailings to an hourly quota.
In the event of deliverability problems of any kind, if your host provides support for this (as is the case with LRob), SMTP dispatches are much easier to trace in the logs, which simplifies diagnosis.
In short, using SMTP is bound to improve your deliverability and avoid problems. So use it!
4. Check the deliverability of your form emails
Make sure your messages are well received by testing them with tools such as mail-tester.com.
Mail-Tester lets you measure the quality of your mailings.
Enter the e-mail address that appears when you visit mail-tester.com as the recipient of the form, take the test, then check the score.
A score of 9/10 or higher is recommended to ensure that requests are received correctly. This score should also be achieved for your regular email dispatches. If this is not the case, contact your email host for more information (or come and host at LRob!).
5. Run your tests in private browsing mode
When you test your contact forms, do so in private browsing mode.
If you're logged into your site, certain features, Captcha among them, may be disabled. This could distort your tests and give you the wrong impression of the quality of your form.
6. Use a recipient address linked to your domain
Make sure the receiving address (form recipient) belongs to your domain (vous@votredomaine.fr) and is not redirected to another address.
In the event of a problem with your form, for example if you receive spam via the form and the recipient is a major e-mail provider (Gmail, Orange, Yahoo, etc.), you could be considered a spammer.
Using your own domain as a form recipient means you can protect your e-reputation and reduce the risk of emails being blocked or mishandled by email providers.
7. Avoid confirmation emails
Sending a confirmation email may seem like a good idea, but beware.
If this message contains the text submitted by the user, then your form can be exploited by malicious people to send spam to any e-mail address via your site. Even if the text is not included, this can still generate unsolicited mail to third parties, which is never good.
This can tarnish your domain's reputation and expose you to penalties. It's best to avoid this practice.
8. Use the "Reply-To" field to facilitate your answers
Even though the customer's email address should not go in the "From" field, you can still add it in the "Reply-To" field.
In this way, you can reply directly to the e-mail form: your prospect's e-mail address will automatically be the recipient of your e-mail.
A simple, time-saving solution!
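The addressing rules from tips 1, 6, 7 and 8, as an added example (not code from this article or from LRob): the sender and the only recipient are on the site's own domain, the visitor's address appears only in Reply-To, and line breaks in form fields are rejected so they cannot add headers. The function names are hypothetical; the addresses are the article's examples.

```python
import re
from email.message import EmailMessage

# Addresses follow the page's examples; both mailboxes sit on the site's own domain.
SITE_SENDER = "site@votredomaine.fr"      # From: never the visitor's address
SITE_RECIPIENT = "vous@votredomaine.fr"   # To: the only recipient, no confirmation copy

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def clean_header(value, limit):
    """Reject CR/LF so form input cannot append headers such as Bcc."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in a header field")
    return value.strip()[:limit]


def visitor_address(raw):
    """Accept exactly one bare address: no display name, no address list."""
    addr = clean_header(raw, 254)
    if not ADDRESS_RE.fullmatch(addr):
        raise ValueError("invalid visitor e-mail address")
    return addr


def build_form_mail(name, email, message):
    """Build the single notification the form sends to the site owner."""
    reply_to = visitor_address(email)
    sender_name = clean_header(name, 80)
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = SITE_RECIPIENT
    msg["Reply-To"] = reply_to          # "Reply" in the mail client goes to the visitor
    msg["Subject"] = "Contact form: " + sender_name
    msg.set_content(f"Name: {sender_name}\nE-mail: {reply_to}\n\n{message}\n")
    return msg


def recipients(msg):
    """Every address the message would be delivered to."""
    found = []
    for field in ("To", "Cc", "Bcc"):
        found.extend(str(value) for value in msg.get_all(field, []))
    return found


if __name__ == "__main__":
    # Constructed sample submission.
    print(build_form_mail("John Doe", "john.doe@microsoft.com", "Please call me back."))
```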
9. Save requests on the
Consider saving form requests in the site database.
WordPress plugins like "Contact Form 7 Database Addon" offer this free of charge. You can then check from time to time that you haven't missed a request.
To find out more...
If you have any doubts about the configuration of your forms, or would like a personalized audit, please don't hesitate to contact me.
Advice on email deliverability is also included in LRob support for all customers.
I just have to wish you every success with your new top forms! 💪
On August 19, 2024, a critical vulnerability was identified in the LiteSpeed Cache plugin, used by over 5 million WordPress sites. This flaw allows an unauthenticated attacker to impersonate an administrator, compromising the site's full integrity.
It affects all versions of the LiteSpeed Cache plugin up to version 6.3.0.1. By exploiting a bug in the role simulation function, an attacker can use a hash to impersonate an administrator. Once this hash has been obtained, he can create an administrator account via the WordPress REST API, enabling him to take control of the site.
The hash used is only six characters long, making it vulnerable to brute-force attacks. What's more, if debugging logs can be accessed, this hash can be easily recovered by an attacker.
What to do?
Don't underestimate this vulnerability. Threats of this type can quickly turn into disasters if not dealt with in time.
The solution is simple: update LiteSpeed Cache to version 6.4.1 or higher. This update corrects the flaw.
If you use Wordfence Premium, Care or Response, a firewall rule was deployed on August 20, 2024 to protect you. Users of the free version will receive this protection from September 19, 2024.
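To find which sites on a server still need the update, the following added example (not code from LiteSpeed, Wordfence or LRob) reads the "Version:" line of the plugin's header and flags anything below 6.4.1. The one-directory-per-site layout and the sample tree are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 4, 1)  # the page's advice: update to 6.4.1 or higher
# Standard location of the plugin's main file inside a WordPress install.
PLUGIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")
# "Version:" line of the plugin header comment, e.g. " * Version: 6.3.0.1"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def installed_version(site_root):
    """Plugin version as a tuple of ints, or None if absent or unreadable."""
    main_file = Path(site_root) / PLUGIN_FILE
    if not main_file.is_file():
        return None
    header = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    match = VERSION_RE.search(header)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(version):
    """True when version < 6.4.1; short versions are padded (6.4 -> 6.4.0)."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def scan(hosting_root):
    """Map each site directory to (version string, needs_update) or None."""
    results = {}
    for site in sorted(Path(hosting_root).iterdir()):
        if not site.is_dir():
            continue
        version = installed_version(site)
        if version is None:
            results[site.name] = None
        else:
            results[site.name] = (".".join(map(str, version)), needs_update(version))
    return results


def make_sample_sites(hosting_root):
    """Constructed sample tree: three sites with different plugin states."""
    for name, version in (("shop", "6.3.0.1"), ("blog", "6.4.1"), ("intranet", None)):
        site = Path(hosting_root) / name
        (site / "wp-content" / "plugins").mkdir(parents=True)
        if version:
            target = site / PLUGIN_FILE
            target.parent.mkdir(parents=True)
            target.write_text(
                "<?php\n/**\n * Plugin Name: LiteSpeed Cache\n"
                f" * Version:           {version}\n */\n"
            )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_sites(tmp)
        for site, state in scan(tmp).items():
            print(site, state)
```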
How do you stay protected?
With the WordPress Toolkit on LRob hosting, you would have been automatically alerted by e-mail of the vulnerability and the update could have been automatic 😎. Backup is complete and daily at LRob, with a full 1-year retention! A good way to stay one step ahead of security threats.
When it comes to managing a WordPress site, you need to find a pro, a webmaster who knows what he's doing and who can turn an online journey into a joyful cruise!
But how do you choose the right WordPress webmaster, or even the best one?
Discover the 10 most useful qualities when choosing a top WordPress specialist!
1. WordPress culture
A good WordPress webmaster obviously needs to know WordPress inside and out.
First and foremost in its technical structure, but also in its functional and practical aspects. Indeed, among the thousands of themes and plugins, a good WordPress specialist needs to know the most popular scripts and, above all, their most common problems and solutions. While he'll never be able to know everything, his knowledge will enable him to adapt to new developments.
2. Proactive WordPress security
Security is everything! Yet very few people master it. WordPress is very popular, and you need ultra-strict security to avoid hacking!
A good specialist has a security policy that he can provide.
He puts in place a whole host of measures that are transparent for you. For example, daily security vulnerability checks, automatic updates, hacker bot blocking and robust firewalls to protect your site.
He should also be able to advise you on any action you need to take to stay safe.
As a result, the risk of hacking is virtually nil. But beware: perfect security doesn't exist, it's an illusion, and anyone who claims otherwise is either ignorant or a liar! But don't worry: we can get pretty close to perfection, and that's the direction we should be heading in.
3. Managing WordPress backups
Regular, off-site backups are a must!
Daily backups and 12-month retention guarantee peace of mind. Backups should be stored away from the site and even away from the main host, and managed directly at server level, for greater reliability. In the event of a problem, restoration must be rapid. With your backup thus assured, you'll be able to work on your site yourself, without the fear of breaking it!
4. System administration
A good specialist must master the entire web hosting chain. He or she must have system administration skills.
He therefore understands the chain of operation of the web server that hosts the site, as well as performance issues and the security chain; he also manages emails, DNS and domain names without worry. He'll be at ease in any context, so you can manage your online life seamlessly.
In fact, he literally has to be passionate about IT to have a vast and broad culture of all the tools and knowledge that enable excellent management of your WordPress site.
5. He must host you
If he doesn't host your site, your webmaster will be ineffective and won't be able to guarantee its security.
Your webmaster needs a secure server with WordPress-specific management tools.
In terms of security, we know that the first link in the security chain is the server. If your webmaster uses a silly shared hosting solution with no WordPress-specific security measures, security can't reasonably be guaranteed.
And in terms of efficiency, if your WordPress specialist has all the server access and centralized management of the sites he manages, then he'll be much more efficient at solving your problems. With access to backups, access to the terminal, access to logs (history of actions and errors), this makes for efficient, high-quality work. The most demanding (like me) will say that you can't do a good job without these tools.
6. Responsive, efficient human support
Support must be fast, efficient and human.
He or she must be able to resolve bugs efficiently, thanks to a well-thought-out methodology. Available by phone, e-mail or ticket, your specialist must respond quickly and effectively to your (reasonable) requests. If your site is critical, then an on-call service must be available for emergency interventions outside working hours.
7. Flexibility and customer freedom
You have to stay free.
Adapting to each customer's needs is essential. You need to be free to access all your data and intervene on your site yourself if you feel like it. Conversely, you can choose to delegate everything. Either way, the choice must be yours, and you must be free to leave whenever you like, for whatever reason.
8. Self-taught and adaptable
You're looking for a true genius.
Because WordPress evolves extremely quickly, your specialist needs to be able to constantly acquire new knowledge and adapt at lightning speed. Because it's impossible to know everything, even for an expert, you need to be able to learn quickly.
Thus, the self-taught person who has already learned successfully on his or her own initiative is often better able to maintain an excellent level over time.
9. A good environment
He knows how to direct you to the right person.
Tomorrow, you may have specific web-related needs. For example, you may need to launch a webmarketing campaign, increase your presence on social networks, redesign your graphic identity, or even create a physical event.
The right WordPress specialist can't know all of these topics because he's specialized in WordPress; on the other hand, he should be able to redirect you to trusted providers to fulfill your ambitions.
10. Friendly and outspoken
Aim for a relationship of trust.
Your webmaster is your best ally, and you need him to accompany you on the Internet just as much as he needs you to take pride in his work and earn a living. It's important that the conversation flows smoothly and without filters.
The best part: he has to be able to tell you the hard-to-hear truths when you need them to move in the right direction!
Where can I find my ideal WordPress webmaster?
If you want to check all these boxes, I'm your man.
As the owner of one or more WordPress websites, you should be aware of just how much practical, high-performance, reliable and secure web hosting can revolutionize your approach.
You have no idea how much you can revolutionize your WordPress management.
Revolutionize your management with the WordPress Toolkit
Whether you're an expert or not, managing and maintaining a WordPress site can be tedious and time-consuming. If you have several sites, it becomes even more complex.
Fortunately, with the WordPress Toolkit included with LRob hosting, maintenance becomes child's play! You'll save an incredible amount of time! The WordPress Toolkit totally revolutionizes the approach to WordPress management, making it much more efficient and scalable.
ℹ️ Unlike other tools, the WordPress Toolkit is non-intrusive: there are no plugins to install, and your WordPress installation remains perfectly standard!
✅ Install WordPress in just a few clicks, customize the installation if you like. No more having to create a database by hand.
✅ Check at a glance that all is well, and connect to your sites' back-office with a single click.
✅ Change your administrator password or email in 3 clicks.
✅ In 1 click: enable/disable indexing, debug mode, server execution of wp-cron!
✅ Automatically update your sites, themes and plugins and check for security vulnerabilities at a glance (and be alerted by email when a new vulnerability is detected).
🔒 Apply a dozen security enhancements in just a few clicks.
🔨 Has your site crashed after installing a plugin? Deactivate this plugin in 2 clicks with the WP Toolkit!
🔨 Clone your site simply with the wizard.
ℹ️ If you have several sites, then they are isolated from the system, but you can display them all on the same screen, so you can manage all your installations efficiently!
This makes complex, time-consuming tasks extremely simple. It's a revolution that will enable you to manage a large number of sites very easily.
Maximum performance for your WordPress sites
The speed of your site is critical to user experience and SEO. It also determines whether you'll be wasting your time in a slow WordPress back-office.
As a site manager, you certainly have a role to play in choosing well-optimized plugins. But that's not all: performance measurements before and after the switch to LRob show an improvement in performance by a factor of 2 to 15 compared with traditional hosting providers!
Here are the gains measured before (left) and after (right) migration to LRob.
How is this possible? Are the classic web hosts pulling our leg?
Conventional web hosts often sell you old, saturated server "clusters", which add latency at every stage of processing your site's pages and requests. Also, there's often no easy-to-use, high-performance caching solution directly on the server.
The LRob secret: simple, high-performance, well-managed servers!
A simple, state-of-the-art infrastructure: physical dedicated servers, perfectly oversized so that everyone benefits from maximum performance whenever they need it. With local NVMe SSDs for ultra-fast access to your files and MySQL databases, state-of-the-art CPUs for fast processing and a huge performance margin, with far more RAM than you need.
Unique, intelligent management: exclusive anti-robot protection to avoid unnecessary server saturation, while protecting your sites. And optimized configuration of every web server software component.
A Redis cache in server RAM: no more thousands of cache files stored on your site. Redis lets you store your site cache directly in server RAM!
Native security for your WordPress sites
Your site's security is paramount. Yet securing a WordPress site is often a headache that nobody really understands. Security plugins aren't very effective, they waste your time and hinder your site's performance.
A website hack is always a tragedy. That's why you need to do everything you can to protect your site. And that starts with a secure, native configuration of the server hosting your sites.
A specialized WordPress host drastically improves the security of your site over any plugin, thanks to rigorous server configuration.
Here's everything provided "out of the box" by specialized WordPress host LRob:
Application firewall customizable to block hacking attempts
Automatic blocking of hacker bots to prevent their queries from reaching your sites
WordPress-specific security enhancements in just a few clicks with the WordPress Toolkit.
Security alerts: if a vulnerability affecting your site is made public, you'll be alerted directly by e-mail, so you can take effective action!
Wildcard Let's Encrypt SSL certificates included to secure your site communications and related services such as email.
Daily off-site backup with one-year retention period. Made at the highest level, i.e. directly by the server. More reliable than a backup made by your site, this backup can withstand the worst disasters! What's more, it's never sent to a GAFAM, and remains in LRob's private infrastructure, ensuring the confidentiality of your data. You can also configure your own backups to the FTP of your choice.
Simplified management with Plesk
Managing your WordPress hosting has never been easier than with Plesk.
This intuitive control panel lets you manage all aspects of your hosting with just a few clicks in an extremely well-presented panel! Good old cPanel is a poor substitute for Plesk's excellent presentation and practicality!
Whether you want to create email addresses, manage FTP access, configure your MySQL databases or modify your DNS zone, everything is at your fingertips. Including the WordPress Toolkit, which we'll talk about next.
You can even access web logs to quickly diagnose and resolve problems on your site.
Passionate WordPress support and assistance
By choosing a specialized WordPress hosting provider, you also benefit from expert and passionate support that will do everything to help you, without reading a dumb script or blaming the customer.
Whether it's configuration advice, access problems or technical questions, LRob is always happy to help, sharing its knowledge and experience to help you achieve your goals.
This quality assistance is a complete game-changer for your day-to-day needs.
By the way: each of our hosted sites is monitored 24/7 all year round! In other words, if your site crashes following an update, we let you know as soon as possible, before you even notice! And we'll help you understand the problem and get it back up and running!
Outstanding options for resellers
Do you have several sites? Save even more time (and money)!
With the Plesk reseller panel, centralize and simplify your management, and become a hosting provider!
The more sites you have, the more economical the solution becomes. For example, at 2024 LRob rates, if you have 8 sites, hosting costs €47.5/year per site. If you have 128 sites, it's €15.5/year per site.
Become a single point of contact for your customers, create access for them when they need it, and offer a more reliable and efficient service.
You save time, you get a better margin on hosting... And you offer a better service! With expert support to back you up every day.
Treat yourself to peace of mind with dedicated WordPress hosting
Opting for specialized WordPress hosting means choosing serenity and performance for your site. You benefit from a secure, easy-to-manage service optimized for WordPress, and the best expert support when you need it most.
LRob offers performance beyond what you could dream of, even on a dedicated NASA server, with perfect management included, at an ultra-reasonable cost!
So don't wait any longer, put your trust in an expert WordPress host like LRob and give yourself the peace of mind you deserve.
WordPress is without doubt the most widely used CMS in the world. Its popularity makes it a prime target for hackers. Owning a WordPress site therefore requires constant vigilance when it comes to security. But why is it so important to have a WordPress site security audit? What are the risks involved, and why is it particularly important for companies whose website is central to their business?
Security risks: an unavoidable reality
Cyberspace is riddled with potential dangers. For a WordPress site, threats can materialize in a variety of ways:
Fraudulent redirections: your site can be hijacked to redirect visitors to malicious sites.
Blacklisting: your site may be marked as dangerous, resulting in a loss of trust and traffic.
Spam and data theft: hackers can use your site to send spam on your behalf, or steal the e-mail addresses of your users and customers.
These situations can cause irreparable damage to your business, damaging your reputation and directly impacting your sales. Imagine the cost and loss of credibility if your customers were to receive spam on your behalf, or if their personal data were compromised.
The importance of auditing for companies
For businesses, especially those whose website plays an indispensable role, security must be a top priority. If your site generates revenue, collects sensitive data, or serves as the primary showcase for your products and services, a WordPress security audit becomes indispensable. A hacked site can lead to significant financial losses, legal disputes and brand image damage.
Beyond the CMS: The importance of server auditing
It's important to understand that securing the WordPress CMS alone isn't enough. A website relies on a complex infrastructure where every link in the chain counts. The server hosting your site plays a key role in its overall security.
The final security level is equal to that of the weakest link in the chain.
A comprehensive security audit should therefore include server security analysis:
Evaluation of server configurations
Access control
Checking open ports and active services
Software version and security vulnerability assessment
Assessment and recommendations for maintenance policies
Protect your site, protect your business
A WordPress security audit is much more than a simple examination of the CMS. It's a comprehensive assessment of the entire infrastructure that supports your website. By taking proactive steps to secure your site, you protect not only your data, but also the reputation and viability of your business.
Don't let hackers get the upper hand. Invest in a WordPress security audit and ensure that your site remains a valuable asset for your business, not a vulnerability exploited by cybercriminals.
When a product stands out from the crowd to the point where it blows away the competition, like WordPress, it's often due to a marketing strike force, and sometimes by luck. But WordPress is far from having stolen its place, and here's why.
Open-source
The open-source nature of WordPress has worked in its favor. The project has won over the community, and because the code is open to all, one of the largest developer communities has formed, contributing to its continuous improvement. This not only enables regular updates and feature enhancements, but also creates a rich ecosystem of free and paid themes and plugins. As a result, users can customize their sites ad infinitum, meeting almost any specific need within their budget. So you can build exceptional sites without buying a single paid module, and have confidence in the WordPress code, which is reviewed by a large community.
Easy to use
WordPress offers an intuitive interface that enables even beginners to create and manage websites without in-depth technical knowledge. While secure maintenance and advanced use require professional intervention, basic WordPress management remains very accessible to all. This opens the door to a wide range of users, from individual bloggers to small businesses and large corporations.
An extraordinary community
The worldwide WordPress community is a major asset. It offers an endless source of information and support to users through forums, groups, educational blogs, YouTube channels and meetups. This dynamic community fosters the exchange of knowledge and experience, making learning and problem-solving more accessible to all.
Robust and versatile
WordPress' robustness and versatility make it suitable for a wide variety of web projects. From personal blogs to complex e-commerce sites, WordPress can handle a variety of site types, making it attractive to a broad spectrum of users.
WordPress' dominance of the web market is no accident. It's the result of a combination of ease of use, openness, flexibility, scalability and exceptional community support. WordPress also sets itself apart by letting you own your website, which can then be hosted by any web host.
Together, these elements have created a platform that not only meets the current needs of web users, but is constantly evolving to anticipate and integrate future trends in the digital world.
Looking for secure hosting with expert WordPress support? It's this way!
Many wonder how WordPress can be vulnerable to attack despite its popularity and following. Others are completely unaware of the risk. Analysis.
What is a vulnerability?
WordPress is programmed using the PHP language. PHP code makes it possible to create "dynamic" sites. In other words, content is generated on each page by a PHP program. A dynamic site also enables interaction with visitors. In technical terms, it enables requests to be received and processed.
This strength is also a weakness in that it can leave room for unwanted interactions, enabling a website to be hacked. This is known as a "security flaw" or "vulnerability".
PHP vulnerabilities
Vulnerabilities in PHP code can have various causes. Here are a few common examples.
Unvalidated input: When PHP code accepts user data, such as a form or query, without proper validation, it can be vulnerable to malicious code injection attacks.
Excessive permissions: Assigning excessive permissions to files and users can enable unauthorized manipulation attacks.
Poor error handling: revealing sensitive information in error messages can give attackers clues to further exploit the system.
In addition, there may be vulnerabilities in PHP itself: the PHP interpreter sometimes contains security holes if not kept up to date.
Other vulnerabilities not directly linked to PHP, such as XSS vulnerabilities, are also common. These allow malicious code to be executed.
Let's see how this works in practice for WordPress.
WordPress website vulnerabilities
Security vulnerabilities in WordPress
WordPress is a robust content management system, but it includes nearly a million lines of PHP code (924,096 lines currently). WordPress also means 59,772 plugins and 11,378 themes available on wordpress.org: millions more lines of code available for installation on your site. This wealth of code creates fertile ground for security flaws. The more you multiply the code, the more you multiply the risk. So, every day, new vulnerabilities are discovered. They can be found in the core of WordPress, but also in installed themes and plugins.
Detecting, correcting and revealing vulnerabilities
If a party detects a flaw (an individual developer, a "white hat", a specialized security organization), it notifies the developers of the script containing the flaw.
If the developers are reactive, they correct the flaw and publish the patch.
Then, typically 30 to 90 days after its discovery, the security flaw is publicly disclosed. On the one hand, to give credit for the discovery to the whistle-blower, and on the other, to warn script users of the risk involved in failing to update.
Current flaw not corrected
WordPress currently has an uncorrected flaw, present since version 6.1.1 (i.e. for several months). It allows a website to be used to send requests to other targets. It can be mitigated by blocking access to xmlrpc.php and disabling WordPress pingbacks (which was done on all the sites I manage even before this flaw was detected).
When is WordPress vulnerable and what can you do about it?
Vulnerabilities revealed
When a vulnerability is revealed, all installations with the vulnerable script are inherently affected. If this is the case, hackers are likely to exploit the flaw.
There are two types of vulnerabilities:
Your site contains a script (WordPress, plugin, theme) with a known vulnerability that has not been corrected by the developers. Development of this script may have been abandoned. In this case, you should disable the script or replace it with a non-vulnerable script that is better monitored by its developers.
Your site is out of date. You haven't corrected the security flaw. You need to update your site as regularly as possible, and make sure you don't have any obsolete scripts (which could potentially put you in the same situation down the line).
Zero-day vulnerabilities
Sometimes, hackers will find a vulnerability before it is revealed and then corrected. They will exploit it directly. This is known as a zero-day vulnerability.
The more popular a script is, the more likely it is that hackers will look for zero-day vulnerabilities in it. It's rare, but it happens. Here's another reason to design simple sites: the more popular plugins you multiply, the more vulnerable your WordPress site becomes. Not just to zero-day vulnerabilities, but to vulnerabilities in general.
To protect against 0-day vulnerabilities, the server hosting your site needs to be secure. This can be achieved by blocking suspicious requests from hackers using an application firewall, then blocking attacking IPs with fail2ban, for example. This is not generally the case with shared hosting packages, with the exception of HaiSoft, with whom I've pushed these security measures, which has greatly reduced the number of hacks. But this can lead to false positives: requests blocked even though they are legitimate, especially with WordPress builders (Elementor, Divi, WP-Bakery and others). The technical support required is then higher, which is why most service providers don't implement this type of security. Security is always more complex than no security.
Despite all the security measures in place, it's important to bear in mind that some hacker requests can slip through the net. There is no such thing as zero risk, and anyone who claims otherwise is either ignorant or a liar.
So, since perfect security doesn't exist, assume that your site could be hacked tomorrow. If this happens, what do you do? You'd better have an up-to-date, easily restorable backup that's not stored on your site.
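The "block attacking IPs" step described above, as an added example (an illustration of the maxretry/findtime idea used by fail2ban, not fail2ban's own code or LRob's configuration): it counts POST requests to xmlrpc.php and wp-login.php per IP inside a time window. The choice of watched endpoints, the thresholds and the log lines are constructed assumptions; admin-ajax.php is left out on purpose because editors post to it constantly, which is where false positives come from.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip - - [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WATCHED = ("/xmlrpc.php", "/wp-login.php")   # assumption: endpoints worth counting
MAXRETRY = 5                                  # hits allowed inside the window
FINDTIME = timedelta(minutes=10)              # length of the sliding window


def parse(line):
    """Return (ip, timestamp, method, path without query) or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return match["ip"], ts, match["method"], match["path"].split("?", 1)[0]


def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """IPs that sent at least maxretry watched POSTs within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        record = parse(line)
        if record is None:
            continue                      # unparsable line: ignore, never ban on it
        ip, ts, method, path = record
        if method != "POST" or path not in WATCHED:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def sample_log():
    """Constructed access-log lines (documentation IP ranges)."""
    base = datetime(2024, 8, 20, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "constructed-sample"'

    lines = [line("203.0.113.7", 5 * i, "POST", "/xmlrpc.php") for i in range(6)]
    # Five logins spread over two hours: a person, not a bot.
    lines += [line("198.51.100.20", 1800 * i, "POST", "/wp-login.php") for i in range(5)]
    # A page-builder session: many POSTs, but to an endpoint that is not counted.
    lines += [line("192.0.2.10", 2 * i, "POST", "/wp-admin/admin-ajax.php") for i in range(20)]
    lines.append("line that does not parse")
    return lines


if __name__ == "__main__":
    print(ips_to_ban(sample_log()))
```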
Conclusion
Hacking doesn't just happen to other people. On a regular basis, owners of WordPress sites come to me with a hacked website to repair.
Every computer system is potentially vulnerable, including your WordPress site. The challenge is to minimize the risks of hacking by applying all preventive measures. This starts with an up-to-date, secure server capable of blocking attacks. It also means regularly monitoring your WordPress site, updating it as often as possible, constantly checking for known security vulnerabilities, and taking swift action in the event of a problem. In all cases, an automated, external, independent backup of your site must be carried out on a daily basis. This is precisely the set of services you'll find in my WordPress Webmastering.
If your site is important to your business, don't wait to be hacked. Be proactive and have your site checked by a WordPress security audit or go directly to my Webmastering.
It's sometimes hard to tell the difference between a malfunction and a hack. But there are signs that your site may have been hacked. Today, let's take a look at the 8 most common signs to spot a hack on your WordPress site.
❌ Warning: if in doubt, it's best not to connect to the site administration. Indeed, if your site is hacked, this may allow the hacker to recover your password. What's more, the hacker may trigger certain actions automatically when you act on the hacked site, which would make the situation worse.
✅ If you think your site has been hacked, you need to suspend your hosting until your site's files and database have been dealt with directly. Repairing a WordPress site requires following a scrupulous protocol like the one I offer in my service for repairing and securing hacked WordPress sites. If you have any doubts, contact me for a free assessment and immediate security measures.
1. Unauthorized advertising and redirections
Unwanted ads or redirects to third-party sites appear on your site.
Cause and explanation
The hacker was able to penetrate the site's files and/or database to insert these ads and redirects. His aim is to steal your traffic to generate revenue.
2. Unable to log in as administrator
Your administrator password no longer works or seems to change unexpectedly after each reset.
Cause and explanation
The hacker has introduced a backdoor (code hidden in your site) enabling him to change all your passwords at will.
3. You receive notifications of rejected e-mails
You receive notifications of bounced e-mails (also known as "mailer-daemons") that you have not sent yourself.
Cause and explanation
The hacker is using your site to send emails, or may have compromised your email password. In some cases, they are simply using a poorly configured and insecure contact form as a platform to send emails to the recipients of their choice, which also needs to be addressed to avoid being blacklisted.
4. Google Safe Browsing or antivirus security alert
When you visit your site, your browser displays a "Dangerous or malicious site" alert, either via Google Safe Browsing or via your antivirus software. The blocked URL displayed belongs to your site or to a third-party site.
Cause and explanation
Your site contains URLs serving phishing or malware, or redirects to malicious sites. Google maintains a database of these malicious sites, which all web browsers use to protect visitors.
5. Unwanted content and foreign languages
You see additional or modified articles or pages on your site, often in a foreign language and often with suspicious links to other sites.
Cause and explanation
The hacker controls your site. Either by adding an administrator account, or by using a backdoor to inject code into the database. This allows him to insert any content he wishes.
Not to be confused with "spam" comments. This concern must be addressed, but does not necessarily mean that your site has been compromised.
6. Unknown users
You see one or more unknown administrator users in your WordPress user list. Sometimes you notice that your existing admin account details have changed. NB: As you don't want to log in to the site administration, you can also see this in the database table wp_users (via phpMyAdmin for example).
Cause and explanation
The hacker controls your site. Either via an administrator account added or compromised, or (and this is the most common case) via a backdoor enabling him to inject code into the database. In particular, this enables him to control the site's users.
This is not to be confused with unwanted users registering on your site. This concern must be addressed, but does not necessarily mean that your site has been compromised.
7. Phishing pages
You may notice that some URLs or files (often .html) resemble pages from well-known sites, either through a statistics tool or when exploring your site's files.
Cause and explanation
This is called phishing. The hacker has taken control of your site and can write files of his choice into it, or write to the database. Phishing allows the hacker to lure visitors to your site whom he has previously sent bogus e-mails, in order to use it as a gateway to his victims' personal information.
8. Intruder files
To check this, browse your site files via FTP or your hosting panel. You may notice an intruder file or folder among your WordPress files. Sometimes these are ".zip" files, and sometimes they are in subfolders. If in doubt, compare with the archive on wordpress.org.
Cause and explanation
The hacker has been able to send unwanted files to your site and now has complete control. He can read existing files and add new ones. He will usually have taken care to hide "backdoor" files throughout the files in an attempt to retain access to the site even if you clean up the content.
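The comparison with the wordpress.org archive can be automated on a downloaded copy of the site. The following is an added example, not code from the original article; it assumes the reference folder holds the extracted archive of the same WordPress version, and the function and variable names are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Paths that legitimately differ from the wordpress.org archive (assumption:
# standard layout). Themes, plugins and uploads are not covered by this check.
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}

def sha256_of(path):
    """Hash a file in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_tree(root):
    """Map relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_with_reference(site_dir, reference_dir):
    """Report core files absent from the clean archive or differing from it."""
    site, ref = index_tree(site_dir), index_tree(reference_dir)
    report = {"unknown": [], "modified": []}
    for rel, digest in sorted(site.items()):
        if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
            continue
        if rel not in ref:
            report["unknown"].append(rel)      # intruder file candidate
        elif ref[rel] != digest:
            report["modified"].append(rel)     # core file altered
    return report

if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: python compare.py <site copy> <extracted wordpress.org archive>
    for kind, paths in compare_with_reference(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(kind, rel)
```

wp-content is skipped because themes, plugins and uploads are not part of the core comparison; check those against their own original archives.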
Further information
Ideally, you should host your site on a secure server, as I propose in my hosting and webmastering packages. In this way, hackers are automatically blocked, drastically reducing any risk of hacking. Also, malicious files are regularly scanned at server level, which is the most reliable way of proceeding.
If there are no special security measures in place on the server hosting your site, you can start by using the Wordfence plugin which, while cumbersome and slowing down your site, will at least scan your site for malware and protect you from some basic attacks.
Let's put ourselves in the shoes of hackers attacking WordPress sites. Let's understand how they think and operate, to better protect ourselves.
The hackers' goal
Hackers are generally motivated by money. Although their attacks are often stupid and nasty, you shouldn't underestimate them, because some of them are clever.
To generate revenue, hackers will do anything. They divert visitors from hacked sites via sponsored links or redirections, or add unwanted advertising from which they reap the rewards. They also sometimes add links to other infected sites in an attempt to get them listed on Google.
Often without limits, they even host phishing on your site, in other words copies of institutional sites. They send their victims fake e-mails pointing to these copies, and thus retrieve the victims' personal login details for the real accounts. In some cases, these may be bank or health accounts.
In targeted hacking, the motivation is ideological or political.
More marginally, we can also observe hacking competitions, sometimes taking place at events such as "hackathons". Sometimes, on the other hand, the site is completely defaced. However, I haven't observed this type of hack for a few years, so it seems that this practice is being lost for the time being.
Why attack WordPress sites?
WordPress is widely used, powering 43% of websites worldwide. This makes it a target of choice for hackers. Attacking WordPress allows them to maximize the results of their attacks. It's exactly the same principle as with Windows, which is the most popular operating system and therefore the most attacked.
Also, WordPress is very rich in terms of code and functionality, as well as documentation. So much so that numerous vulnerabilities are regularly made public. It is important to note that vulnerabilities also, and above all, concern numerous WordPress plugins and themes.
Hackers' modus operandi
It is relatively easy to identify WordPress sites in bulk on the Internet. Hackers therefore compile lists of WordPress sites.
They will then cross-reference these lists with the known security vulnerabilities in WordPress.
They then have to write, or find in hacker communities, "exploits", i.e. requests or code used to exploit these vulnerabilities.
Once they have found their "exploits", they program robots which automatically attempt to use them on all these sites. These bots are often set up on previously infected servers and personal computers. Together, these bots are known as a "botnet".
To attack more effectively, some more skilled hackers will first list the plugins and themes installed on each site and their versions. Knowing the version of the scripts, anyone can find out the security holes in each version. In fact, this is one of the actions carried out during a WordPress security audit. Hackers use this method to find and exploit vulnerabilities in each site much more effectively.
Some even more gifted hackers plan their attacks in advance, sometimes targeting numerous sites at a particular host, in an attempt to saturate user support and keep their hack going as long as possible.
This is how we see waves of hacking. Note that some waves of hacking also occur because a new flaw has been discovered by hackers before it has been corrected by developers. This is known as a "zero-day vulnerability".
Targeted attacks
Your site doesn't have to be specifically targeted to be hacked. Because, as we've seen, hackers attack thousands of WordPress sites a day in an automated fashion. This means that even very small sites with just a few dozen visitors a day, or the sites of small associations or local authorities, can be hacked.
Nevertheless, if your site has a security flaw of any kind, a targeted attack, operated and directed directly by a hacker, will very quickly result in the complete hacking of your site.
Targeted attacks are relatively rare (less than 3% of hack cases in my experience). The targets of choice in this case are mainly political, media or ideological. In other words, targeted attacks tend to be aimed at institutional sites or sites with ideologically charged content. If this is your case, don't wait until it's too late and treat yourself to a WordPress security audit.
Please note that this service is included in my Webmastering Critical package. WordPress scripts are updated on a daily basis, I receive an e-mail in the event of a vulnerability, and I monitor obsolete scripts. I also manage to detect the activity of hacker bots on my hosts and automatically block hundreds of them every day. Manual attacks are also blocked; for example, during an audit of a site I host, a major security group asked me to unblock them so they could continue their tests, as all their IPs had been automatically blocked by my security systems.
Page builders for WordPress have been all the rage for years. These are visual editors designed to facilitate site layout.
Elementor, Divi, WPBakery: Web agencies, webmasters, everyone's using their own builder. WordPress revolution, or monumental mistake, what does the "WordPress expert" have to say?
The promise of WordPress builders
Builders are popular because they promise to create rich, complex pages without touching a single line of code, thanks to visual editors. And they generally deliver on this promise.
But then, Jamy, what evidence is there to question the wisdom of using builders in this perfect world of ours?
WordPress "Builders" imprison you
Builders are generally available on an annual subscription basis. Having paid for your builder, you have no intention of backing out and will do everything in your power to make it work.
But one day, fate will strike: you'll have a really blocking problem with your builder and you'll want to go back to native (without a builder). Or choose another builder.
And then the drama begins.
No standards, no interoperability between different builders. And above all, no display if the plugin is deactivated.
Without its builder, your site is out of order and you'll have to completely rebuild it.
So, have you really saved time and money by using a builder to shape your site?
Builders go against the WordPress grain
Builders modify the native operation of the WordPress CMS.
How builders work
A builder will generate hundreds of tags which must be interpreted and dynamically converted into HTML code (the final display language sent to visitors) by the server before being sent to the visitor.
Some builders will also generate scripts (js) and style sheets (css) on the fly, depending on the page.
Native WordPress operation
Previously, to change the appearance of WordPress from a given theme, you either had to have chosen a highly customizable theme, or get your hands into the site's code. In both cases, page content remained native, so a change of theme didn't break the whole site.
From now on, WordPress pushes Gutenberg, its block system. It allows you to edit all the content of your site natively, without any modification to WordPress: pages, articles, but also the global display thanks to "full site editing". Like a builder in fact...? Yes, except that the code generated is HTML and therefore has no cost in terms of performance or loading time.
The impact on performance... And ecology.
Extreme slowness
In my experience as a web-hosting outsourcer, I've been approached by numerous WordPress customers complaining about the slowness of their sites. The servers weren't saturated, but their sites had one thing in common: they used WordPress builders.
During tests with and without the builder, I observed a slowdown by a factor of 10 to 40 with the builder activated. In other words, a site that takes 0.3s to load natively takes more than 3s, or even more than 10s in the most extreme cases.
But the slowdown also affects visitors. The many heavy scripts (js) and style sheets (css) generated by builders take time to download, and then have to be interpreted. In the process, they take even longer.
Time is energy
Load time means computing resources, and therefore energy, consumed by the server and by your access device (smartphone, PC). The more CPUs are occupied, the more energy is wasted.
While the situation is improving with builders' optimization patches, or caching plugins (which avoid certain server consumption), performance is still generally not up to scratch compared to a native site.
Impact on site success
As we all know, visitor retention on a site depends on its speed. And there's good reason to believe that search engines favor the best-optimized sites.
Undeniable ecological impact
WordPress powers over 43% of websites worldwide. Many of these sites include builders, generating an overconsumption of server resources on the order of x10 (or even x40). Builders therefore have a considerable carbon footprint that it would be interesting to measure objectively. I wouldn't be surprised if this increased Internet energy consumption by 10% or more.
Reliability and safety
A large proportion of the failures observed on sites during updates are due to the builder. You'd better have a good backup. All this is additional maintenance, lost for the webmaster and/or the customer.
What's more, as builders are popular, security flaws are regularly discovered. So if you update, you risk breaking the site, and if you don't update, you risk a hack. What's your choice?
Builders galore
Some people have a systematic builder reflex. Even on an extremely simple site. But is it really necessary?
In many cases, using a builder is like killing a fly with a flamethrower.
The #1 rule of optimization: use only what you need. A little minimalism never hurt anyone.
Do we need to think for 2,000 years to shift an image by one or two pixels? It only pleases web designers. Users and site owners couldn't care less. In the real world, it's not the content that counts for a site's success.
What you need is a site that's easy to maintain, reliable, secure and quick for visitors to view, and above all, that contains the useful information your visitors are looking for, for good SEO (on Google and other search engines), and with the lowest possible carbon footprint.
Alternatives
Many native themes, often free of charge, are capable of offering a clear and pleasant visual experience, and already allow an excellent level of customization.
What's more, with Gutenberg, WordPress now offers "Full Site Editing". With compatible themes, you can arrange each part of the site as you wish.
In the near future, this should mark the beginning of the end for builders.
Personally, I've always refused to go against WordPress' native way of working, and I adopted Gutenberg as soon as it was released, despite the bugs and limitations.