Blog

10 Things to Know about WordPress Content Organization

WordPress is an awesome tool right out of the box, but for those of us that have been building sites on WP for years, there are some things that we always seem to change, update, or modify (because we what works). Even though WordPress is now a fully qualified CMS (content management system), it’s roots go back to when it was popularized because of it’s blogging capabilities. Because of that, some aspects of content organization still lean torwards those roots – leaving you to figure out how to make things work. Hopefully, these 10 points can help you better understand some options you might not have known about before.

This post is part of the:
100 Things you Need to Know about WordPress Series given by Anthony Montalbano and myself at WordPress Ann Arbor.

1. Update “previous” and “next” post links to standard pagination

At the bottom of most WordPress archive pages (with a list of posts), at the bottom there is a link on the left and/or right with “next” and “previous” post links. We have found over the course of time, that only people that know WordPress know what these links really are. In addition, most users find it really annoying that if they want to go 5 pages back into your archives, that they have to click “previous” 5 different times on 5 different pages.

Installing a plugin such as Lester Chan’s WP-PageNavi will replace those nasty links with Google-like pagination (1,2,3,>>, etc.). Everyone uses Google, everybody knows what those numbers and links mean. Another good plugin to try for this is WP Page Numbers.

Also, to use these plugins read the installation info first, you may be required to actually remove the PHP and HTML code from your theme pages you want pagination on – and replace it with the PHP code snippet for the plugin you use. Also, many themes are already customized to use either of these pugins.

2. Add Breadcrumbs to pages, posts, categories, and tags

Breadcrumbs are the “trail of links” at the top of most web pages telling you how to get back from where you came from (or how to get to main sections in you entered on that page). For instance, if you went to a home page and then clicked on “Widgets” and then the “Red Widgets” page, the breadcrumb of links would say “Home -> Widgets -> Red Widgets”, and you could click to “find your way back” (just like the fairy tale!).

Breadcrumbs were standard navigation features back in the days of static HTML, and now that so many people are using content management systems with themes (like WordPress), some standard usability features (like breadcrumbs) have been left out. Funny – you still see them on most large ecommerce, news,and publishing web sites. Breadcrumbs are also good for SEO, any time that you link to other internal website pages, you build up your internal backlinks.

You might like to try any of the following WordPress breadcrumb plugins:

Breadcrumb NavXT
Yoast Breadcrumbs
Breadcrumb Trail

3. Pages are meant to be “static” (infrequently change), Posts are frequently added

So many people seem to have a mis-conception of that WordPress posts and pages actually are – I thought that it would be good to explain it here. In WordPress “posts” are what’s referred to as “blog posts”, or what appears on the home page (be default), or any archive page (category, tag, date based archives, search results, etc.). Most web sites use posts for frequently changing content.

Pages in WordPress (often referred to as ‘paged pages’ or ‘static pages’) would be your “About” or “Contact” pages – which generally have information that infrequently changes.

4. Pages can have heirarchy (children), Posts cannot

Again, keeping with the last point, it’s helpful to know that pages can have a heirarchy, and posts cannot. You could make a WordPress page called “Services” and then create a new page called “Rentals” and assign “Services” as the parent. You could then create a new page called “Cottages” and another called “Flats” and assign “Rentals” as the parent. Now you have a heirarchy of “Services -> Rentals -> Cottages / Flats”. You can’t do this with posts.

5. Posts can be assigned to tags and categories (and sub-categories), Pages cannot

Posts on the other hand, can be assigned and sorted into both “categories” and “tags”. Categories can have a parent/child relationship, but tags cannot. When you write a post you can assign (or create) new categories, and tags. Generally you should try to use less than 12 categories for all posts you will ever create. Categories are usually high level descriptors. The use of tags, however, is limitless – because they are low-level descriptors.

There are plugins that allow you to assign tags and categories to WP pages, just be aware that if the plugins becomes non-supported in the future (or breaks) – you lose all your tags and categories.

6. Posts can be grouped and sorted (custom post types like blog / products / services)

With WordPress 3.0 we saw the introduction of the ability to build a taxonomy (an ordered list of things) with posts with “custom post types”. Custom posts types are the ability to groups posts in “types”, so you could have blog posts, product posts, services posts, etc. Then you can even assign custom attributes to these posts (far beyond simple tags and categories) for nearly any application.

This is why WordPress is NOW a fully fledged CMS (content management system), because you could build a recipe site, move review site, shopping cart or e-commerce site, or corporate site with ease. Read more at the Official WordPress Post Types Page.

Justin Tadlock wrote one of the first Custom Post Types tutorials back in 2010.

Pro blog design has 2 great custom post type tutorials:
Events List with Custom Post Types and Taxonomies
Make a Template for Taxonomies and Post Type Archives

Also, if wrangling code really isn’t your thing, you can create Custom Post Types using the Custom Post Type UI plugin

7. Organization plugins exist (PageMash, Category Manager, Custom Post Type UI)

There are some great plugins that can help you organize WordPress content. One is the Custom Post Type UI just mentioned.

Pagemash: helps manage pages

CMS Tree Page View: adds a tree of all your pages or customm posts (with drag and drop functionality)

Category Manager: gives you extensive category management capabilities

Table of Contents Creator: does just what it says

Kalin’s PDF Creation Station: Allows you to create PDF docs from any combination of pages and posts

8. Provide relevant content options for visitors (related posts, tags, categories)

When you are writing content for your visitors in your WordPress web site, you want to give them as many options as possible once they read the post to keep them on your web site. One way is by automatically providing “related posts”, and of course there are already great plugins for that:

Effecient Related Posts
Better Related Posts
Related Posts Picker
All Related Posts
Related Posts by Category

Using the previously mentioned tips for learning to edit and modify your own WordPress theme, you can also add/remove/edit the placement of both tags and categories assigned to posts and in post meta by knowing what the functions are that display them in your WP theme PHP code.

the_category function
the_tags function

9. Redundant navigation is good (header / sidebar / footer)

This point is more of a principle than code or a plugin. Many website owners (WordPress or not) put their navigation in just one place. Header, sidebar(s), or footer. Usability studies show that even if the “heatmap” (where people click most) is the top left of every page – they will click on things “where they are at”. The last thing you want to do is clutter your pages up with so much garbage that it’s literally “too busy”. But having some redundant navigation in your header and footer, and sidebar – is a good idea. Pages, recent posts, recent comments, categories, tags, etc.

10. You can schedule, update, and re-publish posts

Even though this feature has been around in WordPress for some time, I still run accross people that don’t know about it (or how it works). Every WordPress post (and page) has a “publish” box in the top right sidebar. Where it says “publish” you can click “edit” beside immediately and get a form where you can change the day, month, and year. So, you could write 3 posts at once, and them schedule them throughout the week.

Another feature this provides is the ability to go back and take old posts and re-publish them by simply (adding content and) updating the date to today! We often “bring things back” from the archive using exactly this method.

CHH2ZXEMXEM5

10 Things to Know about WordPress Theme Modification

I think any WordPress website owner that’s ‘tech curious’ should start doing their own theme modifications. You don’t have to be a PHP coder, you just need to know some basic HTML and have a little problem solving common sense.

Download a copy of your WordPress theme to your local desktop, and start opening the files and figuring out how everything works, using the tips and guidelines below – in addition to the WordPress Codex.

This post is part of the:
100 Things you Need to Know about WordPress Series given by Anthony Montalbano and myself at WordPress Ann Arbor.

1. Widgets enable drag and drop functionality for content or plugins (usually sidebar / footer)

This is a bit basic, but I still find that a lot of people don’t exactly know what widgets are – or how they can use them. Your WordPress theme has to support widgets, but if you go to “Appearance->Widgets” in your WP dashboard admin, you’ll see that areas that you can drag and drop widgets to. WordPress natively has some core widgets available (like pages, categories, tags, recent posts), and a lot of plugins have their own widgets as well.

2. A WordPress theme can have unlimited “widgetized areas”

The concept of widgets is simple, and most people are used to seeing widgets in the sidebar(s) or footer. What you may not know is “widgetized areas” are added by the theme developer, and you can (literally) add a widgitized area “anywhere you want”, and you can have as many as you want. The WordPress Codex page for Widgetizing Themes is a great reference.

Let’s say (as an example) that your footer wasn’t widgitized, and you wanted to be able to drag and drop widgets to it.

You would edit the ‘functions.php’ file of your theme to contain this code to register your new footer widget (of course the before and after values may vary depending on your theme):

# Footer Widget
if ( function_exists('register_sidebar') )
    register_sidebar(array(
		'name' => 'Footer Widget',
        'before_title' => '
<h2>',
        'after_title' =&gt; '</h2>
',
		'before_widget' =&gt; '
<div>',
        'after_widget' =&gt; '</div>
',
    ));

Then you would add this code to your ‘footer.php’ file to find and show the appropriate widget(s) when the footer is called for a page:

3. Widgetized areas can be “conditional” (for specific conditions or pages)

Sometimes you may want widget(s) to be displayed only under certain conditions. Like a widget just for the homepage, or just for specific posts or category or tag pages. This when you use WordPress Conditional Tags.

In this case you would use the same code in your ‘functions.php’ file to register your widgetized area, but then you would add the conditional statement(s) code to the area where you are calling the widgetized area in theme code. Using the previous example, if it was the footer and you only wanted to display that on the footer widget on the homepage, this would be the code:

  } else {
  }

4. WordPress 3.0+ adds custom “menu” functionality (like widgets, but for navigation)

WordPress menus (navigation menus) were introduced in WP 3.0+. Here’s the Navigation Menus page in the WordPress Codex. Much like widgets, menu areas can be added anywhere inside a WordPress theme by first registering them in ‘functions.php’ and then adding them to theme page code. You can also “conditionally” add them using the exact same methods presented in the widgetized area examples.

5. Core theme files are index.php, single.php, page.php, header.php, footer.php, style.css

Some WordPress themes are really complex, and others have but a few files. If you are ‘tech curious’, it behooves you to dig a little deeper inside your WordPress theme and see how it works. For those of you that tinker a bit, here are some brief details about some of the most important files within every WordPress theme.

index.php: The ‘index.php’ file is the default of all WordPress themes. When loading your theme, if WordPress can’t figure out which theme file to use, the default is always index.php. For instance, when WordPress loads your homepage the first file it looks for is ‘home.php’. If you don’t have one ‘index.php’ is used. For archive pages WordPress looks for ‘archive.php’ – if your theme doesn’t have one it defaults to ‘index.php’.

single.php: The ‘single.php’ file is what is used for all posts within your WordPress web site. If you want to permanently add something to all posts sitewide, this would be the theme file to edit.

page.php: The ‘page.php’ file is the one that is used in your WordPress website to display all static paged pages (like your About page, Contact page, etc.). If you wanted to modify all your static pages sitewide,this is the file you would edit.

header.php: Generally speaking the ‘header.php’ file is for the basic HTML code that starts all webpages in your site, in addition to the display of the top portion of your page. You could modify the header of all pages sidewide by editing this one file.

footer.php: The ‘footer.php’ is the reverse of the header, it’s for the bottom of all pages and also the closing HTML code for each webpage. You can modify the footer of all pages sitewide by changing this one file.

sidebar.php Your theme may have more than one ‘sidebar.php’ file (or it could be called something slightly different), but generally speaking the sidebar is for your right/left sidebars within your web pages.

6. You can create custom headers, footers, and stylesheets to be used in certain conditions

Once again I’ll take you back to WordPress Conditional Tags. Using a conditional tag statement in your WordPress theme code, you could actually create and use multiple headers, footers, and even stylesheets in your WP theme code.

Let’s say as an example, you wanted a different header for the homepage than the rest of the site (like we do).

This is very simple, in your index.php do something like this:

Then all you have to do is save your 'header.php' file as 'header-home.php', make the changes you want, and upload it to your theme directory. You can do the same with your footer, sidebars, stylesheet, etc.

Then upload this file to your WordPress theme folder, and edit any static page from your dashboard. On the right side under "Page attributes" you'll see a dropdown that says "Template", and it should have a new entry called "Test 1". Select it and update the page, and when displayed that theme template file will be used.

You can make as many theme page templates as you want for specific pages, and then assign them to different pages on the edit screen.

8. You can control how many posts "the_loop" shows

Most people with WordPress websites are just used to the fact that nearly every archive type page (homepage, category, tag, archive pages) all list "10" posts at once. First you should know (if you don't already) that "the_loop" is the chunk of code that gets these posts in all WordPress theme pages. View the WordPress Codex page on the_loop.

What you may not know is that you don't have to specifically have the_loop on these pages (or a template page) - you can instead use the 'wp_query' function to show any range of specific posts you want like this:

//retrieve only specific pages

 'page',
	'post__in'  => array( '595', '33', 44 )
);
$the_query = new WP_Query( $args );
?>

//display posts by author

$query = new WP_Query( 'author=123' );

//display posts by several authors

$query = new WP_Query( 'author=2,6,17,38' );

//posts from a specific category

$query = new WP_Query( 'cat=4' );

//posts for a specific tag

$query = new WP_Query( 'tag=cooking' );

You can also use wp_query to just show a portion of your last posts (like we do in the header of this blog) like this:

query('showposts=3');
?>

have_posts()) : $recentPosts->the_post(); ?>
	<li>
   
   </li>

9. You can control the display of each post (content or excerpt)

Each WordPress theme page that has the_loop in it has a function that gets the actual listing of posts. When you see the function the_content that means show full post content. You can just change that to the reference the_excerpt (change the word content to excerpt in the code), and those pages will show excerpted posts instead of the full post content.

If you want to change to excerpts, for example on your homepage - change this in index.php. If you want to change this on your archive pages, change this in archive.php. If you want to change your search results to excerpts change this in search.php, etc.

10. Small modifications can alter meta info and navigation for posts

Don't be afraid to start altering your WordPress theme. Download a copy to your local desktop, and the go to "appearance->editor" in your WordPress dashboard and start mucking around!

Check out this portion of our theme code for this site:

            
            
<div class="the-loop">
<h2 class="title">
                
                </h2>

Filed under:
                
                | 
                0) Comments','(1) Comment','(%) Comments'); ?&gt;
                

<div class="post-content">

                

                  </div>
</div>

Can you tell what's what? Here's some helpful links that you can get started with in the WordPress codex while reading the code above and figuring out what's what:

the_post function
the_permalink function
the_category function
the_title function
comments_number function
edit_post_link function

10 WordPress Plugins to Install by Default

Having installed and configured thousands of WordPress web sites over the years, our list of WordPress plugins to install by default changes from time to time. This particular list however has been pretty much the same for a very long time, except for the addition of 2 new official WordPlugins for 2011.

This post is part of the:
100 Things you Need to Know about WordPress Series given by Anthony Montalbano and myself at WordPress Ann Arbor.

1. Akismet Akismet is the world’s most popular anti-spam plugin, created specifically for fighting “blog spam”, “comment spam”, etc. It’s an official WordPress plugin, and to use it all you have to do is signup for a free WordPress.com account and use the free API key to register it. You can download Akismet here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

2. Hotfix Hotfix is also an official WordPress plugin (which is awesome). It allows you to update core WordPress files without actually having to go to the next version. Case and point, let’s say you’re stuck at WordPress 3.0 because one of your plugins isn’t compatible with WordPress 3.1 (yet). You could use the Hotfix plugin to update the WordPress core files and get the security patches you need to make you safe, without upgrading fully to 3.1. Then you can upgrade to WordPress 3.1 once you know all your plugins work properly. You can download hotfix here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

3. Jetpack JetPack is an official WordPress plugin that gives you several services at once. Visit the official JetPack URL and you’ll see that once JetPack is installed you can use WordPress.com stats, a twitter widget, gravatar hovercards, wp.me shortlinks, sharedaddy, and even the “After the Deadline” plugin! You can also use LaTeX markup, and special shortcode embeds for videos and stuff from YouTube, Vimeo, Slideshare, etc. You get ALL this functionality just by installing Jetpack!. You can download JetPack here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

4. Revision Control WordPress has a great revisioning system, but it’s endless. Meaning if you update a post or page 100 times, you have 100 revisions stored in the database. There’s no way to limit them natively in WordPress at all. With the Revision Control plugin installed, you can limit revisions to any number you would like (personally I use 3). You can download Revision Control here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

5. Subscribe to Comments Subscribe to Comments is probably the most famous plugin (core WP programmer) Mark Jaquith has ever written. Ordinarily when you leave a comments on a WordPress web site, the only way to know if someone has responded to you or left a new comment – is to either revisit the page or follow the RSS feed. I for one, cannot monitor the RSS feed of every single page post I’ve ever left a comment on. Enter Subscribe to Comments, which (once activated) shows a checkbox to “subscribe to comments” when you leave one. It also has a built in system that allows (from links in comment notification emails) people to unsubscribe at at any time. You can download Subscribe to Comments here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

6. Contact Form 7 Contact Form 7 has been downloaded more than 3.6 MILLION times from the official WordPress plugin repository. This is the official Contact Form 7 website. It’s definitely the most widely used Contact Form plugin for WordPress, and it has a TON of extension plugins that you can use in conjunction with it. So many, in fact – I’ve written a long blog post detailing them on my other blog WordPress Directory: 11Different Ways to Extend the WordPress Contact Form 7 Plugin. You can download Contact Form 7 here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

7. Error Reporting One thing about of the more mainstream web hosts is that they don’t save PHP error files. And when they do save them – you probably have no idea unless you find them in FTP by accident in different directories. Error Reporting is a WordPress plugin that saves an error file every time an error is generated in PHP, and you can view the errors from the WordPress dashboard plugin settings page. In addition, you can limit the errors to be saved for the last XX days. I install this plugin on every client’s web site, so if they have problems in the future and call me – I’ll have something to go by to track it down. You can download Error Reporting here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

8. Login Lockdown When a hacker or spammer is trying to break into your web site, they will often use automated tools that try and do it via ‘brute force’ (over and over again) until they break your password and get in. Once you install the Login Lockdown plugin – you can limit the amount of failed logins that are possible before their IP address is locked for a period of time (before they can try again). Also all failed logins are logged by the plugin for review later. You can download Login Lockdown here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

9. Secure WordPress Secure WordPress is great plugin that offers some “set it and forget it” security features. You can deactivate tooltip and error messages to the WP login page, and remove the “version of WordPress” in all areas. You can also remove update messages and links for non-admins, and it even helps block bad queries. You can download Secure WordPress here, or just install from the “Add Plugins” dialogue of your WordPress dashboard.

10. All in One SEO Pack / Google XML Sitemap / Robots Meta To get your WordPress web site listed in the search engines and ranked well, you have to have the foundations of a good SEO plugin, a robots.txt file (and management for what pages get indexed), and an XML sitemap that’s registered with search engines webmaster tools. To accomplish this we use All in One SEO pack, Google XML Sitemaps, and Robots Meta.

Although slightly advanced (due to all the setup and features), we give honorable mention to another plugin you might want to check out WordPress SEO by Yoast. The WordPress SEO plugin combines some of the features found in All in One SEO and Robots Meta in one plugin. I did want to mention that a lot of people like this plugin for the Google search preview (showing what your page or post will look like in actual search results). You should know that this is only accurate if Google uses your exact Post Title and meta description (or first 135 characters of content). Google used to strictly use these, but now (because people game the search engines for rankings) Google is using random text from the web page as much as 50-60% of the time, rendering this feature a little more useless everyday. The rest of the features, however, are great! All of these plugins can be installed by going to the “Add Plugins” dialogue of your WordPress dashboard.

10 Things to Know about Choosing a WordPress Theme

This post is part of the:
100 Things you Need to Know about WordPress Series given by Anthony Montalbano and myself at WordPress Ann Arbor.

1. Never search Google for Free WordPress themes

The bulk of the “free” themes in Google are full of spam links or infected with malware. Only use free themes from the offical WordPress repository, or reputable theme directories (linked by highly regarded members of the WP community).

2. The more professional your layout is, the higher your conversion rate will be

Usability studies show that the more professional your graphics and layout, the higher the perceived value and “trust” will be by visitors to your web site. When choosing a theme be sure that your design is as professional as possible.

3. If you like a theme google the name + conflict, broken, and help

Sometimes themes are released a single time, and never revised be developers. To mitigate future problems and fixes, google the theme name in conjunction with keywords like conflict, broken, and help – to see if others are having problems that you might not know about (until it’s too late).

4. Premium themes generally come with more mature code, multiple revisions, and support

Premium themes cost money, but if you have problems you can usually get support from the developer, or their community. Because their living depends on the themes, they also revise them more frequently, and provide more features. Generally premium themes are more mature as well (and better coded). If you were going to put new siding and a roof on your house, would you call a bunch of college kids – or a real contractor?

5. In most cases rely on a theme for design and layout – not functionality

The more functionality that’s built into your theme, the harder it will be move off it in the future (if you need to). If you keep as much functionality as possible in plugins, then if you need to migrate themes in the future, it won’t be so hard.

6. Some themes excel at functionality: directories, auctions, classifieds, video, magazine

Some developers have premium themes for specific functions, like directories, auctions, classifieds, video and magazine layouts. Some even make specific themes for realtors, auto dealers, etc. This type of functionality is different because it’s normally something that a plugin doesn’t provide, and odds are you won’t want to switch the theme in the future (because it provides a services you need and is supported long term).

7. View admin functionality before choosing a theme; make sure you’re capable of customizations

Some themes look great, but once you download and install them you need to “be a mechanic under the hood” to setup. Always be sure to try and view the admin screenshots of the theme to determine if you have the technical capabilities necessary to set it up once purchased (or if you’ll need to hire someone).

8. Use “Maintenance Mode” or “Theme Test Drive” plugins when switching themes

If you’re going to be doing a lot of customization, or don’t want a lot of down time to your web site when switching a theme (or before launching a site), use these plugins:

Maintenance Mode plugin

Theme Test Drive plugin

9. Test in Windows, Linux, Mobile, and Mac beore launch

Your web site may look one way on your local PC, but different on a Mac, or in Safari, Chrome, Firefox, Internet Explorer, Opera, or mobile devices. Test as many different ways as you can before launching a new theme.

If you don’t have an iPhone try iPhoneTester.com

Also try the IE Renderer

You can also test in nearly every browser (that matters) from one site at Browser Shots.

10. Always be aware that design changes always affect search rankings

Even if you change only visual elements, anytime that you switch a theme (and change placement of text) you will affect your search rankings. In most cases expect a “setting period” in search rankings of 30-60 days. Some drastic changes to theme design might require on-site SEO work to retain some search rankings.

10 Things to Know about Web Hosting + WordPress

This post is part of the:
100 Things you Need to Know about WordPress Series given by Anthony Montalbano and myself at WordPress Ann Arbor.

1. Choose a web host by reading complaints in official support forums

If you want to find out what web hosting company is the best, the last thing you want to do is look for “reviews”. All web hosting review sites are paid an affiliate commission if you click and signup through their link.

What you really want to do is see if they have an skeletons in their closet. Most web hosting companies have official forums for support, and most are public (and indexed by search engines). See what the most common complaints are, and if support is responsive. You could also Google the name of the web host you’re interested in with search terms like “issues”, “problem”, “broken”, “horrible”, or even “sucks”.

2. Unlimited Web Hosts aren’t really unlimited

Unlimited web hosting is a lie. They may say unlimited web sites, unlimited bandwidth, unlimited databases, but it’s simply not true. Every web host has controls in place to make sure you don’t use too many resources, too much memory, or too much CPU. If you do – they lock your web site until you fix the issue.

For example, most web hosts will allow unlimited web sites, but your account can’t use too many “processes” at once. Let’s say you have 100 web sites. If they have only 100 visitors per day you might be ok. But if they each get 1,000 visits per day you’re probably going to use too many server resources and get your account locked up.

Most web hosts have an “inode” limit. In your web hosting account filesystem, each file or directory is a single inode. A common inode limit is 250,000, and once you have about 100 web sites installed in a shared web hosting account – with all the plugins, themes, and core WordPress files, you will definitely go over your “inode limit” and get your account locked.

You can fully expect to only be able to host 50-80 web sites in an “unlimited web hosting” account, and most of these sites will have to be ones that get <1,000 pageviews per day. In most shared web hosting accounts you can have up to 5,000 pageviews per day (uncached) before you start to get notifications of too much memory or CPU usage (depending on how many and what kind of plugins you're running). Depending on certain variables, a cached site (or one using a CDN, content delivery network, can get up to <10,000 or more pageviews).

3. Keeping domain registrations separate makes it easier to move in the future

It’s popular for web hosts to allow you do register your domains with them and keep them in the same account. It’s not a very good practice to do this, and keeping the domain registrations separate (like at GoDaddy) is a better idea for several reasons.

The first is cost. GoDaddy (and some other registrars) run sales where you can bulk renew your domains and save lots of money. Most web hosts don’t do this (and charge more for domain names).

The second is security. If your web hosting account gets hijacked, the hackers have access to your domain names. How easy would it be for them to transfer authority to themselves, and how hard would it be for you to get it back?

The third and last reason is if you need to change web hosts – they can make it more difficult by holding up your domain name transfer. If you have the domains with a separate registrar, you control when you move and when DNS changes – not them.

4. Backing up off-site is best for disaster recovery

Web hosting companies say they do nightly backup, but typicall use a hard drive (RAID) “array” for all the servers. So, if a hard drive goes down they can pull it out and replace witha new one (hot swappable) without turning anything off at all. But what happens if the array controller (computer chip) goes bad? The array goes down and the data on the disks is corrupted – potentially losing all backups and the data of every single web site they host. This actually happened to one of the largest web hosts in 2010, and nearly all data was lost.

Backup your web sites “off site”, either yourself locally, or using a service such as Vault Press or Backup Buddy.

5. Change all passwords every 30 days

Use strong passwords, and change them every 30 days – especially WordPress admin and web control panel login. Changing your database password isn’t a bad idea either. There are too many ways for people to gain entry, either a web hosting employee gone bad, a compromised PC, connecting via public wifi or mombile. Changing your passwords ensures that if someone has your password (and you don’t know it), they won’t have it for long.

6. Directory indexing should be turned off

Many mainstream web hosts still have “directory indexing” turned on by default (as if it’s a feature). This allows hacker scripts and spambots to troll your domain looking for directories so they can figure out what you have installed (and how to break in). It’s like giving criminals the blueprints to your house to figure out where to go in advance. It’s a simple setting in most web hosting control panels, turn “directory indexing off”.

7. Minimize resources by caching your site as much as possible

Your want your web site to load as fast as possible because Google uses site load speed as a ranking factor, and users stay longer on fast loading sites. WordPress has to “look up” information in the database every time a page is loaded. If you “cache” your WordPress install to static pages, you minimize (and in some cases eliminate) the database queries. You can also “offload” content loading to other sources as well.

Here are the best 2 WordPress database caching plugins:

W3 Total Cache

WP Super Cache

You can also use a CDN for WordPress, in conjunction with a caching plugin.

You can upload video to YouTube and use a plugin like Smart YouTube.

You can offload some content loading by using Amazon S3 for WordPress or similar plugins.

8. Keep other software up to date so WordPress doesn’t get hacked

If you install forums, other CMS systems, or scripts in your web site – keep them updated! Much like WordPress, over time all software developers security holes and vulnerabilities. If you abandon a software install in your site, and hackers or spambots get in, the will attack your WordPress install as soon as they get there!

9. Optimize your database tables automatically

Database tables get “overhead” over time, and “optimizing” them keeps them running smoothly. You can install a plugin like WP-DBManager and automatically “optimize” your database at specified intervals.

If you have the technical ability to use phpMyAdmin in your web hosting control panel, it’s also a good idea to remove all database tables that are leftover from plugins you once used, but no longer have installed.

10. Externally monitor your website’s uptime yourself

Never rely on your web hosting company to tell you what your server uptime is. Use a free external monitoring tool to notify you as soon as your site goes down or isn’t available. Here’s a Mashable list of 10 Free Uptime monitoring tools.

Local SEO Ranking and Keyword Help

If you landed on this page, I’m hoping to give you some “local SEO help” based on a conversation I had with a client today over the phone. Sometimes the Internet is not so obvious to small business owners, and it’s hard to figure out how your web site fits into your marketing strategy, or how it could be used to bring you leads, and sell products and services. There are many misconceived notions (that I’ve come across) – and sometimes a tiny bit of information can go a loooong way!

Small Business Perception of the Internet

I often run across one (or more) of these notions with small business clients…

1. It can’t do anything for me
2. It’s too technical for me
3. It’s not like I’m going to get any business from Facebook or Twitter
4. I heard you could buy links or Google rankings?
5. My kid/friend/relative/employee runs/built our web site
6. We’re #1 in Google for [bla, bla, bla] keywords
7. I paid a guy [insert amount here] for our crappy web site
8. We paid [seo company/link builder/spam email] $$ and got nothing from it

Sometimes it’s bad dealing with clients who aren’t technical. I feel bad for people who have been taken by shysters, and there’s so much BAD information out there, and under-educated people (selling services) – there are days when I feel like it’s a losing battle. But I never stop trying to help people, and make them more self-sufficient when it comes to their business and web sites.

How the Internet CAN work for Small Business

The Internet is woven through the fabric of our lives in such a way that now instead of technology being “present” in our daily activities – to some degree they just are our daily activities. They are so ubiquitous that we no longer think it’s weird to use a cell phone to pay for something, an iPad to write a term paper, a computer to watch a TV show, or an iPod to play a game or browse a web site. People use technology constantly now, and that’s how they find, pay for, and recommend things. It’s how they get directions, read reviews, get new choices, AND connect with colleagues, friends, family, schoolmates, business associates, and the community.

If you want people to find your business in all that noise – you MUST:

1. Understand how people look for things
2. Form a plan to be in the appropriate results when people do the looking

How Search Works

I read some analytics last year that said “80% of every search entered in Google daily has never been entered before”. Can you believe that? It’s true, and I’ll tell you why. Everybody treats Google like a magic oracle, and they do searches in question, and revisionary format. People do searches like “what does bright green poop mean”, and “where can I find the best prices on a party tent rental?”. When the search doesn’t yield good results, they revise it like “party tent rental North Atlanta”. I’ve seen people change the search a good half dozen times before they get what they want. People learn over time how to “narrow it down”

Google takes search keywords and attempts to find the “best match” at any given time based on a number of factors (they use over 200 signals to rank web sites for keywords). A new factor is social activity, in addition to local or personalized results for you based on your browsing habits, and web sites you’ve liked or visited.

Google has 3 ways they match keyword phrases to results:

1. Exact Match: matching an exact keyword phrase from a search to an exact keyword phrase on a web page. People use quotes around the keywords in Google search to do this. Like “detroit tattoo shop” (and nothing else).
2. Phrase Match: matching an exact phrase with other keywords. People use quotes around keywords in a sentence of group of words for this, like ["detroit tattoo shop" grand river]
3. Broad Match: matching keywords in any order from a search to web pages. Like if you search for [detroit tattoo shop] and the google result was from a web page that had the phrase “in Detroit looking for a great tattoo shop? We are…”.

In google, broad match is used most because most people don’t use quotes in search – they just keep typing in different words to see what they get. The funny thing is, even when I take the time to explain to small business owners the types of search matching – they still think they can come up with the best keywords to use.

Local SEO and Basic Keyword Research

You may wonder why I bother to explain the 3 types of keyword matching to a client or business owner. Here’s why:

“They need to know how to figure out how many people search for their products and services in their market, and what keywords are used most often…”

Basic keyword research for local markets is easy….

Go to the Google Adwords Keyword Tool (it’s free)

Type in phrases that YOU think people use to find your products and services, and then see what comes back for results.

These are the keywords I entered for this example (based on the client conversation earlier today):

and these are the results it brought back:

So, google is telling us how many people search for the keyword phrases we entered (in bold), with other suggestions and combined phrases. First off, while talking to the client over the phone I told him “nobody really searches for [detroit tattoo shop], there are better keywords to use”. You can see that in the results. It looks like the best keyword phrase to go after (for him) is [detroit tattoo] (and variations of it).

But wait, there’s more!

I do come across more and more business owners who have “been reading blogs” (lol), and they know about the Google keyword tool, and they’ve done research on their own (and therefore they are experts and know the best keywords to use already). Guess what…the image above shows a basic keyword suggestion and activity report based on broad matching.

Let me show you a little trick most people don’t do (but should).

In the left hand sidebar are checkboxes for the different types of keyword match types. By default what you see is “broad”. Let’s see what happens when you check the “exact” checkbox and the results reload…

In these search results the broad match terms are as they were, and the exact matches sare the ones enclosed in brackets. I show them both at the same time for comparison. We see right away nobody is searching for [detroit tattoo shop]. Now we’re looking for the best terms this client can use, and some of the broad match numbers were pretty good, but now the exact matches are a small percentage of those – why?

I’ll tell you why – because this is how people search!

From these results you can clearly see:

3,600 people per month search for the keywords: detroit tattoo
320 people per month search for the exact phrase: [detroit tattoo] (with no other words).

What about the other 3,280 searches per month? Well, they’re BROAD MATCH (combined with other phrases)! And guess what – Google’s NOT telling you what (all) those phrases are!

Local SEO Best Practices

For this client – the best I can do is tell him we can optimize his campaign for the exact match “detroit tattoo” and at most expect 8 people per day from that phrase (even if he had the #1 spot in Google). But (in my experience), the best thing he could do is optimize for the exact match phrase, and then mix long tail keywords with it throughout the site. In other words, you optimize for one phrase, and then combine it with lots of matches in regular original content, images, titles, headings, etc.

How do you figure out what words are best to match with?

Start with location matching: Use zip code, area code, suburb, country, regional, township, or landmark locations in combination with the phrase (as people would in searches).

Use refinement words: add keywords like best, top, cheap, quality, award winning, certified, licensed, inspected, etc. with the phrase.

Look at Competitors: Look at competitors web sites, and pay close attention to the keywords they’re using in their content, headings, titles, and search listings

Watch the Ads: Do sample searches in Google, and watch the paid ads on the top and sides of the page. Open the ads (in a new tab by right clicking – don’t click just to cost them money, that’s just in poor taste – AND it’s bad karma!), and look at the keyword used on their landing pages.

Get Basic Metrics: If you still can’t figure it out, run the competitors web site, or use the keyword phrase at SEMRush.com to get as many basic free stats as you can about what keywords a web site is buying in Adwords through PPC, or getting organic traffic for.

When Do I Use These Keywords?

Organic SEO: Well, if you’re going for organic SEO results – you want do some on-site SEO work to put the main phrase and it’s matches in strategic pages you want to get ranked for – and then build links externally to get to the first page of Google. If you’re a business owner and reading this, you may need to hire an SEO for his services. I can attest to this strategy working, we’ve been optimizing for a main (broad match) phrase for about 3 weeks for a client site, and along with the first page broad match, we’re also getting traffic for about 40-50 phrase match keywords based that include the target keyword phrase (we’re getting what is referred to as “the long tail” of that keyword).

Pay Per Click: If you’re running a PPC campaign use all the matching phrases you came up with for best results. Some campaigns run best with exact or phrase match keywords, others with broad. Start with all, and narrow down the best converting ones. You’ll find you’ll get the best quality score when the exact same keyword phrase (of the ad) is in the page title and heading (and content).

External Link Building:

If you’re running an external linkbuilding and SEO campaign to get better rankings, optimize for your main keyword phrase, but use the match variations you came up with to strengthen it. Use the main phrase 70% of the time, and the variations say 30% of the time.

Google and Yahoo Local: When you setup your Google places account or Yahoo local (or Yelp, etc.) – be sure to use your main keyword phrase in your description, in tags, in bio, etc.

Social Networks and Other Channels: Use your main keywords in your social networks (description, bio, tags, and content) like Facebook, Twitter, LinkedIn – as well as Channels like YouTube, other profiles, and even forums you may participate in (in your signature if allowed, and your profile page bio and description)

Do you need Local SEO Help?

We can make your Online Marketing campaign effective with tangible results you can see.

Click here to contact us now

75Q7V2KU29WT

It’s ironic in a way that Google is now literally begging people to block bad search results. The official Google blog officially published today “Hide Sites to Find More of What You Want“. All I can say is “wow”.

Now when you visit a web site in Google, the next time you go back to the search results page beside the “cached’ link will be a “block all results” link for that listing. If you make a mistake blocking listings, you can manage your blocked sites in your google account. They actually act like this is a “feature”.

Remembery McCarthy-ism back in the 50′s, when the US government asked citizens to turn in fellow citizens that they thought were communists? It was a literal witch hunt, with thousands of people accused of doing things that had no part of. People actually bought into the mob mentality of “turning people in” at that time. Is this the same, or is this different?

This is less than a month after the Google Chrome Spam Extension was released (right after the JCPenney paid link debacle). AND just weeks ago, the largest update to Google’s search index since they first came online, the “Farmer” update changed more than 11% of results for the entire index worldwide.

Google has been humming along nicely now for more than a decade. Thanks to AdWords (and Adsense) Google is a billion dollar money machine. Search results = money. Valuable keyword searches have the top sponsored ad spots auctioned daily for incredible amounts of money on the first and second page of results. Organic results are just as valuable, and people spend large amounts of time and money to get first page rankings, because (once again) search results = money. If this weren’t the case, JCPenney wouldn’t have hired an SEO company to get them ranked for so many keywords just in time for the holiday buying season. It turns out in recent weeks, Overstock.com has been found to have been doing the exact same thing quietly over time.

Is it fair to blame JCPenney and Overstock for what they did? Are they the same as a spam site? Really, what JCPenney and Overstock did was wrong because they attempted to “game the search results” by building links in unethical ways, and buy outright paying for links to their pages. Ok, so google doesn’t like you to buy links. But in this latest update to squash low value “content farms” Google’s focus is to remove sites with little or no original content. I understand that problem completely, and their need to fix it. But asking users to police the results is (if you ask me) a bit of a witch hunt.

When Google did the Farmer update they had about a week’s worth of data from the Chrome spam extension. The spam extension allowed people to “block” sites they didn’t want to see in search results, the same as the new link next to “cache” in search results pages. Google says that they didn’t use any of the spam extension data at all, but when they compared (the 11% of results they were changing) to what users were actually blocking – it was about the same.

I was just explaining to a colleage the other day – the issue with this new “block” feature for me is two-fold. First of all, search visitors are (for the most part) not tech-savvy at all. The majority of people won’t even know that this new feature exists anyway. But those that do might “uber-react” to it.

Let me ask you – what is spam? What is a spam web page or web site? What is web spam?

Is an Amazon.com product page spam?
If I copy an Amazon.com product page (without adding anything to it) – is that spam?
Is a shopping comparison site spam?
Is a blogger post that reviews a product spam?
What if that blogger has a great 1,000 word review, but links to the product with affiliate links – is that spam?
Is wikipedia never spam because they have no ads and they’re human edited?
Are Yahoo Answers and eHow almost always spam pages?
If Craigslist added relevant eBay auctions to all free posts – would that be spam?

Most people would agree that if you get a web site that lists every zip code, every phone number, every street address, every email address, every domain name, every whois lookup – ok, that’s almost always spam. Sites that just aggregate other people’s RSS feeds (scraper sites), almost always spam. But some people feel that any page that uses an affiliate link is automatically spam (which is nuts). There may have been a time when blogging was “righteous”, but it takes time and money to blog – and if you’re giving others knowledge and expertise online (about anything), monetizing that content IS NOT WRONG. If fact, in Google’s webmaster quality guidelines they say using affiliate is ok “as long as your pages have original content”.

I watch what people look for, seach for, and click on. I see that it’s hard for them to discern between original content, good reviews, and spam. Most people can barely keep from clicking on spam emails that have bargains that seem too good to be true. I think that Google asking us to be “web inspectors” and help police the search results is ironic, futile, and just wrong.

Remember back in 1998 when Google started, the reason you were willing to ditch the other 30 search engines online was becuase “Google had the best results”? Remember when google was “cool” and their mantra “don’t be evil” was kind of like thumbing your nose at Microsoft and other big software companies a little? Now Microsoft is smaller than Google, and Google is the 800 lb gorilla in the room. They can say “don’t be evil” all they want, but now they are a billion dollar cash cow that can’t seem to fix their own search results (without asking YOU to help). Just like Google completely slaughtered all search engines online over a decade – they are now SO big that even they could fall by someone inventing something “that much better”.

I think it’s ironic that Google is asking us to help them make search results better, like the Google index is public park or something, and we’re all on a community project to “help keep our Google clean”. Until Google starts giving out stimulus checks for all the cash they’re printing every day, everyone’s gonna keep complaining about bad results – and asking what they’re going to do to fix them. Honestly, is it that hard to filter the results better? Instead of having a few dozen people working on the problem – shouldn’t you have a team of a few HUNDRED? Offer a bounty, hired 1,000 interns, get some (more) genius coders – DO SOMETHING!

Come on Google – you can do better than this. If you don’t, somebody is gonna eat your lunch (and soon). Facebook is already bigger than you, and you didn’t seem to see that coming either, did you?

Fixing a hacked WordPress blog isn’t easy if you’re just a blogger with little technical experience. In my experience with clients, web hosting companies usually aren’t much help – because their experience with WordPress is limited (whether they’re ‘WordPress friendly’ or not). Their experience fixing a compromised or infected WP site and hardening security is usually non-existant. Like most technical support personnel – their job is to close your ticket as quickly as possible, not to get to the “root cause” of your infected and hacked blog. Without actually figuring out how your site was hacked, odds are you’ll get re-infected again, and again, and again.

Consider this a 4,000+ word tutorial / lesson / guide to help you fix your compromised WP site on your own. If you still need help – feel free to contact me, but I’m hoping that this article will help a LOT of people deal with their broken site on their own. You don’t have to be a coder or developer to be able to use these techniques, but you’ll need a decent understanding of WordPress, FTP, and possibly phpMyAdmin.

This article will help:

• prevent your web site from getting hacked, jacked, infected, injected, exploited, etc.
• fix your hacked blog or WordPress site from any one or more of the following…
• spam links in your theme footer
• spam links only found google’s cache of your web pages
• eval base64 decode hacks (eval(base64_decode)
• iframe hacks
• .htaccess hacks
• malware code
• evil 301 redirects
• injected or compromised wordpress database
• give you tips and tricks to keep your site from getting compromised in the future

What Your Web Hosting Tech Support Will Try

Usually web hosting technical support will ask you to try techniques similar to computer tech support…

• Reinstall WordPress
• Restore from Backup
• Clean infected files

The problem is, they usually don’t know how to do any of those things right – and even if it does fix your broken site, it doesn’t find the “root cause”. I’m going to try and give you enough tips and tricks in this article to do a better job than any web host tech could ever do, based on my own experience of fixing hundreds of hacked blogs myself for clients over the last few years.

What Causes A WordPress Site to Become Infected or Hacked?

An Automated Army of Spammers and Hackers is Out to Get You…

First let me clear up the misnomer that web site are hacked literally by “people”. I say this, because I get emails from people saying “they got in again…” or “I don’t know how they got into WordPress…” 99.9% of all web site hacks and infections are done by automated scripts and software.

Here’s how it works…

Some clever little programmer finds a security hole or exploit that is either very recent, or very old. Recent security holes are easy to find, older exploits are harder to find – but easier to hack. They write a web “crawler” or software robot to trawl the web and comb through hundreds of thousands of sites – looking for ones that meet the right criteria (that have the hole). Once a site has been identified, the automated software performs the break-in, and then follows it’s programmed routine for infection. It’s very uncommon to have your web site hacked or infected by an actual live “person”.

Why was my web site a good target?

• Footprints: The software robots look for “footprints”, that’s the first way they find and target your web site. It may be as simple as the text “powered by WordPress” in your footer, or the WordPress version in your HTML code.
• Server Vulnerabilities: Hackers specifically seek out servers with “directory indexing” turned on by default to search for backend scripts and files not indexed by seach engines (for more exploits and holes). Most of the hacked blog clients I get have directoy indexing turned on (and it shouldn’t be). Having directory indexing turned on is like giving a hacker an x-ray machine to see inside your site.
• Plugin Exploits: A hacker script may automatically try different directories on your site just to find out if you have different plugins installed, what versions they are, and if they’re exploitable. It doesn’t matter if WordPress is up to date – if all your plugins aren’t. I have had multiple clients get hacked through an outdated WordPress plugin.
• Bad Web Hosts: Most modern web hosts use some kind of web site control panel software. Hackers look for out of date installations of cPanel, Plesk, etc., to break in. Some web hosts code their own control panels – which may eliminates a “footprint” but sometimes opens up even more holes. Your web host is also responsible for keeping your server up to date – so they are additionally responsible for the other points of server vulnerabilities, and operating system. I have had LOTS of web hosts over the years (still have multiple acconts), and even though I’ve written articles about WP security – I’ve had WordPress sites hacked through bad web host configurations.
• Other Outdated Software: This is something I actually learned first hand – in addition to having clients that had this problem. Let’s say you have WordPress installed (and up to date) on your web site. Then one day you decide to install “Simple Machines Forum” in a sub-directory of your site. Maybe you didn’t like it, and just left it there. Maybe you installed Drupal, Mambo, Pligg, or Joomla, or some other scripts. The biggest mistake you could make is to install something and forget about it, because over time it becomes outdated and easily exploitable. Case and point, a few years back I actually did install Simple Machines Forum in one of my shared hosting accounts and forgot about it for 2 years. It was a shared hosting account with 30 web sites installed, and hackers got in and infected EVERY ONE of my WordPress sites through the backdoor in the forum. Just because hackers broke into your WordPress site – doesn’t mean that the got in that way.
• Public Vulnerability: People have no idea how easy it easy for hackers to steal your credentials when you’re away from home. Public wifi is great, until you realize how many things you do on a daily basis that send usernames and password in plain text with no encryption (email, FTP, WordPress admin login, social media sites, etc). I don’t care if you’re in Starbucks or a hotel on vacation – you need to make sure that absolutely everything you do is encrypted at all times. That means using https:// secure logins, SFTP (secure FTP), etc. It also means routinely changing all your login passwords once back home.
• Operating Systems: This actually falls under 2 other points, but I thought I’d mention it alone as well. Your web sites run on a server at a web hosting company, and that server has it’s own operating system (Linux, Windows, or Mac). If it’s not kept up to date by the web hosting company with current patches and proper security, hackers will break in. I personally don’t prefer Windows web hosting, and last year I believe Godaddy had their Windows hosting servers broke into not once, not twice, but three times. I had to move several new clients that got hacked during that time from Windows to Linux.

What to do if your WordPress Web Site is Hacked

Alright, now that you know what causes sites to get hacked, let’s get down to business. What you really want to know is what to do…and that really depends on what your symptoms are. I’ll try to give answers for every scenario that I can think of…the most important thing is to know whether you have access to your wp-admin dashboard login or not.

I can’t get into my WordPress web site…

This section is for people that have a hacked or infected WordPress site, and they’ve been locked out in some way. If you can at least access your wp-admin dashboard login, move on to the next section.

If you can’t login to your WordPress admin dashboard, you probably have one of the following symptoms:

• When I try to login to wp-admin I get a white screen of death (blank screen)
• When I try to login to wp-admin it redirects me to the homepage or “page not found”
• My admin username or password no longers works
• also…my web hosting control panel / FTP / email password no longer works

The first order of business is actually getting into your WordPress dashboard admin. There are many reasons why you might not be able to login to your dashboard, and the hacker scripts accomplish this in many different ways depending on how they broke in – and what they want to accomplish. I’ve fixed so many hacked sites that I’ve developed techniques to quickly be able to login – no matter what the problem actually was. So keep in mind that the steps I’m about to tell you won’t actually figure out why you couldn’t login – but rather provide the most direct path to be able to allow you to login.

Steps to regain entry to your WordPress dashboard:

1. Change your web hosting control panel password – NOW
2. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
3. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
4. Click on the “export” tab on the top right
5. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
6. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
7. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
8. In FTP delete the “.htaccess” file in the root of your site. This file exists for every working WordPress site – if you don’t see it in FTP, just change the options of your FTP program to “show hidden files”, so you can find and delete it
9. In FTP go to your /wp-admin folder in the root of your site and make sure there isn’t an .htaccess file there – and if there is, delete it
10. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
11. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
12. Download the latest version of WordPress, unzip it on your desktop, and then manually FTP the new files over the top of your WordPress installation. If you were really concerned about about your site being infected you could delete ALL files in the root of the site except for /wp-config.php, all files in /wp-includes, and all files in /wp-admin. Keep /wp-content because you want to preserve anything you uploaded in /wp-content/uploads
13. With the new WordPress files uploaded in a browser go to www.site.com/wp-admin/upgrade.php. Click the db upgrade button if necessary, and then try to login your site at www.site.com/wp-admin. You should be able to login. If you can’t, then your admin account or database has been compromised. You’ll either have to reset your password manually in the database or have your database cleaned. For 99% of the sites I work on the steps up until this point fix the issue, because getting locked out of your site or white screen of death is almost always caused by a plugin or theme conflict, .htaccess problem, or failed upgrade of some kind. If you think you have a database issue – move on to the next section below.
14. If your issue was fixed, now you have to get at the root cause. Normally at this point I start re-uploading the plugins and activate them one by one – checking to make sure that one of them wasn’t the issue. Often I find one that is, and have to find a replacement.
15. If you get the plugins all uploaded and activate, then re-upload your theme. Before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.

My WP site has been hacked or compromised, but I can get into my dashboard admin…

Well, if you can login to wp-admin to get to your dashboard, the process is pretty similar…

1. Download a backup of your ENTIRE wordpress site in FTP to a folder on your desktop
2. Login to your web control panel, go to the database section, and click on phpMyAdmin. Once it loads, find the database for your wordpress site in the left sidebar and click on it (look in wp-config.php file in the root of your site if you don’t know what it’s called)
3. Click on the “export” tab on the top right
4. Under the “View dump (schema) of databases” section click “select all” to select all the tables (if they aren’t already)
5. At the bottom of the page make sure the “save as file” checkbox is checked and the radio button for “zipped” is selected for compression
6. Click the “go” button to the right, and when the popup appears, save the file to your desktop. Now you’ve saved a copy of your WordPress database
7. In FTP go to /wp-content/plugins and delete all the plugins (don’t worry, you downloaded a backup of them earlier)
8. In FTP go to /wp-content/themes and delete all the themes except default wordpress (you also have a copy of all themes)
9. What you’ve done is completely removed all the plugins and theme files – which 90% of the time are the problem. If this fixes your problem – then re-upload and activate the plugins one by one, checking each time to make sure one of them isn’t the problem.
10. If you get beyond all the plugins then move on to the theme that you were using at the time of the problem. You need to re-upload your theme, but before I do this I carefully check the footer for bad code or links, especially encoded stuff like gzip eval statements (hackers put these there so yo don’t know they’re spam links). I check the functions.php file and make sure there isn’t any rogue code there. Last I check all the main PHP files for bad code too, like index.php, search.php, page.php, archive,php, etc. – all by hand in a text editor. THEN, I re-upload the theme, activate, and check the front end web site to make sure everything is ok.
11. If you get through all your plugins and the theme files, my next steps are search the site for any weird looking files or folders. It really depends on what the problem was. If the infected site had spam links in the footer and I found the bad code in footer.php and removed it – then of course I would know I had removed it. If the footer links were still there after going through the plugins and theme – then I’d keep looking. In my experience if I didn’t find the problem in the plugins or theme, then I usually have to move on to the database.
12. I could give you all kinds of ways to search and fix the database – but it takes both experience and time to find a database infection – and even then you might miss something. Over time from experience I’ve concluded that it’s much easier to export everything from the dashboard, start with a new database, and then re-import all your data. Move on to the next section for those instructions.

I need to fix a WordPress database infection – what do I do?…

So, if you’ve gotten this far in this “fixing hacked blogs tutorial” you should at least have access to your dashboard, and you’ve already gone through your plugins and themes – and what’s left is the database. As I previously mentioned – I could show you how to search for and clean infections out of your database, but it’s much easier to take the route I’m about to tell you.

Here is the easiest way I’ve found to completely remove a WordPress database infection:

1. If you performed the steps earlier, you already have a full database backup that you exported from your web control panel using phpMyAdmin. If not – go back and do it now
2. Login to your WP dashboard admin and go to “Tools->Export” and export the contents of your site. With this standard WordPress tool you can export all your posts, tags, pages, categories – ALL of your content. The only thing you cannot export are your (previously installed) plugins settings. The only thing you can do in that regard is export them from various plugin pages (which most don’t have options for), write them down, or export the records from your wordpress wp_options table one by one. You might want to take note of your general wordpress settings as well, exporting content will not export those settings.
3. Next, you want to visit your web hosting control panel and create a new blank database. Write down the database name, database password, and database username.
4. Now open download the wp-config.php file from the root of your site and open it in a text editor. Remove the old db name, password, and username – and replace with the new blank database ones. Upload the updated wp-config.php back to the root of your site. Depending on whether or not you suspect your wordpress files were infected, if you haven’t already you could additionally at this point is delete all the root files (except wp-config.php), an everything in wp-admin and wp-includes and then upload a fresh copy of all core WP files. Then you truly know you’re starting with fresh WP files AND fresh clean WP database.
5. Now just visit your site in a web browser, and what should happen is it gives you the dialogue and button to run the WP install for the first time. Click the button and run the install for wordpress, and login for the first time with your admin account
6. Once you’re logged in go to “Tools->Import” and import your previously exported posts, pages, tags, categories, etc.
7. Activate your plugins
8. Activate your theme
9. Now you should have a completely clean wordpress database, and if you followed the first two sections you should now already have clean plugins and a clean theme. As I mentioned, you might have to setup your plugins settings and options again, but that’s a very small price to pay to ensure you have a 100% clean and fresh WordPress database

The biggest mistake that anyone can make is to find and fix an infected WordPress web site, and then not take any preventative measures to ensure that it doesn’t happen again. Be sure to go through the next section and take the preventative measures to ensure that it doesn’t happen to you again. I can’t tell you the number of clients that have come tome because they were able to remove the infection from their site by themselves, but then it kept getting infected over and over again (and they didn’t know why). So – they would pay me to fix their site and ensure that it never happens again.

How do I prevent my WordPress site from getting hacked again?

So, at this point in the tuorial you’re site should be clean. If it’s not – quick reading this section, and got back and remove the infection. Now your job is to do preventative maintenance for the future – to ensure it won’t happen again.

You may have removed some kind of site infection or malware, but you probably have no idea how it happened. I’m much better now when working on sites at figuring out exactly how somebody broke in. But there are times where I really don’t know – but once I get done with the preventative maintenance and harden the security, I’ve never had a single time after doing this (and hundreds of fixed sites) that the site got infected again. That’s because when it comes down to it, the break in’s are almost always automated by scripts and software (and predictable).

To prevent your WordPress site from getting hacked, infected, or broken into again – these are the steps you should take:

1. Logins and Passwords: It’s time to take charge of your passwords. Most likely – like everyone else you’ve been using passwords that are easy to remember. In addition, most people tend to use the exact same password for everything – and the exact same username. That means if somebody gets the login to one site – the get them all…and your facebook, twitter, online banking, email accounts, etc. The #1 source of entry for spammers and hackers into your web site is by going directly through your login account – and here’s how to stop that…
• Use different login usernames on all your accounts. NEVER use the same login across all sites, and always try to use login usernames that have some numbers AND letters
• Use STRONG passwords with numbers, letters, and special characters. You can use www.strongpasswordgenerator.com if you’re in doubt. Also, the LONGER a password is, the harder it is to break. Most people are forced to use an 8 character password with most site – I use 15.
2. b>Failure to do Maintenance and Upgrades: If you have shared web hosting, make sure that EVERY WordPress web site and plugin in ALL the sites you have are up to date. If someone breaks into one – they gain access to hack them ALL. If you have software OTHER than WordPress in your web hosting account (forums, other CMS systems, scripts) keep THEM updated in ALL sites. Neglected and unmaintained code is one of the #1 ways hackers can compromise your site!
3. Intercepted Logins: Be very aware of HOW and WHERE you are connecting to your WordPress site, your web control panel, and FTP. Use encrypted wifi at home, never use public wifi for connecting to your wordpress dashboard, FTP, or your web control panel unless you can use an “https://” secure connection.
4. WordPress Security Plugins: Use a few free WordPress security plugins, such as Secure WordPress, and Login Lockdown
5. Google Webmaster Tools: Signup for Google webmaster tools and it’s “automated alert” feature – so if your web site is broken into (for malware) you’ll get an email alert. You can also keep track of your rankings and any indexing problems easily here as well
6. Other WordPress Security: Read my free WordPress Security Guide for even more free preventative maintenance and security hardening you can do with your WordPress web site

Additional Help for Infected Blogs

If this article was too technical for you, or you just need your site back up and running quickly and require someone to do it for you just contact me with your issue, and I’ll respond as quickly as I can.

Has Google failed in search? If you haven’t been reading about Google’s search fails recently – either you don’t read much about trending topics, or you don’t do much with SEO and web ranking. Search and search results are on the mind of everyone who builds web sites and works with people that want good rankings and more traffic. For the most part Google is very quiet about their work on their ranking algorithm because it’s possibly the most valuable tech asset in the history of the world.

Think about it, there are a billion Google searches performed per day. A BILLION! Per day! The value of being in the #1 spot for keywords easily translates to money. The amount varies only by the number of people searching for a given keyword phrase. In the last few years, I think it’s become a little more predictable on how to get ranked in Google for keywords – and that’s why we’ve seen some much talked about stories relating to Google and SEO.

I predicted something was going on last year in my post No More Google Pagerank Updates. I knew that since last year Google only fully updated pagerank a single time, and all years prior (that pagerank existed) it was 3-4 times – they were trying to indicate that they were placing less emphasis on PR number. Or at least, that’s what they “wanted” people to think. I mean, come on – all SEO’s just hung on PR updates, especially those buying and selling links (because the PR number indicates how much they can charge). I think Google waited as long as they could to take a little of that power away, and to show everyone that they can update PR whenever they feel like it.

Let’s recap the last 8 weeks or so in SEO news, shall we?

Nov 26th: NY Times Story about Online Complaints Boosting Authority in google
This was an unbelievable story about a Brooklyn web site owner that started up a site to sell designer eyeglass frames. He would take orders for stock he didn’t have, order it off ebay – and ship it out. He literally stalked people that complained and asked for refunds – to the point where he’s now looking at criminal charges. People that complained online in ripoffreport.com and other online customer service forums unknowingly boosted his web sites search rankings with each bad report, because the consumer sites had such high authority themsevles. This was basically a loophole in Google because they have no way of determining whether links to a site are good or bad, they just know whether the site linking has high or low authority. To make matters worse, the web site owner boasted in the NYT interview that the more complaints he got – the more sales his web site made. This was an unbelieveable thing for the average person to comprehend, but for those of us that do SEO – we’ve always known this.

Jan 28th: SEOMoz blog Posts Proof of Highly Organized Spam in Google Results
I believe this page first had the title “Organized Crime” (and not spam), because the permalink still has it. I have long said that the efforts of most online hackers and spammers stemmed from organized crime. This article shows that the mob has figured out how valuable search results are in general – and getting ranked for key terms (like high profile jewelry and clothing) means money. Many of the sites they put online don’t even sell anything, they just scam people out of money. A large marjority don’t even bother to pay for links, they just pay hackers to break into sites with high authority and place links where they want at will. I fixed many hacked blogs per year, and I always tell these clients that most hackers don’t want anything more with their site than too place links in the footer, or to spam their google cache results (which is harder to find).

Feb 1st: Google Officially Accuses Bing of Copying Search Results
This was kind of a shocker (for about 5 seconds). Google announced on the official Google blog that they had set a trap and caught Bing.com red handed outright copying Google search results. It made the jaw drop of quite a few people, but then when you start to think about it you say – why did Google come out on the defense like that? Do they really see Bing as that much of a threat? Are they trying to divert attention from their problems with search results lately? You don’t really start publicly trashing other companies unless you see them as a threat – do you?

Feb 12th: NY Times posts “Dirty Little Secrets of Search
This article surprised a lot of people – personally I just figured it was a matter of time before something like this came out. As it turns out, JC Penney had thousands of blackhat links built to be one top for the Xmas season (PAID links) for things like dresses, area rugs, bedding, skinny jeans, home decor, comforter sets, tablecloths, and more. Things they were never ranked for before they were suddenly #1 for in Google. The NY Times turned the info over to Google, who admitted they new JC Penney was up to no good last December in terms of links, but they never “circled back” – so the retailer dominated those search for the entire holiday season (and then some). Now Google has dropped them from those searches, while JC Penney denies they knew about it and works to remove all the links – the bulk of came from seedy sites with absolutely no relevance to the retailers market at all. Looks like their SEO company (SearchDEX) is F-I-R-E-D.

So – what does all this mean? For one, the public perception of “SEO” is definitely different right now – with views ranging from alchemy to criminal. There’s a lot of finger pointing going on too, and many think that it’s very strange for the NY Times to have posted so many recent articles specifically about SEO. I mean, it was the NYT that “turned over the JC Penney search results to Google”. Some cry “conspiracy”. Why would a newspaper do that? What did they stand to gain? Was a seed planted by a JC Penny competitor?

On the one hand the NY Times “exposed the truth”. But on another they took advantage the information by doing a little “SEO” themselves on the page copy. They called the heading of the page “The Dirty Little Secrets of Search”, but the HTML title is called something different: “Search Optimization and its Dirty Little Secrets”. Why would they do that? It’s a no brainer – they knew this story would get THOUSANDS of links world wide from SEO’s and people working online, so they added “Search Optimization” as the first 2 words of the HTML title to get ranked for that keyword phrase in Google. Is it as dirty as what JC Penney did? No, but a little ironic to say the least. That NY Times web page has Google adsense links on it, one in the bottom of the right sidebar, and the other directly beneath the article. What do you think they’re showing right now? Ads for SEO! They’re not stupid – they’re gong to use the opportunity to out somebody else as their own opportunity to rank for something, and make some good cash on ads in the process.

Am I crazy? No, the Search Engine Watch blog seems to be asking all the same questions. Mike Arrington bemoans Google results as still sucking, while commenters accuse him of potentially spamming his own links (for gogobot and Blekko), while Matt Cutts himself sees fit to jump into comments and correct some “mis-information”.

My Opinion on Google and SEO

When you see a site like Huffington Post go from political blog, to supposed “breaking news” site getting deliberately ranked for things like “sex” and “funny cats” – you begin to realize how much money is at stake in search. The NY Times actions show even more vividly how much large media outlets are now realizing that controlling search terms is like dredging in dollar bills with a net. There was a time when I wondered when news and media outlets would figure out how to use SEO in their web sites. I just figured it would be a web guy that was behind pushing it – not their controller.

The bigger you are, the easier it is for you to fail and fall. The only thing (at this point) Google has in it’s favor is about 500 billion dollars. You would think they’d allocate a half-billion to better search results and relevance, but may believe that’s not even in their best interest (because of Adsense and Adwords). Google has money to burn for years, but just 2 years ago it NEVER would’ve guessed that Facebook would be the world’s most used and largest web site. If Facebook is able to install some kind of “more relevant” search – google is screwed – period!! If another company comes along that is faster, more nimble, and can somehow gain a foothold with technology users (like Firefox did), within a few years they could be as big as Facebook or Google.

My only point is – do not bet on Google, or ANYONE for that matter. It doesn’t matter what changes to SEO may come, as long as you are putting out relevant quality original content and building an audience. No matter what is on top in future – you can take your following with you. There is nothing wrong with ethically using SEO to build online authority and links, and Google actually encourages that in it’s web quality guidelines.

Would you like to know how to get “targeted traffic” to your web site? Usually a loaded question like that would be followed by some ridiculously long sales copy for some ebook or software – wouldn’t it? Don’t worry, that’s not what this post is about. I sell things through affiliate links when I find stuff that works – but I’m like what I call the “anti-Guru” when it comes to all that hyped garbage.

The most common question I get from people is how to get traffic to their web site. They really mean “targeted traffic”, but usually say “How do I get Traffic”?

Then usually the first thing I ask is “What is Your Web Site Ranked for?”, and then I get a blank stare back.

I can’t teach you everything in one blog post, and I will write more about this in the future. I can give you some very basic advice to set you in the right direction…

What is Targeted Traffic Anyway?

Targeted Traffic is:

- getting your web site ranked for specific keywords

Let’s talk about this in basic brick and mortar business terms – ok? Let’s say you have a hardware store and you rent carpet cleaners. If there were no Internet at all – and you wanted to promote the fact that you rent carpet cleaners out, your #1 way to do this would be the yellow page and the phone book. Because this was where you did a quick “search” for the business you needed, and then you would call and find out how much is costs.

There are lots of other types of media, such as using the local newspaper, television, radio, or an independant classified paper. You might be able to also use coupons in the mail, or telemarketing. For a small business owner, sometimes the yellow pages was not only enough – it was all you could afford (because it was expensive).

This is the online age – and “google” is the new yellow pages.

If I need to find you – I would go to google and type something like:

“carpet cleaner rental [mycity]“
“rug doctor [mycity]“
“carpet shampooer [myzipcode]“

If you want to get targeted traffic:

A. You MUST know what words people will use to search for you

B. You MUST use those words in the right places of your web site

How do I find Good Target Keywords?

Well, do some very basic keyword research. The Google keyword Tool is FREE. Type in what you think people would actually use for keywords, and google WILL TELL YOU what actually get’s typed in. Make a basic list of good keywords to use.

The image above shows a basic keyword search I did for the example we’ve been talking about. If you want to know “what to do with those targeted keywords”, or – where to place targeted keywords on your web site, you might want to read my free presentation “Best Practices for WordPress and SEO” that I gave at WordPress Ann Arbor last week.

What is Your Web Site Ranked For

Ahhh, back to the original question I ask when people ask me “How to I Get Traffic”? I always ask “What is Your Web Site Ranked For?” because that determines if you’re going to get targeted traffic or not – and how much you get.

Taking our example further, let’s say your business is “Bob’s Hardware” and your domain name is “www.bobshardware.com”. When people type in Bob’s Hardware by itself, or with your city, zip code, or state – odds are pretty good you’ll be the #1 result. But what about all the things that “Bob’s Hardware” might offer?

What if Bob’s Hardware wants to be found for:

Bob’s Ace Hardware
Bejamin Moore Paint
lawn mower repair
blade sharpening
pellet stoves
outdoor grills

or dozens of other keywords – all combined with your city name, state, zip code, etc.?

If you want web site traffic – and specifically “targeted traffic” – your web site MUST contain the keywords you want to get ranked for somewhere. Having a professional SEO (like myself) help you is good, but believe it or not – you can do a LOT of this work yourself. You just need to know what your keywords are, and then methodically use them in your web site (mixed with a bit of online marketing), and you’ll start getting “targeted traffic”. The more specific keyword phrases you get ranked for (by building individual pages for services), the more traffic you’ll get.

Having no Content is a Mistake

Is your web site an online business card or brochure? Not having content with your target keywords is the biggest mistake you could make. If you have 50 products, you need 50 product pages (maybe more). You need good quality descriptions in titles and headings (and imges) using your “target keywords”. If your homepage is the only source of your organic keyword driven traffic – you’re missing opportunities each an every day for customers.

Going back to our example for this post (the hardware store), your homepage is going to get easily ranked for your business name and/or location in most cases. Specifically and deliberately create inner products or services pages for your business – or don’t expect to get ANY traffic for them at all.

Meaning, in the “carpet cleaner” example – if the hardware stores want to promote their rentals, they have to specifically target a page for that for the search engines.

Again – one last real world example. If the hardware store was still using the yellow pages, it would probably get listed in multiple categories. One for the main business keyword – like the “hardware store” category. They might also get listed in the yellow pages under “Carpet Cleaning”, and “Painting Supplies”.

If you have a web site, the same technique (to get targeted customers) is to create individual pages for your products and services to categorize yourself. Google is the new phone book, and your web site will be used to categorize your business in online search.

How many categories you are “indexed” for – well, that’s up to you and how well you’re setup for “targeted traffic”.