You’ve installed WordPress. It’s free. That’s amazing, and you get to stand on the shoulders of giants with all those great plugins. BUT! Developers need to get paid, and a lot of the plugins have paid versions with the full range of features. So what can a fully fledged WordPress installation cost? This is the unspoken secret of WordPress.
These are the plugins I’m using:
Hosting. Not really a plugin. It’s easy to get free or cheap hosting, but a WordPress site on it can take several seconds to load, especially with plugins enabled. As a benchmark, the Personal plan on wordpress.com is $39 (£30) per year, but it doesn’t really give you that much.
Akismet anti-spam adds better statistics and support for £44 per year.
Cloudflare. You are running this, right? For free it gives you SSL/TLS on your domain, HTTP-to-HTTPS redirects, DDoS protection and CDN caching (for the speed!); for $20 (£15) per month you get more, including the web application firewall.
With Jetpack you get a load more content stuff and lazy image loading for $9 (£7) per month.
WP-Smush, one of my favourites, which crushes images; the Pro version with the really useful enhancements will set you back $49 (£38) per month.
UpdraftPlus, the dedicated backup solution; many, many more features and support will cost you £54 in total.
W3 Total Cache, with more, possibly useless, caching features, will be $99 (£77) per year.
Wordfence security, which bugs me nearly daily to upgrade plugins and also does much more, is $99 (£77) per license.
Yoast SEO which has certainly enhanced my writing for the web, is £79 per license.
And finally something not WP related but which I think is REALLY useful is Grammarly, which has also knocked some corners off my writing style. This is £108 per year, and if I were a professional writer, it would be totally worth it.
The AliExpress plugin is worth it if you want a drop shipping store, and who doesn’t? This is $14 (£11) per month.
Therefore in total, we’re looking at £1156 for the first year! Not insignificant, but developers have to eat!
Quite a large proportion of us run blogs, typically WordPress if we want a degree of control or growth, whether for techie stuff or political agitation.
Whenever I work anywhere, I try to make sure the top priority is security. There’s no point doing anything unless you’re secure. The recent Typeform breach shows that anyone can be hit, and their breach exposed data from Monzo bank. In the grand scheme of things, it wasn’t the end of the world: no passwords were leaked.
If you’re running WordPress and therefore relying on somebody else’s software, these are the things you need to do to stay secure:
Install a security plugin. Yes, it’s a pain in the neck getting daily emails to update your site as themes and plugins release new versions, but given how often they need patching, it’s useful. I use Wordfence.
Make sure you use SSL. As well as Google encouraging us to use SSL and gain SEO advantage, being secure is just generally a Good Thing. Worried about SSL certificates? Don’t be. Just hand your DNS management over to Cloudflare and gain SSL, DDoS protection and much more for FREE. My favourite price. One caveat: in “Flexible” mode only the browser-to-Cloudflare leg is encrypted and Cloudflare talks plain HTTP to your server, so set the SSL mode to “Full (strict)” and put a certificate on the origin (Cloudflare will issue you a free origin certificate for this).
Use strong passwords. Better still, use something like LastPass to generate a long, unique password for every site and store them for you safely.
Use two-factor authentication. Make it one step harder to get into your site. Now a stolen or guessed password isn’t enough: they also need the one-time code from your phone. There’s a plugin for that. We use the Google Authenticator.
Keep up to date. 54% of WordPress vulnerabilities belonged to out-of-date WordPress installs. Keep themes and plugins up to date too: that is where most of the cross-site scripting and SQL injection bugs turn up.
When installing plugins go for the widely used ones: 4-5 star ratings, thousands of satisfied users, and recently updated and tested with your WordPress version, so you know someone is still patching them. Make sure if you go down, LOADS of people go down with you too!
Remove unused plugins and themes. I did that with my personal site and sped it up hugely. Same goes for browser plugins but for different reasons.
Do backups. Second only to security. It won’t prevent hacks but it’ll let you get back in the saddle quickly if something awful happens. I use Jetpack which does loads of other stuff too. Make sure you test restoring a backup! Write-only backups are so 90s.
Change the “admin” name. Trivial, and it takes the default target away from the brute-force scripts. It isn’t a secret though: WordPress reveals usernames through the author archive (/?author=1 redirects to the author’s slug) and the REST API at /wp-json/wp/v2/users, so pair it with a strong password and login limiting rather than relying on it alone.
Limit the number of login attempts. Again, trying to foil brute force. Wordfence and most other security plugins can lock out an IP or username after a handful of failures.
Don’t let people get at your wp-config file. Put this in your .htaccess file. The <Files> wrapper matters: the bare order/deny lines on their own at the top level of .htaccess would block the whole site, not just the one file, and the Apache 2.2 syntax is allow,deny with no space after the comma:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
On Apache 2.4 the equivalent inside the same <Files> block is Require all denied. Check it works by requesting /wp-config.php in a browser and confirming you get a 403.
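The last few tips all leave traces in your web server log, so here is an added example (not from this post, and not Wordfence’s code) that runs the corresponding checks over an Apache access log: it flags any IP hammering wp-login.php with failed logins, spots the username-enumeration probes that make renaming “admin” insufficient on its own, and reports any wp-config.php request that was not refused with a 403. The log lines are constructed sample data; WordPress answers a failed wp-login.php POST with a 200 (the form is re-rendered with an error) and a successful one with a 302 to wp-admin, which is what the brute-force rule keys on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one attacker (203.0.113.7) enumerating users, probing
# wp-config.php and then brute-forcing wp-login.php, plus one legitimate login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2018:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.58.0"
203.0.113.7 - - [10/Jul/2018:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 412 "-" "curl/7.58.0"
203.0.113.7 - - [10/Jul/2018:10:00:02 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.58.0"
203.0.113.7 - - [10/Jul/2018:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
203.0.113.7 - - [10/Jul/2018:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
203.0.113.7 - - [10/Jul/2018:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
198.51.100.4 - - [10/Jul/2018:10:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2018:10:00:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
203.0.113.7 - - [10/Jul/2018:10:00:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
203.0.113.7 - - [10/Jul/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3042 "-" "python-requests/2.19"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def parse_log(text):
    """Parse every line that matches; lines are assumed to be in time order."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def brute_force_sources(entries, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failed wp-login.php POSTs (status 200)
    inside any sliding window of `window_seconds`; value is the peak count."""
    recent = defaultdict(deque)
    flagged = {}
    for e in entries:
        if e["method"] != "POST" or e["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if e["status"] != 200:
            continue  # 302 is a successful login, not a failure
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def enumeration_probes(entries):
    """Requests that reveal usernames: the author archive redirect and the
    REST users endpoint. These show why renaming 'admin' is not enough."""
    return [
        (e["ip"], e["path"])
        for e in entries
        if e["path"].startswith("/?author=") or e["path"].startswith("/wp-json/wp/v2/users")
    ]


def wp_config_exposure(entries):
    """Requests for wp-config.php that were not refused. With the deny rule in
    place every one must get a 403; anything else means the rule is not applied."""
    return [
        (e["ip"], e["status"])
        for e in entries
        if e["path"].split("?", 1)[0].endswith("wp-config.php") and e["status"] != 403
    ]


def triage(text):
    entries = parse_log(text)
    return {
        "brute_force": brute_force_sources(entries),
        "enumeration": enumeration_probes(entries),
        "wp_config": wp_config_exposure(entries),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against your real access log (for example `triage(open("/var/log/apache2/access.log").read())`) once the .htaccess rule and login limiting are in place: the brute-force entries tell you which addresses to block, and a non-empty wp_config list means the deny rule is not being honoured.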
And don’t forget, if you find a security hole, report it! That’s how stuff gets better. Finally, keep the regulator happy: if you collect personal data, handle it in line with GDPR so you never have to send the breach-notification emails.