Tips, tricks, and tutorials for taking your WordPress site to the next level.

How to Log Into WordPress

It’s very easy: you just need to know the name of the standard page for the login screen:

  • Go to your website in a browser.
  • Type in the following after the website name: /wp-admin, so
  • You’ll see a login screen.
  • Enter your User Name and Password.


Getting Started With WordPress

A Complete Starter Guide to Writing, Editing and Maintaining Your WordPress Site

Congratulations on setting up your first WordPress web site. This is a guide to writing and editing webpages on your WordPress site.  As you use, update, and maintain your site, you will begin to understand why WordPress is one of the most powerful and free content management systems (CMS) online and how it will benefit your website or blog for a long time to come.

In this guide, we’re going to show you the basics on how to manage your WordPress site, including logging in, posting new articles and pages, uploading images, creating and editing menus and widgets, and some more advanced features as well.

First, How to Log in to Your Website

There is more than one web address (URL) that you can use to access your log in screen.

WordPress Log In

  • The first is to point your web browser to:
  • The simplest, however, is to go to:

You will be greeted with the log in box shown above. Type in your username and password and click the “Log In” button. This will give you access to your WordPress site dashboard; the dashboard is the WordPress “back-end”, the administration area where you work on editing pages, writing new pages, and other administrative tasks. If you’re already logged in, you will be directed to the WordPress dashboard immediately. If you’ve logged out or timed out of your session, it will automatically redirect you to the log in screen. If you’ve lost your password, you can use the “Lost your password?” link to generate a new one–that feature is built into WordPress.

The WordPress Dashboard-Your Control Center

WordPress Dashboard

On the left side of the screen, you will see a navigation menu to include Posts, Media, Pages, and other sections of your dashboard that will help you manage the entire back and front ends of your site. Without making any changes or adding anything, it’s good to browse through these sections to get acquainted with them and understand how everything is organized in your admin area.

What You Can and Cannot Edit from the Dashboard

You can’t edit everything on your website from the dashboard–certain elements (the header, the footer) are part of your template files, and aren’t meant to be tinkered with. Your template files are the files that determine the appearance of your website–these files reside on your web hosting server, but aren’t easily accessible through the admin area. To change template files, you can connect to your web hosting via FTP.

This map shows various areas of a WordPress site.

The map above is general: all WordPress templates are different. Some templates have graphical sliders, others do not. Some templates have custom, editable menus, and others do not. Generally speaking, the newer your template is, the more features it will have, and the more features you’ll be able to edit from the WordPress dashboard. To get to know your website, you’ll want to get to know your dashboard area.

The key thing to know is that the main content area–the area where the text and images of your Pages and Posts go–is ALWAYS editable from the dashboard by following the instructions in this guide.

Posts vs. Pages: What’s the Difference?

In your dashboard, you’ll notice navigation entries for Pages and Posts–these two elements are key in understanding WordPress. Both Pages and Posts display as text and/or images on your site, with a few key differences:

  • Pages are for static content, not organized by date or category. For example, your “About Us” page or “Contact” page.
  • Posts are news and blog entries that WordPress displays in a blog format, along with categories and tags for organization.
  • Here’s a hint: this document you are reading is a Post. If you browse on the top navigation to our “Contact Us” page, you’ll read a Page.
  • If you have a simple 5-page business card site, you might not want Posts at all (although you should always be blogging and issuing news to engage your customers and tickle the search engines).

Why the dual architecture? Briefly: WordPress began as a blogging platform. Some users wanted more from the platform and, as it matured, WordPress incorporated static pages to accommodate these users. Keep the distinction between Posts and Pages in mind as you write content for your site.

A post is useful for:

  • Latest news from your business;
  • Upcoming events news;
  • A blog or journal entry;
  • News feeds;
  • Interviews, guest blogs, or paid posts;
  • Anything that doesn’t fit in with pages.

Pages are useful for:

  • About Us sections;
  • Contact Us form webpages;
  • Location, directions, and maps to find your business;
  • Registration and log in pages for your users and visitors;
  • Privacy policies, copyrights and other disclaimers, Terms of Service, and other legal issues.

Writing a New Page

We recommend that you create a Page as the first step in writing content for your site. An “About Me” or “About Us” section is a good first step and is best as a Page, not a Post.

1. Go to the left navigation of your dashboard and click on “Pages.” This will open the Pages section of your dashboard and the additional navigation underneath the Pages menu.

2. On the left navigation, you should see “Add New” under Pages. Click on it.

How to Add a WordPress Page

3. “Add a New Page” will open with a blank form where you can enter a title for your Page (this will be the title and the name given on the Page navigation on your website) and a large text area where you can enter content.

4. Give your Page a useful title that will explain what it is and inspire a visitor to click on it.

5. Start writing! As you write, WordPress will save your Page. Additionally, you can click on the “Save Draft” button on the right side. This will not publish your Page live on your site, but save it in your dashboard for later. Your Page won’t be live on your site until you click the blue “Publish” button.

6. If you want to see what your Page will look like before you publish it, click on “Preview Changes” on the upper right side under the “Publish” heading.  This is not a live link; it is only a preview of what your page will look like once you publish it.

7. If you’re ready to publish, click “Publish” on the right side. To view the live page on your site, click on the “View Page” button located underneath the title section of your page.

If your Page does not appear live yet on your site, you may need to take a second step–adding the Page to your WordPress Menu–which you can read about below under the heading “Creating and Editing Custom Menus.”

Editing an Existing Page

Editing a WordPress Page is as simple as creating one–and you will make your edits in the same interface you used to create it. Here’s how to get to the Page edit area:

1. Click on “Pages” on the left navigation in the dashboard; a table showing all of your existing Pages will appear.

Page Menu

2. Find the page you want to edit and click on the title or “edit” link below it. The “Edit Page” screen will appear and it looks like the following:

Edit Page Screen

3. From this Edit Page screen you can make any changes you like. Editing and writing in WordPress is meant to emulate a simple word processor to the extent possible. When writing or editing, you’ll work principally in the text editing window (the area with the “Web Design Portfolio” graphic above). At the top of the text editing window, you’ll find icons that let you make bold text, select headings, and justify text left or right, etc. You’ll also notice two tabs at the top of that window titled “Visual” and “HTML”. The visual edit area is shown in the graphic above, but if you are comfortable editing HTML directly, you can choose the HTML tab, and you can switch back and forth between visual and HTML edit mode. Once you have all your edits the way you like them, click “Update” on the upper right side under the heading “Publish.”

Working With Images in Pages and Posts

It’s easy to add and work with images in WordPress. We’ve got a full, separate tutorial for adding images to WordPress here.

How to Write and Edit Posts

Writing and editing Posts is very similar to writing and editing Pages. The editing interface is exactly the same; there are just a few little extra features.

Creating a new Post

1. To create a new Post, go to “Posts” and select “Add new.”

2. Follow instructions for writing a new Page, but add the following:

a. Posts allow you to categorize your content. So, create or select an appropriate category for your blog post. By default, your Post will be filed under “Uncategorized,” but you can organize better for visitors if you create a few categories to file posts under. For example, if your blog is about fitness, you may want one category for sports and another category for fitness equipment. If you blog about movies, your categories could be different film genres.

b. Posts also allow you to add “tags” to your content. A tag is very similar to a category–tags serve merely as an independent way of grouping or categorizing your content. Tags are optional! One mistake trashy blogs make is to use too many tags for each post. Keep it simple.

Here’s an example of an appropriate use for tags vs. categories. Say you have a movie blog, and you have 3 categories: horror, science fiction, and silent films. Say you write a review of “Westworld” (with the unforgettable Yul Brynner), you would categorize your review under “science fiction” and you could use tags for the actors “Yul Brynner” and “Richard Benjamin”.

The screenshot below shows the category and tag selection areas highlighted.

3. When you’ve got your Post the way you want it, you can preview, save, or publish your blog post. Remember, you can always return later and re-categorize a Post. Say your blog/site gets big and you want to create a category for “70s science fiction”…you’d simply edit your Post, add the new category in the category selection area, and hit the “publish” button to update your Post.

Editing an Existing Post

Editing your post is exactly like editing a page. If you forgot to file your post under a category or give it tags, you can also select “Quick Edit” instead of “Edit” to quickly add those. The screenshot just above shows what the Post Edit window looks like.

Customizing Sidebars, Footers and Other Areas With Widgets

Widgets are amazing little chunks of content that are easy to edit and move around. Typically located in the sidebar, you can add and edit wonderful little pre-coded snippets such as a list of categories, other sites you want to link to, a great video or image, or social media and RSS feeds.

Most of the widgets you’ll want to use at first are already available and just need to be activated. To do this, go to your left navigation. Go to Appearance -> Widgets. Once on the widgets page, you can select whichever existing widgets you want to use for your sidebars, or you can create your own using the Text or Custom Menu widgets.

To activate your widgets, click and drag them to the sidebar sections on the right of the page. Once there, you can open and edit them and rearrange the order you want them to appear in.

Wordpress Widgets

Create and Edit Custom Menus

WordPress now has built-in menu functionality that is compatible with most themes. To create a menu, go to Appearance -> Menus. From there, click on the ‘+’ tab and you will be prompted to enter a name for your Menu. Now click the ‘Create Menu’ button.

To edit an existing menu, first select the menu you want to edit. To add a page to the menu, look at the Pages area, and find the pages you would like to add. Select the pages, and click the ‘Add to Menu’ button. The pages will now exist in the menu area, and you may drag the entries around to your desired configuration. In order to make one page a submenu item, place it below its parent item, and drag it a little to the right.

Advanced WordPress Settings

Now that you’ve learned the basics and have had time to practice and get to know WordPress, it’s a good time to learn some of the more intermediate/advanced settings in WordPress.

Let’s Zap the Comment Spam

If you’ve had problems with comment spam, you may opt to turn off comments or turn on comment moderation to allow you to read and approve comments before they are published. To do this, click on Settings -> Discussion and follow the directions to disable comments, turn on comment moderation, or limit who can post comments. You can also set up your blog to only accept comments on new posts for a certain number of days before commenting has been turned off.

Make Pretty URLs With Permalinks

WordPress seamlessly and automatically handles the creation of URLs through its permalink feature. A permalink is simply WordPress’ way of describing the URL for a particular page. Because keywords in the URL of a page are a ranking factor, if you want to rank for “WordPress Development,” then this URL: will perform better in search (and it just looks so much nicer) than . WordPress’ permalink functionality gives you descriptive URL strings for search engines to follow with no effort at all.

First, you’ll need to turn on Permalinks within the WordPress dashboard—permalinks are not activated in a default installation. To turn on permalinks, log in to the dashboard and follow the left site navigation to “Settings” then “Permalinks”. At the Permalink Settings page, in the section titled Common Setting, click the radio button for “Custom Structure” and enter /%postname%/. This permalink structure will automatically generate URLs from your Page and Post titles—but you’ll still be able to manually change them if necessary.

You now know the basics to operating your WordPress site and can now publish your content for the world to see. Refer back to this How-to Guide if you get stuck and need assistance. It is yours to keep and refer to whenever you need help with posting, editing, or reorganizing your WordPress site.

Happy blogging!

How to Fix WordPress Robots.txt after Googlebot Cannot Access JS and CSS Warning

We’ve been doing SEO for WordPress for a long time. A big part of that has always been controlling the amount, and quality, of indexed pages, since WordPress creates so many different flavors of content automatically. If you’ve read Michael David’s book on WordPress SEO, you’ve seen his ultimate robots.txt file which goes something like this:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /comments
Disallow: /category/*/*
Disallow: /tag/
Disallow: */trackback
Disallow: */comments

Unfortunately, we’re in a post-Mobilegeddon world. Google is expecting free access to render every page in its entirety so it can infer the sort of experience a user would have on various mobile devices. A few weeks ago, a significant portion of the WordPress installations in the world received the Google Search Console warning:

Googlebot cannot access CSS and JS files

Some of you may be wondering why we can’t just remove all Robots.txt disallow rules and let Googlebot decide what it thinks is important, and stop being fussy about what’s allowed and disallowed. For security reasons, you don’t want to have deep indexing of your site publicly searchable. For instance, the following search term gives you a list of thousands of WordPress installations which have the highly hackable timthumb.php:

intitle:index timthumb.php

Just something to think about when you assume that Google has your site’s best interests at heart.

It’s possible that you can go through each resource, and allow the precise file paths line by line. But that’s going to be very time consuming.

The solution which has been going around (advocated by the likes of SEOroundtable and Peter Mahoney) is to add an additional few lines which explicitly allow Google’s spiders access to the resources in question:

user-agent: googlebot
Allow: .js
Allow: .css

Yes, this unblocks the JavaScript and CSS resources; you can see it working in the Search Console fetch and render tool. Unfortunately, this also allows Googlebot access to the entire site.

If you haven’t read the Google developers page on Robots.txt, I highly recommend doing so. It’s like 50 Shades of Grey for nerds. The section under “Order of Precedence for User-Agents” states “Only one group of group-member records is valid for a particular crawler . . . the most specific user-agent that still matches. All other groups of records are ignored by the crawler.” By creating a new group for Googlebot, you are effectively erasing all prior disallow commands.

Google Search Console robots.txt tester: allowed

You can try putting the allow directives within the main group-member, but that won’t work either, because of the order of precedence of group-member records. The longest (most specific) rule is going to win, so the following rules would leave the javascript resources blocked:
user-agent: googlebot
disallow: /wp-content/
allow: .js

Google Search Console robots.txt tester: blocked

And wildcard conflicts are undefined. So it’s a tossup result for:
user-agent: googlebot
disallow: /wp-content/themes/
allow: /wp-content/themes/*.js

The long and the short of it is there is no simple cut-and-paste solution to this issue. We’re approaching it on a case by case basis, doing what’s necessary for each WordPress installation.
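
The group selection and longest-match behaviour described above can be reproduced offline. This Python sketch is an added example, not code from this post or from Google: it is a simplified model of the quoted precedence rules, the function names are hypothetical, the sample robots.txt strings are constructed from the rules shown above, and patterns are assumed to be anchored at the start of the URL path.

```python
import re

# Constructed samples, built from the robots.txt rules shown in this post.
BASE = """\
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
"""
# The widely shared "fix": a separate group just for Googlebot.
WITH_GOOGLEBOT_GROUP = BASE + """
user-agent: googlebot
Allow: .js
Allow: .css
"""
# Allow placed inside a group that also carries a longer Disallow.
ALLOW_INSIDE_GROUP = """\
user-agent: googlebot
disallow: /wp-content/
allow: .js
"""


def parse_robots(text):
    """Return {user_agent_token: [(is_allow, pattern), ...]}."""
    groups, agents, seen_rule = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if seen_rule:                        # a rule ended the previous group
                agents, seen_rule = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif key in ("allow", "disallow") and agents:
            seen_rule = True
            if value:                            # an empty pattern matches nothing
                for agent in agents:
                    groups[agent].append((key == "allow", value))
    return groups


def select_group(groups, crawler):
    """Only ONE group applies: the most specific matching user-agent."""
    crawler = crawler.lower()
    named = [a for a in groups if a != "*" and crawler.startswith(a)]
    if named:
        return max(named, key=len)
    return "*" if "*" in groups else None


def pattern_matches(pattern, path):
    """Match from the start of the path; '*' is a wildcard, '$' anchors the end."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    if anchored:
        regex += r"\Z"
    return re.match(regex, path) is not None


def is_allowed(robots_txt, crawler, path):
    """Longest matching rule in the selected group wins; Allow wins a tie."""
    groups = parse_robots(robots_txt)
    agent = select_group(groups, crawler)
    if agent is None:
        return True
    best = (-1, True)                            # no matching rule: crawling allowed
    for is_allow, pattern in groups[agent]:
        if pattern_matches(pattern, path):
            best = max(best, (len(pattern), is_allow))
    return best[1]


if __name__ == "__main__":
    for label, robots in (("base", BASE), ("with googlebot group", WITH_GOOGLEBOT_GROUP)):
        for bot in ("googlebot", "bingbot"):
            verdict = "allowed" if is_allowed(robots, bot, "/wp-admin/") else "blocked"
            print(f"{label:22} {bot:10} /wp-admin/ -> {verdict}")
```

Running it shows /wp-admin/ blocked for every crawler under the base file, then open to Googlebot alone once the extra group is added, which is the side effect described above.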

As far as keeping the indexes clean, we’re going to lean heavily on the robots metatags, as managed by our (still) favorite SEO plugin. Expect the role of robots.txt to be greatly reduced going forward.

Is WordPress Good for SEO?

Updated for 2015

We originally wrote this post back in 2010, and now revisit the question. We get asked a lot about WordPress’ suitability for search engine rankings. WordPress’ reputation for having a sound foundation for SEO has certainly seeped into the public’s mind. For the most part, the reputation is deserved. This site runs on WordPress, and ranks very well for our intended keywords.

There are a few drawbacks with WordPress, but like most things SEO, it’s really about the cumulative effect of everything. Overall, we’d grade WordPress an A- on its suitability and power for SEO purposes. But it’s so good at so many things that it presents a compelling story overall.

First, a summary and then we’ll dig into the nuts and bolts.

Is WordPress Good for SEO?

  • WordPress generates a very search-friendly URL structure
  • Speed of publishing is superb
  • Built-in Ping services notify web properties of your new content
  • Plenty of Plug-in and development support for SEO features from the WP community
  • Built-in sharing and commenting (depending on the theme used)


Benefit: Search-Friendly URL Structure

WordPress seamlessly and automatically handles the creation of URLs through its permalink feature. A permalink is simply WordPress’ way of describing the URL for a particular page. Because keywords in the URL of a page are a ranking factor, if you want to rank for “WordPress Development,” then this URL: will perform better in search than .

WordPress’ permalink functionality gives you descriptive URL strings for search engines to follow with no effort at all. First, you’ll need to turn on Permalinks within the WordPress dashboard—permalinks are not activated in a default installation. To turn on permalinks, log in to the dashboard and follow the left site navigation to “Settings” then “Permalinks”. At the Permalink Settings page, in the section titled Common Setting, click the radio button for “Custom Structure” and enter /%postname%/. This permalink structure will automatically generate URLs from your Page and Post titles—but you’ll still be able to manually change them if necessary. Because the titles of your Posts and Pages are relevant to the topic of your content, the permalinks based on your titles will be relevant as well.

In WordPress version 4 and above, you can also simply select the newly included permalink “Post name” instead of “Custom Structure”–but look closely because WordPress will insert a trailing slash at the end of your page URLs. We prefer our URLs without trailing slashes, which you can accomplish with the following:


WordPress SEO Benefit: Speed of Content Creation

WordPress is built to run: it is designed for the speedy and continual publishing of content. Since I have converted nearly all my sites and most of my clients’ sites to WordPress, our speed to publishing has increased. On a static HTML site, the creation of content would generally involve either hard-coding the article, or using a WYSIWYG interface, then adjusting menus–sometimes on multiple pages.

With WP, sites grow big and grow fast. All that content brings breadth to your keyword families quickly, and your large site can quickly become “bait” for inbound links from other websites.

WordPress SEO Benefit: Crawlability

Websites must be crawlable by search engines in order to be indexed properly and appear in search rankings. WordPress’ internal logic and link structure is simple and shared universally among millions of websites–so WP is familiar ground for search engines. This familiarity means that Google’s spiders can find what they are looking for, and index and rank the content with confidence. WordPress won’t generate a lot of duplicate content (although it generates some).

SEO Benefit: Plug-Ins and Support

Because the WordPress community is so large (enormous, really), the variety and number of plug-ins for SEO support has grown tremendously (Plug-ins are small software modules that website owners can optionally install in addition to the default WP installation). The All in One SEO Plug-In, or the Platinum SEO Pack are both quick and easy “one stop” plug-ins that accomplish a basic, but sound set of SEO goals such as manual Title Tags and Meta Descriptions.  These plug-ins extend WordPress’ functionality to rival the control and customization you would achieve under a static site.

SEO Benefit: New Content “Bump”

Another great feature of WordPress, which is also shared by other blogging platforms, is the “new content bump”. A new post (generally not a “page” though–WP divides its content into two classes of webpages: “posts” and “pages”) will receive an initial lift in rankings during its first few days after publishing. This is logical: blog posts are intended to be topical and current, like a news item–Google treats this fresh content as noteworthy and rewards it with a bump in initial rankings. Ranking position will generally settle down after a few days.

SEO Benefit: Pings, Comments and Trackbacks

Pings, Comments and Trackbacks are interactive features built into WP–these supplemental tools let other blogs and individuals interact with a WordPress site: this brings inbound links and traffic (in the case of pings and trackbacks), and free content and visitors  (in the form of comments to blog posts).

SEO Drawback: Poorly Designed Themes

But it’s not all rosy: I see a lot of poorly designed themes that undercut WordPress’ SEO power. Here’s an example I often see: a theme/template will be designed with the blog’s title bearing a Heading 1 (h1) tag–that’s not the way to go. The h1 tag should speak to the subject/topic of each page or post–to repeat an h1 tag mindlessly throughout hundreds of pages on a blog is a waste of a valuable SEO tool.

The fix? Code the Blog Title in a plain old CSS class–and utilize the powerful h1 tag for the on-page title for each post or page.

SEO Drawback: Rigidity in Menu Presentation

The biggest hang-up that WP forces upon us is perhaps the way menus are presented. The Page/Post methodology described above generally means that posts and pages are kept separate in menus. That’s not an insurmountable problem, but excluding individual pages from particular menu locations (like a top bar menu, where space is limited) can require coding the WP template’s core .php files, or inserting page IDs in Widget boxes ad nauseam. Now, to get advanced: If you want to “nofollow” certain page links, say to a contact page or a privacy policy page (in a static site, this task is a breeze) you can either forget it, or go hunting for a plug-in.

When it comes to menu presentation in WordPress, I have learned “the wisdom to recognize that which I cannot change”. I have adapted, and I got over it. It’s a small price to pay for all this power.

Ultimate WordPress Hacking Recovery Guide

First, a confession: I have had my WordPress sites, and my clients’ WordPress sites, hacked a few times. Most hackers do very little damage, and you can clean and secure your site with a little bit of know-how.

We’ll divide this lengthy guide into several sections:

  • Diagnosing if You Have Been Hacked
  • Cleaning Your WordPress Site
  • Securing Your WordPress site against reinfection or future hacks

What You’ll Need to Clean Your WordPress Site

  • A good FTP program, like Filezilla.
  • All of your web hosting passwords, including FTP and control panel access. If you are on hosting with a separate database password (like GoDaddy), you’ll need that too.
  • A clean backup of your theme and database if you have them.
  • A basic understanding of how WordPress works.
  • A lot of patience and a willingness to do battle with the bad guys.

Diagnosis: How You Know Your WordPress Site Has Been Hacked, the Obvious Clues

In nearly all cases, you’ll know quite clearly that your site has been hacked. The most obvious clue will be when Google throws up a warning page like this one:

Or your meticulously edited could be replaced by a political message:

Or, your site might be hijacked to display a cute ninja turtle (yes, it happened):

The hacks shown in the screenshots above are not serious. These are honorable (sort of) hackers who hack for sport and street cred–they rarely do any damage, and they rarely intend to re-infect your site (although below we’ll discuss mandatory measures you’ll need to take to secure your site headed forward).

Diagnosis: When the Hacking Is Less Obvious and More Malicious

If your site has been taken over by a black hat SEO, the clues may be less obvious, and the danger to your website more serious. If you’re lucky, they’ll fill your site up with keyword gibberish in Turkish:

If you’re not lucky, you may go for weeks or even months before finding the hidden Cialis and Viagra links in your source code.

Another favorite goal of more sophisticated hackers will be to employ your website as a mail server; hackers can then send spam emails. The danger to you here is that your IP address can be blacklisted and you’ll have trouble sending legitimate mail in the future.

From time to time you should open your homepage and press Ctrl-A (select all), which may help you spot those sorts of freeloading links. Even though those links might not harm the user experience, they can significantly impact your rankings and might even get you removed from the index.

Diagnosis: Tools for Determining if You’ve Been Hacked

  • Google’s safe browsing diagnostic page can tell you if your website contains malicious software. The tool will even detect which form of malicious software or virus your site might be carrying. To use Google’s safe browsing diagnostic page, you’ll need to enter this long, ugly URL in your browser window and replace “” with your own domain:
  • Check your Google Webmasters account to see if there are any malware warning messages in there. If you’ve got the maroon screen described above, there will almost always be a message in your Webmasters admin area.
  • Try the Sucuri SiteCheck scanner; it’s free and will identify major malware infections.

Procedure for Removing Hack

Find the Extent of the Incursion

Before you start repairing anything, do some sleuthing to find the hacker’s footprints. Log in via FTP and search for any files which were altered recently. Filezilla has a feature which allows you to search the entire site by last modification with a touch of a button. Frequently you can narrow down to the hour when your site was compromised.

Things you will be looking for through FTP:

  • Index.php files which were recently modified. An index file in your web root will effectively hijack an entire WordPress installation
  • Any new PHP file
  • Recently modified files in your WP-themes folder. Sometimes hackers will insert hardcoded links into Header.php files and other template files
  • Uploaded media files, particularly of strange file types. Some WordPress features may allow a hacker to upload a script to your server that executes read and write commands
  • PHP files with obscured code. WordPress is an open-source software project. It will never have obscured code, or even poorly commented code.
  • Large, mysterious, suspiciously named files of any type. WordPress rarely uses file names with random-seeming names.
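
One way to automate part of this checklist against a copy of the site downloaded over FTP, shown as an added example that is not part of the original guide. The function names, reason labels, seven-day window and sample tree are constructed for illustration, and it covers three items from the list: recently modified PHP files, PHP files in the uploads folder, and obscured code.

```python
import os
import re
import tempfile
import time

PHP_EXTENSIONS = (".php", ".phtml", ".php5")
# Heuristics for "obscured code": eval() wrapped around a decoder, or a very
# long unbroken base64-looking run. Stock WordPress core files contain neither.
OBFUSCATION = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")


def triage(root, since_epoch):
    """Walk a local copy of the site and return {relative_path: [reasons]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            # Recently modified index.php, theme templates, or any new PHP file.
            if os.path.getmtime(path) >= since_epoch:
                reasons.append("recently-modified-php")
            # The uploads folder should hold media, never executable scripts.
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")
            with open(path, "rb") as handle:
                data = handle.read(2_000_000)    # cap the read on huge files
            if OBFUSCATION.search(data) or LONG_BLOB.search(data):
                reasons.append("obscured-code")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(root, now):
    """Create a small CONSTRUCTED site copy so the scan can be tried offline."""
    old, recent = now - 400 * 86400, now - 3600
    samples = {
        "index.php": (b"<?php require __DIR__ . '/wp-blog-header.php';\n", old),
        "wp-content/themes/demo/header.php": (b"<?php wp_head(); ?>\n", recent),
        "wp-content/uploads/2015/08/logo.png": (b"constructed placeholder", recent),
        # Harmless stand-in for an obscured script: it decodes to "echo 1;".
        "wp-content/uploads/2015/08/cache.php":
            (b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n", old),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
        os.utime(path, (mtime, mtime))           # backdate or freshen the file


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as site_copy:
        build_sample_tree(site_copy, now)
        report = triage(site_copy, since_epoch=now - 7 * 86400)
        for rel, reasons in sorted(report.items()):
            print(f"{rel}: {', '.join(reasons)}")
```

Modification times reset when files are downloaded without timestamp preservation, so the first check is only meaningful if the FTP client keeps the server's timestamps.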

Examine any logs you may have available through either your cPanel or your FTP. Access logs and error logs will give you clues as to what’s going on.

Check your database for unusual activity. Log in to phpMyAdmin and search for telltale keywords like “Viagra” or “Cialis.”

Check your database for users with seemingly random email addresses or usernames. Hackers will happily insert their own contact information into your site so they can use the recover password function to regain access to your site.

See What Google Has Found

Do a site search of your WordPress installation by typing “site:EXAMPLEDOMAIN.COM” in the Google search bar. This will give you a list of all the pages Google currently has in the index. Look for pages which the hackers generated out of whole cloth. These can persist in the index long after you’ve actually cleaned up the hack, and will have to be removed using Google Webmaster Tool’s remove URL function.

Don’t Forget to Check Your Own Computer!

Sometimes the source of a security breach is as close as your own fingertips. Whether you’re accessing your WordPress site from the home or office, there are many ways for a hacker to steal your passwords. Have you recently accessed your site through a wifi network, or from your smartphone? Never save your passwords on your FTP client. It is a simple matter for malware to read those passwords off your hard drive. The passwords for Filezilla aren’t even encrypted. Consider how easy it would be for a virus or other malicious software to grab your passwords, through keystroke capture or any other method. It’s vitally important to maintain a secure connection to your site. This would be a good time to run a Microsoft Security Essentials full scan on your computer.

Check the Other Sites on Your Server

It might be that the hack didn’t originate on your own site. Sometimes your hosting may be compromised at the server level, through no fault of your own. To test this out, visit some of the other WordPress sites on your shared hosting server to see if they have the same problem you do. You may not have ever checked out your server neighbors before, but luckily there’s a tool to help you out: the MajesticSEO Neighborhood Checker.

Change ALL the Passwords

There are at least four different passwords which unlock a WordPress site. If one of them has been compromised, the others have been peeled open too. If the hacker has your FTP password they can use that to read the database password which is displayed openly in your WP-config file, and with that they can edit the WP users. If your FTP password is the same as your cpanel login, which is default on many hosting services, then you will also need to worry about email addresses and passwords, database users, and possibly even your domains. Whatever passwords you have, change them, and change them quickly.

Screen Your WordPress Users

It will do you no good to change the passwords if the hackers can recover the passwords of an admin-level user. Make sure that all of the emails associated with your users correspond to an appropriate email address, and not an email controlled by the hacker. If you have a number of admin users and one of them has a compromised email, then you’re in trouble.

Rollback to Backups or Remove the Hacker Code Manually

At this point you should have a good idea of the extent and the source of the hack. If the root directory index.php has been overwritten, then you can replace that file with one from a fresh WP installation. If theme files have been overwritten, then hopefully you have a backup. Frequently you can just remove any hardcoded script by hand and be more or less back to normal. Otherwise, if you have a backup of your database and wp-content folder which you know is clean, you can backtrack to those (making sure the old user passwords are secure).

Upgrade Everything

It’s easy to fall behind on updates. Sometimes we’re reluctant to install updates because nothing breaks a site quite as fast as a beta version from a volunteer open source project like WordPress. But sometimes those updates to the WordPress installation or the plugins contain important security patches. It’s not a panacea, but now that you’ve been hacked you want to leave no stone unturned.

Re-install WordPress. This will overwrite most of the critical files in the wp-admin and wp-includes folders and reduce the chance of hidden trojan code hanging around.
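Before overwriting anything, it helps to know exactly which core files differ from a fresh download. The following is an added example, not part of the original article: the function names are hypothetical, the demo trees are constructed, and it assumes the fresh copy is the same WordPress version as the live site.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # folders a re-install overwrites
SITE_ONLY = {"wp-config.php"}  # created per site, absent from a fresh copy


def core_files(root):
    """Map relative path -> SHA-256 for root-level *.php and the core folders."""
    root = Path(root)
    files = [p for p in root.glob("*.php") if p.is_file()]
    for name in CORE_DIRS:
        if (root / name).is_dir():
            files += [p for p in (root / name).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix():
            hashlib.sha256(p.read_bytes()).hexdigest() for p in files}


def compare_to_fresh(live_root, fresh_root):
    """Compare a live install with a fresh download of the same version."""
    live, fresh = core_files(live_root), core_files(fresh_root)
    return {
        "modified": sorted(f for f in live if f in fresh and live[f] != fresh[f]),
        "unexpected": sorted(set(live) - set(fresh) - SITE_ONLY),
        "missing": sorted(set(fresh) - set(live)),
    }


def demo():
    """Run the comparison on two constructed trees (not real WordPress files)."""
    clean = {"index.php": b"<?php // front controller\n",
             "wp-admin/admin.php": b"<?php // admin screen\n",
             "wp-includes/version.php": b"<?php // version\n"}
    hacked = {**clean, "index.php": b"<?php // overwritten\n",
              "wp-config.php": b"<?php // site settings\n",
              "wp-includes/extra.php": b"<?php // not in a fresh copy\n"}
    del hacked["wp-admin/admin.php"]
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("fresh", clean), ("live", hacked)):
            for rel, data in tree.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_to_fresh(Path(tmp, "live"), Path(tmp, "fresh"))


if __name__ == "__main__":
    print(demo())
```

Files listed as "unexpected" inside wp-admin or wp-includes deserve a manual look before the re-install. The wp-content folder is not compared because it has no clean reference copy.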

Steps You Can Take to Prevent Hacking in the Future

Now that you’ve cleaned up your site, you’re going to want to block attempts at re-infection.

  • Never save SQL backups on any public server.
  • Save frequent SQL backups to your home computer. Having a backup can speed up the cleaning process.
  • Keep your TimThumb.php file up-to-date. This helpful but vulnerable WordPress add-on has been particularly troublesome for WordPress owners over the years.
  • Maintain security consciousness with any computer you use to access your site.
  • Add a security plugin like Wordfence. This will prevent brute force attacks from known hacker IPs and plug other security holes you might not have thought about.

Know When You’re Over Your Head!

This article won’t give you a solution to every single hacking problem. We’ll update as we learn more, but hackers are always on the bleeding edge and coming up with new ways to mess things up. If you’re getting repeatedly infected, or if you can’t restore the site to its original state, then it’s time to employ a reputable WordPress expert to lend a hand.

Send Us Your Hacking Stories!

Leave us a comment if you’ve got a hacking story to share. We want to know how they got in and how you fixed it. Show the code if you’ve got it!

How To Delete All WordPress Pending Posts

Have you run a multi-user blog that has gone out of control? I had an open blog that over the years accumulated thousands of, ahem, “poor quality” articles in “pending” status. Rather than delete them in batches in the admin, I figured out an SQL command that can remove all of them in a few seconds. But before I give you that…

Back Up Your WordPress Database

This is something you should do anyway. You backup your database by logging into your website control panel (hopefully you use cpanel) and clicking the icon for phpMyAdmin. Select “Export” on the top navigation and select SQL format and download the file to your local machine. That file is your database backup.

SQL Command to Delete WordPress Pending Posts

Again, in phpMyAdmin, click “SQL” on the top navigation, and enter the following command and click “Go”. This will also delete pending pages!

DELETE FROM wp_posts WHERE post_status = "pending";

Delete WP Pending Posts

That’s it. Your pending posts and pages will all be deleted.

Setting Up a Single Payment Page for WordPress

Stripe handles credit card payments at 2.9% (the same as PayPal) and lets you integrate a single payment page or popup page within your WordPress site. Stripe is set up not as a total ecommerce solution, but rather is a better fit for single payments or donations. It has the advantage over PayPal in that customers aren’t required to sign up for an account and aren’t taken to a separate gateway to make a payment.

Another option for payment solutions for those willing to attempt to gsayPal and Stripe in terms of price, as it’s only 25 cents per transaction. Dwolla offers the simple integration of a button and a WordPress plugin as well, but it does require that customers go through a signup process.

Stripe works well and is very easy to integrate with the WP-Stripe plugin, which allows for installation via shortcode or template insert.

Installation for WordPress

Here we’ll cover the installation of the plugin and how to set up for WordPress.

Let’s start within WordPress. Log in to your site and navigate to Plugins. Click Add New and search for “WP Stripe.”

Click Install > Okay > Activate Plugin


Then under the Settings tab of your WordPress admin, select WP Stripe.

Then select the WP Stripe Settings Tab.


In order to start taking payments and test payments, you need to go register an account at

Once you’ve registered and logged in, you’ll be able to grab your API keys at this link: Stripe API Keys.

Take those API Keys (both the live and test keys) and copy/paste them into your WP Stripe settings area within your WordPress Dashboard. Then click Save Changes.


Then you want to create a new page and enter the WP Stripe short code [wp-stripe]

Publish the page and it will look something like this:


One neat thing about Stripe is that it includes a popup form so that you really don’t have to modify any CSS if you’d rather not. Unlike a heavy eCommerce cart, Stripe is a fairly lightweight solution, so other than the plugin, with this particular type of integration, all the heavy lifting is done through Stripe, which also means better security.

To test Stripe (highly recommended) before sending clients to the newly created payments page, use the following dummy info.

Card Number 4242424242424242
Card Month 05
Card Year 2015
CVC Number 123

After you run the test, you should see the amount of test money you sent show up both in your WP Stripe area of the WordPress admin and in the Stripe dashboard as well.

Pro tip: If you want to eliminate the optional check box that asks to display recent donations or payments in the payment popup window, simply uncheck “Enable Recent Widget?” in the WP Stripe admin area.

That covers basic setup of WP-Stripe for a WordPress website. For more advanced tutorials and documentation Stripe has a well organized Developers portal. You can find an archive of our WordPress tutorials here.

Author: Ryan Howard is a TastyPlacement alumnus who now runs a digital refinery offering WordPress designs, local search marketing, ecommerce SEO services, and social media strategy.

WordPress Tutorial: Display All Posts on a Page

How to Create an Interior /blog/ Page That Mimics a Traditional WordPress Front Page

We got hung up recently trying to create an interior blog page (i.e.,  for a client’s design. This problem is more common now with full-featured templates and frameworks that employ sliders and carousels on the front page that are triggered by a template’s index.php file.

First, Create a Custom WordPress Page Template

First, you’ll need to create a custom WordPress page template. All WordPress templates have a page.php file as part of the default template–we simply want to vary that file a little bit. Make a copy of your page.php file and name it page-blog.php.

Next, you need to enter the following code at the very top of your new php file:

<?php /* Template Name: Blog */ ?>

The code above is a naming tag–the template name, in this case “Blog” will be the name that appears in the template selection box at the WordPress page edit window, which we’ll screenshot below.

The Code

Now, you can’t simply run the regular WordPress loop on our custom interior page, we are going to use the WordPress template tag get_posts to query our WordPress database and grab our posts. The following code accomplishes this:

<?php
$myposts = get_posts('');
foreach ($myposts as $post) :
  setup_postdata($post); // make the template tags below read from this post ?>
  <div class="post-item">
    <div class="post-info">
      <h2 class="post-title">
        <a href="<?php the_permalink(); ?>" title="<?php the_title_attribute(); ?>">
          <?php the_title(); ?>
        </a>
      </h2>
      <p class="post-meta">Posted by <?php the_author(); ?></p>
    </div>
    <div class="post-content">
      <?php the_content(); ?>
    </div>
  </div>
  <?php comments_template(); ?>
<?php endforeach; wp_reset_postdata(); ?>

For the purposes of illustration, a greatly simplified version of the preceding code, without any html markup, hrefs, author information, post date data, or comment section would be as follows:

<?php
$myposts = get_posts('');
foreach ($myposts as $post) :
  setup_postdata($post); ?>
  <?php the_title(); ?>
  <?php the_content(); ?>
<?php endforeach; wp_reset_postdata(); ?>

How it Works

So what’s happening here? Well, the heart of the whole process is get_posts–this template tag queries the WP database and gets our posts.

Next, the foreach construct processes each post in turn, so we’ll have all our posts on our blog page. The setup_postdata WordPress function, well, sets up our data so it’ll display properly (otherwise the_content may not display the text of our posts). Finally, wp_reset_postdata restores the $post global variable.

Once you’ve created the file, you’ll obviously want to upload it to your template (theme) directory.

Setting Your Blog Page

Your next step is to simply set up your blog page within the WordPress dashboard. From the WP dashboard, go to Pages, then Add New and create a page with a title “Blog” (or whatever is suitable). Remember the custom template we created above under the heading First, Create a Custom WordPress Page Template? You should now see your custom template name appear under the “Template” pull-down in the Page Edit screen, as indicated in the pic below by the green arrow.

Set the blog page by selecting the “blog” template

You don’t need to put any text in the text edit window, you just need a title–you won’t be displaying any page text here, you’ll be bypassing the specific text of this post and grabbing posts from the database.

Some Background on Why This Was Needed

Incidentally, framework and template designers that hijack WordPress’ index.php file to display a homepage slider, while requiring WordPress’ reading settings to be set to “Your latest posts” as shown in the screenshot below are doing a disservice to users (hence mandating this tutorial). The sounder practice is to code sliders and homepage features into a custom WordPress template.

Video Tutorial: All in One SEO Pack to Yoast WordPress SEO Plugin Migration

We’ve seen the light and are converting to the Yoast WordPress SEO plugin on all of our sites. However, when migrating from your existing SEO plugin to the (superior) Yoast plugin, there are a few tricks along the way that will help your conversion go seamlessly and keep your pages displaying properly. This tutorial walks you through the migration from the All in One SEO Pack to the Yoast SEO plugin for WordPress. Watch and learn – you (and your website) will be glad you did.

Video Tutorial: How to Clean Up Your WordPress Head

By default, WordPress prints a lot of extra code to the “head” section of webpages that it generates. For example, it prints a “generator” meta tag that identifies the site as a WordPress site–that can serve as a flag to hackers that specifically target WordPress sites. In this video tutorial we’ll learn a quick and easy way to clean the following items from your WordPress installation:

Here’s code to install in your functions.php to follow the above tutorial:

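remove_action('wp_head', 'rsd_link'); // Really Simple Discovery (RSD) link
remove_action('wp_head', 'wp_generator'); // "generator" meta tag naming WordPress
remove_action('wp_head', 'feed_links', 2); // links to the main post and comment feeds
remove_action('wp_head', 'index_rel_link'); // rel="index" link
remove_action('wp_head', 'wlwmanifest_link'); // Windows Live Writer manifest link
remove_action('wp_head', 'feed_links_extra', 3); // links to extra feeds such as categories
remove_action('wp_head', 'start_post_rel_link', 10, 0); // rel="start" link
remove_action('wp_head', 'parent_post_rel_link', 10, 0); // rel="up" (parent post) link
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); // rel="prev" and rel="next" links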
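To confirm the cleanup took effect, the page's head can be checked for leftover tags. This is an added example, not part of the original tutorial: the class and function names are hypothetical, the sample HTML is constructed, and the mapping from rel values to callbacks is this example's assumption.

```python
from html.parser import HTMLParser

# <link rel> value -> wp_head callback assumed (by this example) to print it.
REL_TO_HOOK = {
    "edituri": "rsd_link", "wlwmanifest": "wlwmanifest_link",
    "index": "index_rel_link", "start": "start_post_rel_link",
    "up": "parent_post_rel_link", "alternate": "feed_links/feed_links_extra",
    "prev": "adjacent_posts_rel_link_wp_head",
    "next": "adjacent_posts_rel_link_wp_head",
}

# Constructed sample of a page head before the cleanup (not from a real site).
SAMPLE_HEAD = """<html><head>
<meta name="generator" content="WordPress 0.0-example" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.com/xmlrpc.php?rsd" />
<link rel="alternate" type="application/rss+xml" href="https://example.com/feed/" />
<link rel="alternate" hreflang="es" href="https://example.com/es/" />
</head><body><p>content</p></body></html>"""


class HeadAudit(HTMLParser):
    """Collect <head> tags that the remove_action() calls should have removed."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.findings = []  # (callback name, attribute value that revealed it)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "head":
            self.in_head = True
        elif self.in_head and tag == "meta":
            if attr.get("name", "").lower() == "generator":
                self.findings.append(("wp_generator", attr.get("content", "")))
        elif self.in_head and tag == "link":
            is_feed = any(k in attr.get("type", "") for k in ("rss", "atom"))
            for rel in attr.get("rel", "").lower().split():
                # rel="alternate" also marks translations; count feeds only.
                if rel in REL_TO_HOOK and (rel != "alternate" or is_feed):
                    self.findings.append((REL_TO_HOOK[rel], attr.get("href", "")))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_head(html):
    parser = HeadAudit()
    parser.feed(html)
    return parser.findings
```

Feed the function the saved source of any public page on the site. An empty list means none of the tags covered by the snippet above are still being printed.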