Using WordPress for Business? 8 Things You Need to Know

Powering more than 25% of the web (over 75 million websites), WordPress is the most popular CMS in the world. But if you are (or are thinking about) trusting your business to WordPress, you had better know these 8 things.

Before I get into what those 8 things are, let me first say this: do I think you should use WordPress for your business? Absolutely. At AdPlugg we work with thousands of sites using dozens of different platforms and CMSs. In addition, the core of our staff are all web developers and marketers. We’ve worked personally with many different types of websites as users, marketers and developers. WordPress’ combination of high ROI, low cost of ownership, flexibility and ease of use makes it a great choice for most sites. Anything from a personal blog to massive news sites like The New York Times and the BBC can (and do) use WordPress.

However, in addition to the often lauded success stories, the web is littered with thousands of stories of downtime, “white screens”, scaling issues, hacked sites, massive revenue losses and more. Before getting involved with WordPress, you had better know the common problems and how to make sure that your site and business are safe.

8 Things You Need to Know About WordPress for Business

So here are the 8 things that you absolutely need to know if you are going to trust your business to WordPress.

1. WordPress is a Major Target for Site Hackers

Attackers aim their effort at the largest possible population of targets to maximize their return. This is why most viruses target Microsoft Windows. WordPress now has the largest share of the web, so attackers scanning the web for vulnerable sites put the bulk of their effort into WordPress. If you were on a more obscure or homegrown CMS before, you may find that your risk goes up as soon as you move to WordPress, simply because of the volume of attackers and scripts that specifically go after WordPress sites.

As a quick example, we’ve seen access logs of non-WordPress sites showing millions of access attempts at the URL /wp-admin (this is where the admin page would be if the site were running WordPress).
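An added example (not code from the original post or from AdPlugg) of what spotting this traffic looks like in practice: a small Python scanner that parses access-log lines in the common "combined" format and counts requests to WordPress-only paths per client. On a site that does not run WordPress, every such hit is a scanner. /wp-admin is the path the post mentions; /wp-login.php and /xmlrpc.php are added here as the other endpoints scanners routinely probe. The log lines are constructed for the example.

```python
"""Added example: find WordPress probes in a non-WordPress site's access log.
Every name here is an assumption made for the example; the log lines are constructed."""
import re
from collections import Counter

# Paths that exist only on a WordPress install. /wp-admin is the one the post
# mentions; the login and XML-RPC endpoints are added here as the other usual targets.
WORDPRESS_PROBE_PATHS = ("/wp-admin", "/wp-login.php", "/xmlrpc.php")

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_wordpress_probe(path):
    """True when the request path (query string ignored) targets a WordPress-only
    endpoint, including installs in a subdirectory such as /blog/wp-admin/."""
    bare = path.split("?", 1)[0].rstrip("/") or "/"
    return any(bare.endswith(p) or (p + "/") in bare for p in WORDPRESS_PROBE_PATHS)


def summarize_probes(lines):
    """Count WordPress probes per client IP and per path.

    Returns (probes_by_ip, probes_by_path, unparsed_line_count)."""
    by_ip, by_path, unparsed = Counter(), Counter(), 0
    for line in lines:
        fields = parse_line(line.rstrip("\n"))
        if fields is None:
            unparsed += 1
            continue
        if is_wordpress_probe(fields["path"]):
            by_ip[fields["ip"]] += 1
            by_path[fields["path"].split("?", 1)[0]] += 1
    return by_ip, by_path, unparsed


# Constructed sample: a static site (no WordPress) receiving scanner traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:13:56:02 +0000] "GET /blog/wp-admin/install.php?step=1 HTTP/1.1" 404 162 "-" "curl/7.47"
this line is not an access-log record
"""


def report(log_text=SAMPLE_LOG):
    """Print a per-client summary and return the raw counters."""
    by_ip, by_path, unparsed = summarize_probes(log_text.splitlines())
    for ip, n in by_ip.most_common():
        print(f"{ip:16} {n} WordPress probe(s)")
    for path, n in by_path.most_common():
        print(f"    {path} x{n}")
    print(f"{unparsed} unparsed line(s)")
    return by_ip, by_path, unparsed


if __name__ == "__main__":
    report()
```

Run against a real log (`summarize_probes(open("access.log"))`) the per-IP counter is what you would feed into a block list or a fail2ban-style rule; the unparsed count tells you whether your server's log format actually matches the regex before you trust the numbers.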

2. Never Hack WordPress Core

Being able to quickly and safely update WordPress core is essential for keeping your site up to date with the latest security fixes. Hacking (modifying) the WordPress core files is a big no-no for many reasons, but primarily because it limits your ability to get those updates: every core update replaces the files you changed, so you either lose your customization or stop updating, and neither is acceptable.

3. You Take A Risk With Every WordPress Plugin You Use

You shouldn’t hack/modify WordPress’s core files, but that doesn’t mean that you can’t make significant customizations to your site. In fact, WordPress’ hook system makes it extremely flexible and customizable, and the way you make modifications is with plugins. Keep in mind, however, that every plugin you add is a risk. A plugin runs code on your server with the same privileges as WordPress itself, which means unrestricted access to your server files and to the database (it uses the same database credentials). Even if the plugin isn’t malicious or poorly designed/coded, it can eat up your server’s memory and CPU, and it can cause your whole site to “white screen” or just crash.

4. Your WordPress Site is Only as Good (secure, stable, efficient) as Your Weakest Plugin

Your WordPress site is only as good (secure, stable, efficient) as your weakest plugin. You can have a great site on premium hosting, with the latest version of WordPress and a premium theme, but if you have just one bad plugin, it can compromise the whole thing.

5. WordPress Plugins Are the Wild West

Open source is a great thing. The world would be well behind where we are today if not for the availability of free, open source code. However, not all open source code is created equal. In fact, it’s not even close. While many open source projects are created and run by major software firms, with teams of professional developers, others may be created by one person with no formal training or experience. It’s up to you to vet the code.

With some open source ecosystems, the vetting is done for you. For instance, Linux comes in “distros” (distributions). Distributions such as Red Hat and Ubuntu pick a set of packages (and package versions), vet them, put them together and test them. Red Hat tends to be more conservative about the code it will put into its distro, while Ubuntu is more liberal (shipping newer code that has been less battle tested). You choose where you want to fall on the latest-versus-most-stable scale when you choose a distro.

No such system currently exists for WordPress. When a plugin author updates their plugin, it goes straight out and is released immediately; it can be downloaded and running on millions of sites within minutes. That is great if the code is good, but it skips all of the safeguards built into Linux distros. It is entirely up to the plugin developer to test the code.

6. By Default, WordPress Sites Are Incredibly Inefficient and Slow

WordPress is designed to be flexible and extendable. It does a great job of this, but these very goals are contrary to those of efficient code. WordPress’ generic key-value meta tables, dynamic hook-driven code, interpreted PHP, etc. mean that it can’t perform at nearly the speed of purpose-built systems (at least not by default).

7. Having Your WordPress Site Under Your Primary Domain, Puts Your Whole Domain At Risk

If you have more than one site operating under a single domain (i.e. example.com/intranet and example.com/blog), then even with separate hosting and databases, all of your sites may be at risk from bad code in just one plugin of one site.

Sites served from the same hostname share one cookie jar and, as far as browsers are concerned, one origin: the same-origin policy compares scheme, host and port, not path, so script running under example.com/blog can read and set cookies for example.com/intranet and interact with its pages directly. That makes such sites susceptible to a number of client-side attacks, including Session Hijacking Attacks and Session Fixation Cookie Attacks. Moving the sites to separate subdomains narrows the origin but not the cookie scope: a cookie set with Domain=example.com is sent to every subdomain, so you may still be vulnerable to Cross Subdomain Cookie Attacks, Cookie Jar Stuffing Attacks, and Cookie Tossing Attacks.
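To make the shared-cookie-jar point concrete, here is an added example (not from the original post) that uses Python’s standard-library cookie jar, which applies the same host, domain and path matching rules browsers do, to show a cookie planted by one site reaching its neighbour. The hostnames, paths and the app_session cookie are assumptions; no network access is involved, the responses are constructed inline.

```python
"""Added example: how a cookie set by one site under a shared domain reaches
another site under that domain, modelled with http.cookiejar (which follows the
Netscape/RFC 6265 scoping rules browsers use). Hostnames, paths and cookie
names are assumptions for the example; responses are constructed, not fetched."""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


class ConstructedResponse:
    """Minimal stand-in for an HTTP response: only the Set-Cookie headers matter."""
    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Store the cookies a response from `url` would set, as a browser would."""
    jar.extract_cookies(ConstructedResponse(set_cookie_headers),
                        urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request to `url`
    (None when no stored cookie is in scope)."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def same_hostname_scenario():
    """Two apps under one hostname: example.com/blog and example.com/intranet."""
    jar = CookieJar()
    # A compromised plugin on the blog sets a cookie with Path=/ ...
    receive(jar, "https://example.com/blog/", ["planted=by-blog-plugin; Path=/"])
    # ... and the browser sends it to the intranet, which shares the host.
    return cookie_header_for(jar, "https://example.com/intranet/")


def cookie_tossing_scenario():
    """Separate subdomains: blog.example.com shadows intranet.example.com's cookie."""
    jar = CookieJar()
    # The intranet sets its own host-only session cookie (hypothetical name/value).
    receive(jar, "https://intranet.example.com/",
            ["app_session=legit; Path=/; Secure"])
    # Attacker-controlled code on the blog subdomain sets a cookie of the same
    # name, scoped to the parent domain and to a more specific path.
    receive(jar, "https://blog.example.com/",
            ["app_session=attacker; Domain=.example.com; Path=/admin"])
    # Both cookies are in scope for the intranet's admin path. Cookies with the
    # more specific path sort first, so the planted value leads the header.
    return cookie_header_for(jar, "https://intranet.example.com/admin/")


if __name__ == "__main__":
    print("same host   ->", same_hostname_scenario())
    print("subdomains  ->", cookie_tossing_scenario())
```

Which of the two app_session values the intranet ends up using depends on how its framework treats duplicate cookie names; the point is that a sibling host can inject one at all. The usual mitigations are the ones the section implies: give unrelated applications unrelated registrable domains, and set session cookies host-only (no Domain attribute) with the __Host- prefix where the browser supports it.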

8. WordPress is Licensed Under the GPL (Use At Your Own Risk)

WordPress is licensed under the GPL (GNU General Public License). The license’s warranty disclaimer means you are on your own: if things go wrong, nobody is obligated to fix it and there are no remedies other than those you arrange yourself.

Solutions and Recommendations

1. Stay up To Date

As soon as the WordPress project learns of a vulnerability they will patch it, and the vulnerability is announced in coordination with the release of the fix. From that moment it is a race: attackers can read the patch to see exactly what was fixed, so you need to update your site before they reach it.

Use a plugin, script or managed hosting to ensure that you are getting security updates as soon as they are released. WordPress has applied minor and security releases automatically since version 3.7; make sure that has not been switched off on your install.

2. Vet Your Plugins

Make sure that the plugins that you use are well coded (and ideally with a software company behind them). Have a developer check the code out. Make sure to check the following:

  • Does the plugin have unit tests?
  • Is the code well organized and look like it was programmed by an experienced developer?
  • How often is the plugin updated?
  • How many support issues does it have? How many are still open? Have there been previous complaints of new releases having bugs?

While it may be tempting to use free plugins from an author who gives the whole thing away, keep in mind that if the plugin has no monetization strategy, the author likely built it as a hobby and has little to no incentive to fix the bug that is costing your business thousands of dollars a day.

3. Performance is All About Caching

The key to WordPress performance is caching. If your site gets a decent amount of traffic you should have a page level cache (like Varnish) in front of WordPress. Even better is to distribute the cached pages by using a CDN.

WordPress makes thousands of computations to render each page. There is no point in doing this work for every visitor only to return the exact same page. By using a cache, WordPress renders the page once and then it is served to potentially millions of people by the cache. Caches are how the New York Times and the BBC are able to use WordPress successfully.
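As an added illustration (not code from the post, from Varnish or from WordPress), the toy page cache below models the render-once, serve-many behaviour the paragraph describes, together with the caveat that comes with it: WordPress personalises pages for logged-in users (admin bar, drafts, private content), so a cache that ignores the login cookies will store one user’s page and hand it to everyone. The cookie-name prefixes are the ones WordPress really uses; the renderer, the user and the cookie values are assumptions.

```python
"""Added example: a full-page cache in front of a page renderer, with and without
the bypass rule for personalised responses. The renderer, user name and cookie
values are constructed for the example."""
from collections import OrderedDict

# Cookie-name prefixes WordPress sets once a visitor has logged in, entered a post
# password, or left a comment. Front caches key their bypass rule on these.
PERSONALISED_COOKIE_PREFIXES = ("wordpress_logged_in_", "wp-postpass_", "comment_author_")


def is_cacheable(method, cookies):
    """Only anonymous GETs are safe to share between visitors."""
    if method != "GET":
        return False
    return not any(name.startswith(p)
                   for name in cookies for p in PERSONALISED_COOKIE_PREFIXES)


class Renderer:
    """Stands in for WordPress: expensive per-request work whose output depends on who asks."""
    def __init__(self):
        self.renders = 0

    def render(self, path, cookies):
        self.renders += 1
        user = next((v for k, v in cookies.items()
                     if k.startswith("wordpress_logged_in_")), None)
        admin_bar = f'<div class="admin-bar">Howdy, {user}</div>' if user else ""
        return f"<html>{admin_bar}<h1>{path}</h1></html>"


class PageCache:
    """Keyed on path only, like a basic Varnish/CDN rule. `bypass_personalised`
    toggles the safety check so the leak can be demonstrated."""
    def __init__(self, renderer, bypass_personalised=True, capacity=1000):
        self.renderer = renderer
        self.bypass = bypass_personalised
        self.capacity = capacity
        self.store, self.hits, self.misses = OrderedDict(), 0, 0

    def get(self, path, method="GET", cookies=None):
        cookies = cookies or {}
        if self.bypass and not is_cacheable(method, cookies):
            return self.renderer.render(path, cookies)   # rendered live, never stored
        if path in self.store:
            self.hits += 1
            self.store.move_to_end(path)
            return self.store[path]
        self.misses += 1
        body = self.renderer.render(path, cookies)
        self.store[path] = body
        if len(self.store) > self.capacity:
            self.store.popitem(last=False)   # evict the least recently used page
        return body


ALICE = {"wordpress_logged_in_1a2b3c": "alice"}   # constructed login cookie


def naive_cache_leaks():
    """No bypass rule: Alice's personalised page is cached, then served to an anonymous visitor."""
    cache = PageCache(Renderer(), bypass_personalised=False)
    cache.get("/", cookies=ALICE)
    anonymous_view = cache.get("/")
    return "Howdy, alice" in anonymous_view


def bypass_rule_holds(visitors=1000):
    """With the rule: Alice is rendered live; the public page is rendered once and shared.
    Returns (leaked, total renders, cache hits)."""
    renderer = Renderer()
    cache = PageCache(renderer)
    cache.get("/", cookies=ALICE)
    views = [cache.get("/") for _ in range(visitors)]
    leaked = any("Howdy" in v for v in views)
    return leaked, renderer.renders, cache.hits


if __name__ == "__main__":
    print("naive cache leaks a logged-in page:", naive_cache_leaks())
    print("(leaked, renders, hits) with bypass:", bypass_rule_holds())
```

The second figure is the whole performance argument: a thousand visitors cost two renders. The first is the security argument: any page cache you put in front of WordPress needs the equivalent of that bypass rule, and it needs to cover every cookie that changes the output, not just the login one.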

4. Keep An Open Relationship With A Development Firm or Use Managed Hosting

Things may go wrong with your site and when they do, the best you can do on your own is to post to the WordPress forum.

If you are trusting your business to WordPress, you should have a relationship with someone who you trust to be there to fix it.

You can either use a managed WordPress host such as WPEngine or you can contract with a local web development firm that specializes in WordPress.

Conclusion

While the choice to use WordPress over other CMSs may seem like an obvious one, you need to understand the risks.

Used carefully, WordPress can help your business achieve new levels of success. Used recklessly, WordPress can quickly become a liability.

Have comments or questions? Please post them in the comments section below.

Bot Filtering: AdPlugg Takes on Bot Traffic

What do the Terminator, the Star Wars films, the Matrix, and AdPlugg have in common? They all feature epic battles against robots :-).

AdPlugg’s battle is against bot traffic penetrating statistical data. This bot traffic can skew results, show false impressions and even worse, false clicks. This is a major concern and one that we at AdPlugg take very seriously.

So what is a “bot”? Bots are automated programs that browse the web. They might be browsing for all sorts of different reasons but the most common is for creating search indices. Bots that crawl the web are known as crawl bots or “spiders”. Of the crawl bots, the most well known is Google’s Googlebot. Crawl bots read a page and then follow all of the links on the page. The bot then does this again on the next set of pages, creating a spiderweb of linked pages that make up the known web.

This can be problematic for online advertising as online ads aren’t the same as other links. Online ads are designed to be viewed and followed by humans only. This is for two reasons. The most important being that advertisers buy ad space to get impressions and clicks from humans, not bots. Also important is that paying another site to link to yours is a “black hat” practice that can get you penalized or even banned from search engine results.

To address this, ad links are required to carry a rel="nofollow" attribute, which tells bots, “hey, this is an ad, don’t follow it.” Well-behaved crawlers honor the attribute and won’t follow the link. AdPlugg adds it automatically to every ad link it serves.

However, rel="nofollow" doesn’t stop all bots. Even amongst the largest search engines, there is inconsistent support for the standard. Wikipedia’s Nofollow article reports that while Google and Ask.com fully respect the attribute, Yahoo and Bing both follow the link anyway (but exclude the link from their search rankings).

Other offenders are much less well intentioned. Email harvesters, spambots, malware and bots that scan for security vulnerabilities are unlikely to respect the nofollow attribute.

This leaves it up to the ad servers and ad trackers to identify and filter bot traffic. It’s tricky however, because the links can’t appear broken. If a bot, such as Bingbot, tries to follow the link (even though nofollow is set), the link should work. Otherwise, it’s possible that Bingbot will demote the page (from the Bing search engine rankings) for having broken links.

AdPlugg handles bot traffic by allowing it to pass through but filtering it out of the statistics. This keeps all links working but stops bot traffic from being included in the ad’s impressions and click statistics.

The trick is identifying the bots. AdPlugg now scans for and filters out over 400 known bots. We have systems in place to update our bot list as we become aware of new bots. Similar to the plight of CAPTCHA technology, identifying bot traffic for the purpose of ad stats is a difficult battle. Bots that don’t want to be identified are remarkably good at it.
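The approach the last few paragraphs describe, as an added example (this is not AdPlugg’s code or bot list): every hit is served its landing URL, so crawlers that ignore nofollow still find a working link, but only hits that pass the filter are counted. The bot tokens, the click-without-impression heuristic, the landing URL and the hit records are all constructed for the example.

```python
"""Added example: count ad impressions and clicks while filtering automated traffic
out of the statistics, without ever breaking the link for the bot. The bot token
list, heuristic, landing URL and sample hits are assumptions for the example."""
import re
from collections import Counter

# User-agent fragments of a few self-identifying crawlers and HTTP libraries.
# A production list (the post mentions 400+ entries) is far longer.
KNOWN_BOT_TOKENS = ("Googlebot", "bingbot", "Slurp", "DuckDuckBot", "AhrefsBot",
                    "python-requests", "curl/", "Wget/")
BOT_RE = re.compile("|".join(re.escape(t) for t in KNOWN_BOT_TOKENS), re.IGNORECASE)

AD_TARGETS = {"ad-1": "https://advertiser.example/landing"}   # hypothetical ad -> landing page


def classify(hit, seen_impressions):
    """Return why a hit looks automated, or None if it may be counted as human."""
    agent = hit.get("user_agent", "")
    if not agent:
        return "empty user-agent"            # every real browser sends one
    if BOT_RE.search(agent):
        return "known bot user-agent"
    # Heuristic added here (an assumption, not something the post describes): a
    # click from a client that never loaded the ad most likely came from something
    # following the link directly rather than from a person who saw the ad.
    if hit["event"] == "click" and (hit["ip"], hit["ad"]) not in seen_impressions:
        return "click without a prior impression"
    return None


def handle(hit, stats, seen_impressions):
    """Record the hit in the stats only when it passes the filter; always return
    the landing URL, so the link works for bots and humans alike."""
    reason = classify(hit, seen_impressions)
    if reason is None:
        stats[(hit["ad"], hit["event"])] += 1
        if hit["event"] == "impression":
            seen_impressions.add((hit["ip"], hit["ad"]))
    else:
        stats[("filtered", reason)] += 1
    return AD_TARGETS[hit["ad"]]


# Constructed sample traffic: one human, one crawler, and two scripts.
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/54.0 Safari/537.36"
BING = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
SAMPLE_HITS = [
    {"ip": "198.51.100.1", "ad": "ad-1", "event": "impression", "user_agent": CHROME},
    {"ip": "198.51.100.1", "ad": "ad-1", "event": "click", "user_agent": CHROME},
    {"ip": "203.0.113.9", "ad": "ad-1", "event": "impression", "user_agent": BING},
    {"ip": "203.0.113.9", "ad": "ad-1", "event": "click", "user_agent": BING},
    {"ip": "203.0.113.10", "ad": "ad-1", "event": "click", "user_agent": ""},
    {"ip": "203.0.113.11", "ad": "ad-1", "event": "click", "user_agent": CHROME},
]


def tally(hits=SAMPLE_HITS):
    """Process hits in arrival order; return (stats counter, redirect targets)."""
    stats, seen = Counter(), set()
    targets = [handle(h, stats, seen) for h in hits]
    return stats, targets


if __name__ == "__main__":
    stats, _ = tally()
    for key, n in sorted(stats.items()):
        print(key, n)
```

User-agent matching only catches bots that identify themselves, which is exactly the limitation the post’s closing sentence is about: a bot that sends a browser user-agent passes the first two checks, and the impression-before-click rule is one behavioural signal of the kind that has to take over from there.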

AdPlugg’s battle against the bots is an ongoing effort and our systems are continually being worked on and improved. We often get asked, “what differences make AdPlugg better than other options such as stand-alone plugins?” Well, bot filtering is a big one.

AdPlugg Scales!

AdPlugg has been growing like crazy. We now serve millions of ads every day and have thousands of customers who use the service. We’ve regularly been upgrading servers and our backend software to handle the increased load.

AdPlugg uses highly scalable cloud servers and CDNs (Content Delivery Networks) to make this all possible.

In addition to more customers in general, we’ve also added a number of larger and more high profile accounts. This includes the websites of some well known magazines, radio stations, tv stations and newspapers. Some of the more well known ones include the Fiesta Bowl, Wine Enthusiast and the BC Heights (the Student newspaper of Boston College).

As well as scaling up our backend systems to handle the increased load, we just released a number of new enhancements to our front end Ad Manager that make the user interface easier to use for large sites and accounts with complex configurations and a large number of ads.

We’ve added the ability to scroll through the list of ads when choosing your ads for your charts and reports. This feature turns on when you have more than 10 ads so that the list is easier to navigate.

We’ve added the ability to sort, search and filter the Ad, Placement and Zone lists. In addition, we added additional columns to each of these lists so that you can see things like which Placement an Ad is targeted to without opening the Ad.

Sortable

Each list now has a number of sortable columns. The ones that are sortable have blue links in the header row at the top of the list. Simply click the header to sort the list by the entries in that column. Click the header again to sort the list in reverse order. Click it a third time to stop sorting by the column. If the column is a text column, it will be sorted alphabetically. If it is a number column, it will be sorted in numerical order.

Searchable

The search allows you to enter any text and the list will be restricted to entries that match that text. The text that is matched could be from any of the columns.

Filterable

We’ve also added a number of filters for each list. The filters allow you to restrict the entries shown in the list to entries matching the specific filter. For instance you can filter the results to only show active or inactive ads. You can also use a filter to only show ads that target a particular Placement or Zone. This way you can quickly see just the ads that target your top bar for example.

These features were designed to make AdPlugg even easier to use. Have any ideas for other features that we could add or how we could make these features better? Please post them into the comments section below.