When you’re a WordPress blog or website owner, waking up to a bad case of malware mayhem is your worst nightmare, especially because of the devastating consequences to your brand. This is why it’s absolutely essential for anyone with a WordPress site to look into security and recovery options.

One of the most common security measures we’ve all heard of, over the years, has been ‘website antivirus’, ‘anti malware’, or ‘hack remover’ (they’re all the same)… But the big names in the WordPress security field have also started to talk about ‘website firewalls’.

So the question is- WordPress antivirus Vs. firewall: which is better?

Which one suits your need: WordPress firewall, or antivirus?
Choosing between a website firewall and an antivirus for WordPress is an important security decision.

This post’s aim is to help you get to the bottom of this.

 

WordPress Firewalls

The real-world equivalent to a website firewall, would be a bouncer, or a gate-keeper. Website firewalls sit in front of your site to help minimise incoming threats, and reduce the scope of damage to your WordPress website.

How a WordPress firewall works:

  • Whenever a visitor attempts to access your website, their request is sent to the firewall, which uses predetermined rules to check the validity of the request.
  • If the request contains anything suspicious, (such as a weird IP address, or an unauthorised entry in a specific field), the firewall prevents the visitor from accessing your WordPress site.

Pros of WordPress firewalls:

  • They reduce the chances of your WordPress site getting hacked.
  • Since they restrict access firewalls can be configured to act as an intrusion detection and prevention service.
  • Website firewalls could also prevent attacks like brute-force, SQL injection, or even attacks via plugin vulnerabilities (like the attacks carried out through the WordPress Slider Revolution plugin in 2014), if configured to do so.

Cons of WordPress firewalls:

  • WordPress firewalls can not guarantee that your site will never get hacked.
  • They could keep out valid visitors (or requests) as a result of false positives.
  • They need special configuration to set them up. Cloud-based firewalls, for example, may need DNS setup.
  • They do not help scan for, detect, or remove malware from your websites. (This is where website antiviruses help).

(This is only a basic run through, but if you’re looking for more information, check out our article: What is a WordPress Firewall?)

 

WordPress Antivirus

Website antiviruses scan for malware that might have been implanted by hackers through entry points in your WordPress site. They typically consist of two parts: one that detects hacks, and another that cleans hacks. The solutions available in the market either have a combination of both parts, or just either one.

How a WordPress Antivirus works:

  • Detecting malicious files on your website would require analysing your website files and checking for malware. This is done by checking your files for ‘signatures’ of malware, against a database of known threats (a.k.a ‘blacklist’). However, since hackers can build an infinite combination of hacks, signature-based analysis isn’t very effective.
  • Hack-cleaning is another process, that usually involves the removal or repair of infected files on your website. It should be done at the earliest to minimize damage.

Pros of a WordPress antivirus:

  • Website antiviruses helps detect malware that could be spamming your visitors, or even lead to blacklisting your site. Some of the attacks a WordPress antivirus could help protect against are: Malicious Redirects, Pharma spam, or Backdoors.
  • Removing the malicious files as soon as possible reduces the damage to your site.
  • Having a website antivirus that also acts as a hack-cleaner would also make sure that the malicious files are repaired or removed.

Cons of a WordPress antivirus:

  • Website antiviruses do not help detect intrusion, or prevent attacks on your website.
  • They only help you clean out malicious files on your site after they have been deployed.
  • Since they use signature-based analysis, website antiviruses miss a lot of malware.
  • Website antiviruses also generate a lot of false positives.
  • Website hack-scanners and cleaners do not help you find out how a hack originated, so you could get attacked the same way again.
  • A lot of the solutions available require technical assistance and take hours to get rid of the infected files on your website.
  • Cleaning malware from your website is an expensive affair

With cyber attacks becoming more and more complex, there is no foolproof way to make sure your website is safe.The only way is to reduce your vulnerabilities, and up your WordPress security measures. Doing so will make your website less attractive to hackers on the account of how much effort it takes to break in. Over time, hacks have become more complex, and difficult to detect. This is why most of the time, website owners don’t even know that their websites have been attacked, or that they contain malware. Once you’ve been made aware of malicious code on your website, panic sets in because cleaning it up is always a tedious process that takes you away from your business, and requires technical support. It’s best to consider your security options wisely, and choose something that will give you the best value.

Check if your website contains malicious files with MalCare: the first accurate, one-click hack-cleaner of its kind. This website antivirus solution alerts you of malicious files, and gets rid of them quickly, and effectively. The system also learns from the data it’s seen, so it generates zero false positives.

When you’re venturing into the world of WordPress, one of the few things you come across, is the issue of your WordPress website’s security.

Making your WordPress site secure, is a lot like adding reinforcements to a fort. You fortify the walls, add security measures to points of entry, and add strength to the sentry. It’s no wonder that ‘hardening’ your WordPress is probably a phrase you’ve seen a lot.


Reinforcements to cybersecurity should never be taken lightly.  Exploring every option available is an important step to safeguarding your WordPress site.

One of the security measures you can’t get past, when doing your research, would be ‘WordPress Firewalls’.

Since firewalls have been around just as long as the antivirus software for Personal Computer security, the search results you end up with might be confusing, to say the least. This is because there are different types of firewalls, depending on a number of various criteria, including where they’re deployed.

This is why we thought of helping out, by coming up with a beginner’s guide to firewalls, and WordPress firewalls. Obviously this is going to be a long project, so we’re going to break it down into parts. This part of the series is going to give you an introduction to firewalls, WordPress firewalls, what they protect you against, and how you should rely on them as a security measure for your WordPress website.

What are Firewalls?

Firewalls are one of the oldest ways to harden your tech systems against vulnerabilities, but here’s an interesting fact about them:What is a WordPress Firewall_Firewalls continue to contain damage even with cyber security. They do this by controlling access to and from the general internet with regard to your resources; in this case, your WordPress site.

Firewalls fulfill two purposes:

  • filtering incoming traffic from the outside world that wants access to your WordPress site
  • controlling what the computers on your network may send to the outside world

Firewalls act as an extra layer of security, and are considered important, especially since nobody can be too careful when it comes to cyber threats.

What are WordPress Firewalls?

WordPress firewalls (as the term implies), are firewalls deployed specifically to protect your WordPress website. They are customized with rules tailored specifically to thwart attacks that are launched on the particular vulnerabilities and entry points of your WordPress site. Obviously, customizing these firewalls according to the nature and needs of your WordPress website make them that much more powerful. For example, if you configured your WordPress firewall so no one can access the wp-login more that five times in an hour, you could keep specific kinds of attacks at bay.

Types of WordPress Firewalls

Which kind of WordPress firewall you use, depends on the kinds of threats your website might be facing, and where you want firewalls to be deployed.

One type of WordPress firewall is plugin-based. This means it can be installed and configured to your WordPress site just like an ordinary plugin. It intercepts every request made to your WordPress website. Plugin-based WordPress firewalls use predetermined rules to check if the request made is malicious or safe. A couple of examples of plugin-based firewalls for WordPress include NinjaFirewall and WordFence.

Another way to ensure that malicious requests are blocked is by using a cloud-based firewall. Anytime a visitor tries to access your site, the requests are first sent to the cloud-based firewall. This firewall uses a wide variety of technologies to determine the validity of the request. The request is allowed to pass through if, and only if the request is determined to be safe. Some examples of this kind of WordPress firewalls include CloudFlare and Sucuri.

Other than this, your web host provider might have an in-built firewall. The protection of this firewall might extend to your WordPress site, but it’s primarily to protect their infrastructure, and not your website.

So how do you secure your website? Honestly, there isn’t a foolproof way to make your WordPress site completely secure. The best way to reduce vulnerabilities, though, is to use a combination of security measures. Having a functional WordPress firewall included in that combination is useful especially since it’s an extra layer that helps control access.
The best way to be completely at ease about your website even if disaster strikes, is to store all your data in a safe place; that is to backup your website. The easiest, most secure way to do that, would be to use a WordPress backup plugin such as BlogVault.

Fans of Dennis Cooper, the experimental artist and writer, have expressed concern over Google’s removal of the artist’s Blogger account and blog of 14 years. What’s worse, his Gmail account, the medium through which most of his correspondence was conducted was also rendered inaccessible.
The writer’s blog, was a choice destination for followers of transgressive, avant garde writing and experimental art, some of which included ‘Frisk’ and ‘Luster’ (books that later spawned movies in 1995 and 2002), as well as the critically acclaimed book, ‘Closer’. The American artist’s work often depicted graphic violence and savage sexuality.

 

Back to back: Dennis Cooper. The artist might have to sue Google to get his work back. (Image courtesy: http://bbook.com)
Back to black: Dennis Cooper might have to sue Google to get his life’s work back.
(Image from here)

His blog was updated six times a week, with literature, film and music he enjoyed, some of which followed in the same vein. It’s understandable, therefore, that readers would be offended by it. However, the blog contained a warning, stating that it contained mature and violent content. So the question is, whether this was an attempt at censorship.

In a talk with the Guardian, Pati Hertling, an art lawyer, explained that the First amendment rights to free speech, (which any American citizen is entitled to), do not apply to the world of private corporations like Google or Facebook. This is because the amendment only protects you against public censorship. “Because it’s Google, they’re a private corporation, it’s a private realm, they can do whatever they want”, she said.

Dominant technology companies, such as Google and Facebook, have a vested economic interest in controlling content management. In fact, according to a report by Gizmodo, a former news journalist who curated news for Facebook said that the members of the ‘news curating’ team suppressed content that held ‘conservative views’. The problem is that when tech giants like these create ‘walled gardens’ for content, they wield power over what the general public is exposed to. And since these arenas are great to look at, and have great publicity, the trade-off for creators, is between ease-of-use & productiveness; and creativity & freedom. When the reins are handed over to these firms with a click to ‘Agree to terms and conditions’, things don’t look too good for an artist.

Being in complete control of the content you put up is an important thing to consider, when you’re an artist whose livelihood depends on freedom of expression. This is one of the reasons open source projects, that allow you to host your own site have become so popular. No matter which open platform you choose to host on, you’re in control of your content, and there are much lesser chances of forced censorship. WordPress.org currently powers about 26% of the world’s websites, and it continues to attract creators and inspire a community of contributors. One of the reasons behind this is the platform’s mission to democratize and socialize the publishing world.

When Cooper contacted Google over various channels, the response he received said that the blog was in “violation of the terms of service agreement.” Cooper has no confirmation of whether the blog and his email account have simply been disabled, or whether they have been deleted altogether.

The deactivation of Cooper’s account have serious consequences– his contacts collected for over a decade, as well as recent offers to various platforms for his performance art work were all on his email account, and are now gone. Moreover, all of his work, (including his last gif novel,, which he had been working on for seven months), was hosted only on his blog. He had no backups, and no data stored anywhere else.

“As long as you back everything up. I don’t see really the danger,” agrees Dennis Cooper. “But if you’re at the mercy of Google or some place like Google, obviously I’m a living example of not to be blind like that and think that everything is hunky dory.” Open source platforms are a great way to have complete control over your content, but having your resources backed up is an essential safety measure.

WordPress has a number of backup solutions, all of which could help you get back online. These safeguard your work, in case your website gets taken down by a hack, or is offline because of a human error, or because of your web host. Choosing one according to your needs, and your technical expertise, acts as a sort of insurance policy. Solutions like BlogVault offer WordPress backup services that ensure your data’s safety. It also gets your website back online automatically in case your website has been taken down, so you can have peace of mind.

By now you most probably would have come across this story which has taken the internet by storm recently, especially the programming community. The story reads:  How a hosting company lost its entire business because of one line of bad code. Any person even vaguely familiar with command prompt can guess that one line:
rm -rf

(well the actual line of code as per its author was rm -rf {foo}/{bar})

 

The issue first came to public notice when the person responsible for this catastrophe asked for help on ServerFault (question now removed). As per the question and followed thread of comments author intended to run a script that did a few task along with deleting all files/folders inside certain folders passed as variable. Due to an error in the code, the variable got wrong value which resulted in wiping everything on the machine. Unfortunately he ran this same script on all his machines which led to deletion of everything. A complete annihilation!

 

Add to that he ran a web hosting company. He not only deleted his entire company code and data but also wiped clean all customer data. This affected some 1535 customers who were using his service (figures provided by him on serverfault’s thread).

 

Did he take backups?

Whenever a person read such stories, first thing to come across mind is – why didn’t he take backups? Well as per him, he did. He made backups on separate disks, however these disks were mounted to the main machine and hence the contagious script managed to wipe them too.

 

He posted a comment that read:

“All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).”

 

We often come across users who are trying our service and tell us at the end of trial period, while they really loved our service their hosting company provides backup and hence they may not need our service. It’s difficult to explain why you cannot blindly rely on backups done by your hosting provider but this certainly is a good example to start with.

 

We understand it’s a rare case scenario coupled with human error and probability of something like this happening with your premium managed hosting provider is equivalent to probability of discovering extraterrestrial life. But the important thing to notice here is there is still a probability. There are over 1 billion websites on the internet today, even mere 0.1% accounts to 1 million websites and that’s a huge number. You definitely don’t want to be one in this million group.

 

If something similar happens with the managed hosting provider you are signed up with, your included backups will do you no good. This hosting company just lost all its data. Yes it was because of the carelessness of the system admin but human errors can happen anywhere. There can be another similar case, where a hacker somehow breaks into your hosting company’s server and run similar script intentionally. That will affect you equally. Not only your production site is gone, also the backups.

You should never completely rely on backups by your hosts

Though there are many managed hosting companies that provide quality automated backup to their customers, one should not completely rely on these backups especially when the site in question is your main source to bread and butter. If their system is compromised, so are you and your sites. We cannot emphasise enough how important it is to have backups completely independent from your hosting servers.  


Let’s assume another case where your hosting company is hit by a major DoS attack and it went completely down for 3-4 days. Your site data may be safe but there is no way to access it. There is no certainty how soon they will recover and you cannot let your site just hang around like that. Since your backup belongs with the same hosting company, there is no way to access them either. Like it or not, you’re stuck. If only your backups were independent, you could have hosted them somewhere else meanwhile.

 

These are real world examples and can happen to anyone. A good backup needs to be offsite, robust, completely independent from your main servers and most importantly something you can access and deploy anywhere within minutes. We have seen enough number of times people despite having zip of their backup, running over various tech forums desperately seeking professional help to get their site restored because just unzipping it won’t bring the site back. There are various server configurations that may require fixing/updating in wake of recent disaster. Similarly a good robust backup should have an easy way to validate itself. Consider a situation where you are relying on a backup which is corrupt and you only learn this when you needed it. It’s a nightmare! While most managed hostings do provide decent backup service, these are a few scenarios where they fall flat.

 

Our post is not aimed to scare our readers, we just want to educate people about the importance of an independent automated backup service. One can never take their system for granted. As per the very nature of machines they are bound to crash, hacked, wiped out, melt down etc. One need to have sound backup system not just for their sake, but also for the sake of their users. And we just happen to provide one 🙂

Permalinks, or permanent links, are the URLs that point to specific web pages on your WordPress site, be it individual posts/pages or category/tag archives. They are meant to remain the same, indefinitely. Permalinks are what people enter into their browsers in order to view your web pages, to read your content. They are what search engines (and other websites) use to link to your site. One can therefore say that permalinks are the gateways to your website that play an important role in overall site optimization.

Permalink-icon

The Default WordPress Permalink Structure

WordPress, by default, uses a permalink structure that takes the form of a URL followed by a query string that identifies the pertinent post ID. For instance, if N is the post ID number, the default WordPress permalink structure would be www.websitename.com/?p=N.

This default permalink structure is unreadable to humans, and hence, is termed to be ‘ugly’. Ugly permalinks are neither user-friendly nor search engine friendly. It is therefore recommended that you switch to a more SEO friendly WordPress permalink structure.

Other ‘Pretty’ Permalink Structures in WordPress

In addition to the default permalink structure, WordPress offers the following permalink structures for you to choose from:

Day and Name: Here, your page URL will include the year, month, and date that a post was published, followed by the post name.
Month and Name: In this case, your page URL will be two characters shorter than the previous case, as it includes only the year and month that the post was published, and of course, the post name.
Numeric: Here, your page URL will simply include the ID of the post (again, not very SEO friendly).
Post Name: Here, your page URLs will include the post name alone, making them short and memorable. And so, most WordPress users prefer to use this permalink structure for their websites.
Custom Structure: Here, you get to create your very own permalink structure by making use of one or more of the following structure tags:

%postname% – stands for the post slug
%post_id% – stands for the post ID
%category% – stands for the category the post was published under
%year% – stands for the year the post was published
%monthnum% – stands for the month the post was published
%day% – stands for the day the post was published
%hour% – stands for the hour the post was published
%minute% – stands for the minute the post was published
%second% – stands for the second the post was published
%author% – stands for the name of the author who published the post

Out of the structure tags mentioned above, the first six are more commonly used than the rest.

permalink-options

The above permalink structures are better organized than the default one, making it way easier for both visitors and search engines to navigate to your content. They help optimize your SEO and attract more and more users to your site. These permalink structures are often referred to as ‘pretty permalinks’.

Some Permalink SEO Tips

  • Include the post name in your permalink; it is what matters the most – from both SEO and user perspective.
  • Use simple and short permalinks that are less than 100 characters in length. So even if your article title is longer than usual, remember to cut it short in the URL, so that it falls within the 100-character limit (it’s best to use 3-5 words in the URL slug).
  • While it is advisable to include a keyword in your permalink, refrain from stuffing it with keywords (that’s just shabby).
  • Avoid using stop words (like a, the, is and are) in your permalinks. For instance, if your article title is ‘Stop using stop words in your permalinks’, you can leave out ‘in’ and ‘your’ from your page URL.
  • Use hyphens as separators, not underscores. So, for the article title mentioned above, a good page URL would be: www.websitename.com/stop-using-stop-words-permalinks.

Changing Permalinks on a Live Site

It is wise to choose a permalink structure for your WordPress site at the beginning itself. Changing the permalink structure of a live site, especially one that’s been running for more than six months, can drastically affect your SEO rankings. If you want to change your permalinks and avoid antagonizing users and search engines, here’s what to do:

  • change the page URLs from the back end
  • 301 redirect all the previously used URLs

To ensure that you don’t mess up, it’s a good idea to make a complete list of the previous URLs as well as what they’ll be redirecting to. And if you don’t want to get your hands dirty, you can always hire a professional to setup the redirects for your site. In spite of all this, you’ll still be losing all your social media share counts though, no changing that.

Wrapping Up

A pretty permalink structure is no doubt more user-friendly and SEO-friendly than the default one WordPress provides. It is always advisable to define your website permalink structure right at the beginning of your WordPress journey. However, if you should ever reach that point on the road where updating the permalink structure of your site means better SEO, then go for it! Just make sure to properly redirect your old URLs to the new ones.

And yeah, do remember to keep your site completely backed up before changing the permalink structure on your live site.

 

 

PressNomics is a 3-day conference for the renowned creators of third-party products and services for the WordPress community, organized by Pagely. It’s all set to take place this week, starting from the 2nd of March till the 5th, at the Tempe Mission Palms, Tempe, Arizona. Our founder, Akshat Choudhary, will be representing BlogVault at this event.

PressNomics

More About PressNomics

The PressNomics conference will cover topics pertinent to WordPress entrepreneurs like community considerations, growth hacking, and customer relationship management. Some remarkable speakers attending this event include (but are not limited to)

and many more…

BlogVault at PressNomics

Well, we’ll not be presenting at PressNomics, but we’ll definitely be around to discuss WordPress security and backups (and anything else you might want to talk about). So guys and gals, if you’re there this week, feel free to catch up with us for a chat or drinks. We would love to meet you all!

In an earlier article, we spoke about password protecting wp-login.php with HTTP authentication. There, we came up with this amazing analogy that if your WordPress were a house, HTTP authentication would be a fence to it. Now, imagine deploying a guard at your fence door to further secure your house (your WordPress site). This guard would check the ID (read IP address) of every visitor and allow (or deny) a selected few.

IP address

In this article, we’ll teach you how to provide restricted access through the fence door to only select IP addresses. Of course, for this to work, your internet connection needs to have a static IP address first. If you aren’t sure what your IP address is, you can always Google ‘IP address’.

How to Restrict Access by IP to your wp-admin Directory

To begin with, download the .htaccess file from your wp-admin directory using a third-party FTP client like FileZilla. In case there isn’t already an .htaccess file in your wp-admin directory, go ahead and create a new one. Then, add the following lines at the end of your .htaccess file:

order deny,allow
allow from your.IP.address
deny from all

The above directive allows only a single IP address to access your admin dashboard. This will apply in case you solely access your WordPress dashboard from a single location. In the given example, you need to mention your IP address in place of ‘your.IP.address’.

Now, if you access your dashboard from multiple locations, you’ll need to list out all those IP addresses in the directive. For this, you’ll need to mention individual IP addresses in individual ‘allow from’ lines as shown below:

order deny,allow
allow from your.IP.address.1
allow from your.IP.address.2
allow from your.IP.address.3
deny from all

Blocking Specific IP Addresses

It has been seen that a large number of attacks come from specific regions or set of IPs. To block these culprits at the htaccess level itself, you can include the following syntax in your .htaccess file:

order deny,allow
deny from IP.address.1
deny from IP.address.2
allow from all

Mention the IP addresses you wish to blacklist in place of ‘IP.address.1’ and ‘IP.address.2’. If the blocked IP addresses try to access your dashboard, they’ll get a default ‘403 Forbidden’ error message.

403 error ip address ban

Once you’re done, save the changes and upload the .htaccess file back to the wp-admin directory. In case you make such a change to the .htaccess file in the root directory of your WordPress, all website visitors, apart from you, will receive the ‘403 Forbidden’ error message. Therefore, be sure to make the changes to the .htaccess file in the wp-admin directory of your WordPress alone.

Fixing the Admin Ajax Issue

Limiting access to WordPress wp-admin using IP address tends to break the front-end Ajax functionality. Therefore, if any of your plugins use Ajax in the front end, add the following code to the .htaccess file in your wp-admin directory for fixing the Ajax issue:

<Files admin-ajax.php>
order allow,deny
allow from all
satisfy any
</Files>

For increased security, it is always advisable to use the method discussed above for limiting access via IP address in conjunction with password protection. Also, your IP address will change if you change your internet service provider. So don’t forget to update your .htaccess file in such a case.

A website management platform as flexible as WordPress can be used to create and run numerous different sites for various purposes, blogging being one such purpose. Blogging might start as a hobby, but somewhere down the line, for most people, it becomes more than just that. With quality content and a decent amount of traffic, your WordPress blog can easily become your source of income. Here, we talk about the top five ways of making money with your WordPress blog.

Monetize your WordPress blog

1. Affiliate Marketing

Affiliate marketing involves signing up to an affiliate program and promoting third-party products on your blog by providing affiliate links to products. You can choose to promote products, both digital and physical, that are related to the niche off your blog and relevant to your audience. When a visitor clicks on your link and purchases the product, you get a commission for the sale.

BlogVault has a great affiliate program, where its partners get an affiliate URL to embed on their respective websites upon signing up. When a customer gets referred through the affiliate link on a partner’s website, BlogVault shares 20 percent of the revenue earned with said partner. Amazon Associates and ClickBank are a couple of other well known affiliate link programs.

2. Sponsored Posts/Reviews

Sponsored posts/reviews are content on your blog that you publish for the purpose of promotion of third-party products/services relevant to your blog audience. Here, a sponsor (a company or an individual) encourages and pays you to review his product/service on your blog in order to reach out to your niche audience.

3. Pay-per-click Advertising

Pay-per-click advertisements are one of the most popular methods used to make money off of your blogs. A popular service offering this form of monetization is Google Adsense. Here, all you need to do is sign up for an account with Adsense and follow appropriate steps to place a piece of ad code provided by them on your site. Thereafter, your site will display ads, and whenever a visitor clicks on one of your ads, you earn a payment. There are many WordPress plugins available that help you better manage your advertisements, ensuring that only relevant advertisements are displayed on your blog.

4. Selling Advertisement Space

A simple way to monetize your WordPress blog would be to sell advertisement space on your site. Unlike other means of money-making that are based on pay-per-sale/pay-per-click formats, this one gets you one-time payments for each advertisement space you sell. Although that makes this form of monetization somewhat predictable in nature, it also means that you might lose out on making more money should you later end up with an insane number of clicks on the advertisement.

In case you’re looking to sell advertisement space on your website, BuySellAds is an advertisement marketplace where you can list your website for advertisers to check out and choose to purchase your advertisement space. Once you receive an offer for your advertisement space, it’s upto you to accept or reject the offer. It is always advisable to accept such advertisement offers that are relevant to the niche of your website. Once you accept an offer, the respective advertisement will start to show on your site and your payment will get credited to your BuySell account. BuySellAds acts as a simple, straightforward and reliable middleman to your monetizing venture.

5. Building an Email List

Sending out newsletters to your subscribers’ email addresses, undoubtedly, is an excellent way to keep your audience engaged. But that’s not all you can do with your email list. Email lists also provide a great way to show relevant advertisements and content to your niche audience, providing them with an excellent user experience while filling your purse. However, be careful while exploiting email lists; no one likes spam!

As you can see, there are a number of ways to start making money online using your WordPress blog. Choose a monetization method that’s up your alley and best gels with your blog. And do remember to backup your precious blog with BlogVault before getting started!

Appointments are parts and parcels of all business ventures, from salons and clinics to hotels and consultancy services. If you’re looking for an easy way to allow your customers/clients to book appointments directly from your WordPress site, here’s the perfect plugin for you. Focused solely on appointments and not on other types of bookings, the WooCommerce Appointments plugin from BizzThemes claims to be the best software you can get your hands on right now for scheduling your appointments. Having been built on top of WooCommerce, the plugin lets you readily use all the features and extensions of WooCommerce.

WooCommerce Appointments

Plugin Features

Two-way Google Calendar Sync

The WooCommerce Appointments plugin offers two-way Google calendar synchronization. This means that whenever you add a new appointment or edit an existing one in Google calendar, the additions/changes you make will automatically be synced with your WordPress site, instantaneously. Likewise, whenever you add or edit an appointment in your website admin, it will automatically be synced with your calendar.

Calendar Administration

WooCommerce Appointments lets you view and edit your appointments in a flexible calendar, so that you have a better overview of your schedule. The flexible calendar can be viewed in daily or monthly view, and is synced with both staff and Google calendar, for increased efficiency.

Custom Availability and Capacity

The plugin lets you customize your availability for each calendar date, day or hour; it also lets you set breaks for hours and holidays. Furthermore, the plugin allows you to increase or decrease the number of available places for some appointment slots. This way, you can meet more customers whenever you have the time for it.

WooCommerce Apointments custom availability

Unique Time Slots

The plugin provides you with an option to link time slots to specific dates, letting you have unique time slots for each calendar date.

Staff Management and Availability

The plugin lets you assign staff to each of your appointments. It also lets you manage each staff member’s calendar. Additionally, it allows staff members to login and set their availability as they want.

Custom Schedules and Scheduling Window

With WooCommerce Appointments, you can schedule appointments for multiple days at once, totally skipping time slots. The plugin also lets you decide how much in advance you want your customers to be able to book their appointments. Moreover, if you feel the need to take some time for yourself to prepare for your next appointment, the plugin even lets you specify how much ‘padding’ time you require in between appointments.

Confirmation/Cancellation of Appointments

While the WooCommerce Appointments plugin allows your customers to cancel their appointments, it also lets them make appointment requests. You can accept or decline these requests based on how tight your schedule is at that time. This way, you have better control over your schedule.

WooCommerce Apointments scheduling window cancellation

WooCommerce Integration

Since the plugin in natively integrated with WooCommerce, it allows for the use of all of WooCommerce’s features and extensions. This confers on it a number of bonus features like WC memberships integration, WC follow up emails integration, WC gravity forms integration, WC deposits integration and WC extra product options.

What More with WooCommerce Appointments

Multilingual Compatibility

The WooCommerce Appointments plugin is compatible with popular multilingual plugins like WPML and qTranslate.

Charge for Service Delivery

If you’re required to execute a service at your client’s location, the plugin, thanks to its WooCommerce integration, lets you apply custom shipping/delivery costs in such cases. How much extra you charge will depend on your client’s location.

Country-based Pricing

WooCommerce Appointments lets you charge your customers in different currencies, based on their geological location.

Conclusion

With a clean and beautiful code, the WooCommerce Appointments plugin is easy to use and intuitive. Its configuration process is simple and hardly takes any time. This feature-rich appointment scheduling WordPress plugin is available for just $69. What’s more, it comes with a white label, so you can completely customize it to your brand, leaving no reference to the plugin.

Before installing a new plugin to your WordPress, do remember to keep your site completely backed up using BlogVault!

The WordPress admin dashboard can only be accessed by entering in your username and login password. It is good practice to use a strong login password at all times, as this makes it difficult for bots and hackers to break into your admin dashboard. However, the internet has never been a very safe place, and no amount of security is ever enough. Therefore, it’s always good to have as many layers of security as (sanely) possible, to keep hackers at bay.

Password Protect

While login credentials are a robust security measure at the WordPress application level, we can add further security using HTTP Basic Authentication (BA). HTTP BA is the simplest technique for enforcing selective restriction of access to your web resources, making it a system level security. But well, enough nitty-gritty for now, lets try to understand this with a simple analogy. Imagine your WordPress site to be a house. Although the house’s main door (read login credentials) is a vital part of security, it may not be enough, and you might want to add a fence around your house as an additional security measure. HTTP authentication is one such ‘fence’ for the protection of your WordPress site. Anyone who wants to enter your admin dashboard will first need to go through the HTTP authentication (your fence) and then enter in their login credentials (your main door).

To secure your WordPress site with HTTP authentication, you need to first generate a .htpasswd file, where you’ll list all authorised usernames and their respective encrypted passwords. Following our analogy, think of this as setting up a door to your fence. One can leverage .htpasswd only on an Apache server, since .htpasswd is an Apache password file. Good news is, Apache is the most commonly used web server software worldwide. This makes it highly probable that your site is running on Apache.

Creating a .htpasswd File

You can use the htpasswd command line tool to create a new .htpasswd file. In your command line, use the following code:

htpasswd -c .htpasswd harini

Here, ‘-c’ stands for ‘create’ and should only be used while creating a new .htpasswd file. ‘harini’ is a case-sensitive username for our HTTP BA. On hitting enter, you’ll be prompted to enter the password you would like to use. By default, the htpasswd tool encrypts your password using MD5.

htpasswd 01

In the case that you already have an existing .htpasswd file, and would just like to add a new username to it, you should use the following command line:

htpasswd .htpasswd rahul

htpasswd 02

Note that you don’t have to use the ‘-c’ switch in this command, since you don’t have to create a new htpasswd file here.

A typical htpasswd file looks like this: ‘username:encrypted_password’. For instance, a sample .htpasswd file that contains users harini and rahul would look like:

sample .htpasswd file

If you aren’t able to get your hands on the htpasswd tool, you can easily generate your .htpasswd entry (username-encrypted password pair) using this htpasswd generator.

Now that you’ve successfully created the .htpasswd file, you have a lot of flexibility over where to place it, however it is advisable to store it in a directory that can’t be accessed directly through the web. One such good location would be one level above the WordPress install directory. This will ensure that your Apache password file remains secure, even if your web server software were to get corrupted.

Password Protecting wp-login.php

With the .htpasswd file ready and stored in a safe position, you can now go on to restrict access to your wp-login.php file. For this, you’ll need to specify the following things in your .htaccess file:

  • what file to restrict?
  • where to get HTTP BA credentials from?

Assuming .htaccess file is at WordPress install directory level, adding the following lines of code in the file will do this for us:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

Here, you need to focus on the following two lines:

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to provide any user mentioned in the .htpasswd file with access to the wp-login.php file. In case you want to grant selective access to the file, instead of using ‘valid-user’, you can just mention the usernames you’ll like to provide access to. For example, if there are three usernames mentioned in the .htpasswd file, out of which you want to grant access to only two users, say user01 and user02, and not to user03, you’ll use the following require directive:

require user user01 user02

Once you’re done, save the file and upload it to the directory that contains the wp-login.php file. Now, the next time you try to login to your WordPress dashboard, you will find your browser prompting for authentication even before the admin-login screen is loaded, just like the fence we discussed.

http authentication protect wp-login.php