Website Security: This Excites me!

Sitting trying to find my php.ini for my local WordPress multi-install, and getting frustrated that I know I found it, and I changed the value I needed to change, but it isn’t showing up as changed, I get an email. It only contains one thing, but a beautiful thing:

Dear Site Admin,

A host,, has been locked out of the WordPress site at due to too many attempts to access a file that does not exist.

Then I sit back and reflect a little on why I am busting my ass doing this work. All the training, all the classes, and all the reading. On top of that, trying to find new clients. All whilst dealing with being at the end of a horrendous Chemo and Radiation treatment for Cancer (did I get the medal yet?). Then the Universe shows up with this. It may not mean a lot to most of you readers, but it means the world to me. It means that I am learning a little about website security, and the things I am implementing are paying off. Happy days.

I had two such emails yesterday for a client site, and I had no problems sharing it with them. I enjoyed letting them know that they are now protected. This particular client had been hacked badly, her site had been down for 2 months, and she was losing money before she found us. So we fixed her up, and now she can rest assured that things are working on her behalf, and she can get on with focussing on her own stuff, and leave the running of the website to us.

The client in question is hosting with a notoriously bad host that a lot of people use because they appear to be cheap up front, and they are a popular domain registration website as well. So heck, why not do everything in the one place, right? This host has been getting some real bad press lately about its inability to stop spammers and hackers, but why would that be an issue for them, since they have a product they can sell you for it should such an event occur, mmmmmmm.

There are a few ‘too big to fail’ companies out there doing the very same thing. That is why small personal touch companies such as BarbApple Studios need to band together, and work a little harder at getting through to these clients to show them that there is a better, smarter way to take care of their website.

This hacker was thwarted by two plug-ins, two not so measly plug-ins which I will cover in a minute. Plug-ins that were correctly installed and configured. Hey, that’s what you pay us for, and this is proof that your money is well spent, right? It is the desire to do something well, and to keep at it, that should drive us. If what you are doing sucks, then do something else. If you can’t stop doing what you are doing, then do that something else at the same time until you can transition over to it.


iThemes Security


WordFence Security

The plug-ins in question are Wordfence and iThemes Security, and these are in my ‘recommended plug-ins’ article. These are a must install, in my humble opinion, on every website. They match all 5 of my 5 Step Criteria as to when to install a plug-in. I will post the 5 steps below so that you don’t have to go to another article to read them.

There are other things I look for, but these are my top 5. Don’t be shy about leaving a comment on what you think is important for a plug-in. I am open to new things.

BarbApple Studios 5 Step Criteria for the Installation of a Plug-in

  1. Do you really need it?
    1. Sometimes we install plugins for a reason other than necessity. That reason, and we all do it, is just because it’s cool. I have nothing against having these cool plug-ins on a website as long as they don’t break my 5 rules. Even a plug-in that I feel my site really needs is not implemented unless it passes the tests.
  2. Does it rate high?
    1. This doesn’t help newer plug-ins.
    2. Those are the ones that have just been born and look like they are going to grow up into something really useful.
    3. This is where you make a choice as to whether or not you think it is worth it.
    4. If it works then go and rate it so you can contribute to the rating portion of the 5 Step Criteria.
  3. Is it updated on a regular basis?
    1. Does it say “Not tested with your particular version of WordPress” when you look at the details portion of the plugin?
  4. Do they offer a decent free version and a paid version?
    1. Does the free version actually have enough features turned on to check out what it can do properly?
    2. Does the paid version offer enough of a change, and add something you can use that would enhance your site even more?
  5. How fast is their technical support?
    1. Send an email to support and see how fast they get back to you.
    2. Sometimes this can go back to number 4. Maybe the fast technical support is only in the paid version. I have seen that in some plugins.

But even the basic configuration of these plug-ins will help you slow down any attempt at malicious entry into your website. Nothing is perfect, and I am sure there are those of you out there that could do a better job, but what we do here at BarbApple Studios works, and works well. It doesn’t take long to read their installation and configuration documentation anyway if you want to tweak them further. So take the time with these plug-ins and you won’t be disappointed with the results.


My Overhead as a WordPress Developer

What is the true cost of doing business as a WordPress developer? As I learned about how to make having a website a better experience for my clients, I realised that the journey I was embarking upon as a website and WordPress developer was going to cost me a lot of well spent time, yet would be sponsored by aspirin. Whilst I decided my goal would be how to keep the costs down for my clients, I realized that it would cost me more money for the things that I would need to develop their websites properly.

By this I mean using premium themes, proper hosting, good analytics, and solid security integration, to name but a few. So I spent some time adding up what I would have to pay per client, although some of the places I have to shell out money to would cover several clients, as the fees were not on a per client basis. My main intent was to write a private post on my own website about WordPress Development and what it was costing me, but keep it for my own information. As I wrote I thought, no, let’s see if I can wrangle my usually scattered morphine addled thoughts into a post that people may find useful. Also it would help me because I know there are those of you out there that may have better thoughts on this process, and help me tweak it with your experiences.

This article isn’t meant as a rebuttal to anything; it is to answer a question that I have been asked many times about why a small business like mine, that has the ability to work anywhere, charges what it does. Yes it is true, while there are perks to being able to work from home, there are also downsides to it, and one of those is that I can work from home.

Some clients in the past actually believed that I charged too much for my work, when like most of us, I can’t because of competition; which is healthy. Compared to the big developers I may be a little higher on some things, so my intention for this article is to clear up a few things in this area. Larger development companies with a large client base can afford to drop their rates when it comes to their WordPress Development because they have deals with overseas web designers that will work for $5 to $10 per hour. This saves the corporation lots of money to spend on advertising, and the like.

Some of them skimp on technical support, which is also farmed out overseas to people that have little to zero interest in whether or not your website runs efficiently. A lot of the technical support staff have no real knowledge of your project, just that you need help with it, and they have a script in front of them that may or may not get you up and running the way you think. You will end up settling for what you get, and I hear this story time and time again.

While you think you are saving money, you really aren’t, because a local developer can give you the following:

  • Invested service and support
  • Training
  • Faster service
  • Tweaks and subtle changes to your website
  • Peace of mind because we have fewer clients to worry about
  • Our ability to under promise and over deliver
  • Generally give you more than your money’s worth compared to a larger development company
  • The fact that we have something to prove

I know there are probably some benefits in going with larger companies as well, but I always err on the side of the small business person. They are responsible for more of our economy than you would think, and are a huge resource for keeping the work, and the money, in our local community. In your business, you would probably hope that this holds true for you too when people decide to shop for goods and services.

“While small businesses may not generate as much money as large corporations, we are a critical component of, and major contributor to, the strength of local economies. Small businesses present new employment opportunities and serve as the building blocks of the United States’ largest corporations.” (J. Mariah Brown, Demand Media)

Every WordPress developer or designer is different as far as where their money goes to develop their business or their skills. I can only show you what I have researched on the subject, and my own experiences as to what I have to pay in order to keep up to date with the times, and my clients needs. This is by no means a definitive list, and is based on my experience with it. If you have a place in your business where you are spending money, let me know in the comments below.

Here is a short-list of my over-heads, and why I can justify the fees that I charge a client.


Mortgage and bills: This is a given. Keeping a roof over my family’s head is important to me.

Food: Keeping my family fed is a big priority for me, as it is with any developer. We are not all sitting in our bedrooms with a bowl of noodles, drinking soda, and playing video games in our spare time. I am 55 years old and those were the days, just not today’s.

Hosting: This costs me money, because I use hosting services that are designed with businesses in mind. It costs a little extra, but we still manage to keep the cost to you low.

Design time: You would like to think that everything goes smoothly in the design of a website, but it doesn’t matter how good you are or how long you have been doing it, things will go askew from time to time. If you go with a good developer or designer, like BarbApple Studios, we can sometimes eat the cost of this ourselves.

Classes I take: These are the ongoing classes that make me a better WordPress developer and designer. Any new ideas and innovations, we generally give to existing clients for no charge. You might find your site getting faster, or drawing more business by some of the things we do as they become available to us through our keeping up to date with what’s going on out there.

Travel: Sometimes I have to travel by land and air to go to gatherings of like minded people that I know will help me streamline my business, so I can do the same for you, the client. I know this doesn’t happen that often, but often enough to mention it here.

Payment for software: With every job, there are tools, and these tools are expensive. They are more expensive for designers than they usually are for the general consumer. They are more robust and have pieces to them that only a designer would use. That is why, as a designer, I don’t use consumer tools to build a website, I use proper designer based tools.

Subscription to on-line resources: This brings me more up to date information about what is going on out there, and goes hand in hand with the Classes that I take, and are usually more current. Some of us are actively resourcing, marketing by going to leads groups, writing for advertising, and education purposes. We spend our free time reading other Blogs and websites researching material for ourselves, our fellow developers, and our clients. We are constantly researching, and filling our own Blogs with the information we find, in the hopes that somebody else finds the information useful.

Office Supplies: This is also a given for most people. In every business there is an office overhead, and I only add it as a part where there is physical product that we use that needs to be taken into consideration.

There are other expenses such as initial consults, business lunches, and other meetings with clients that do not get billed, and I try to work them into the price of the site so that there are no hidden charges. The last thing that a client wants at the end of the day is to think they have settled on a price, when all of a sudden there are other charges that they didn’t anticipate or didn’t think they agreed to. At this point I will mention how important it is to me to have a contract signed by you and your developer. I have such a contract, and I will post it for you to look at here.

So as a WordPress developer and designer give yourself a pat on the back for the work that you do if you are making a good living from it, or indeed trying to build a business from it. As a customer, remember that I have these things always following me around. My goal, as the person that creates your website, is to make you happy not undermine you, and to help you to grow your business, not throw it away.

Types of WordPress Plugins I Should Use

WordPress plugins tree

As you can see from the above chart, it is more like the family tree of plugins off the main WordPress core. The explanation and the presentation of it is my interpretation of the WordPress plugin hierarchy. I know some of you may not agree, some of you will, and even more of you will think it is over simplified, but that’s the kind of thing I meant to convey.

The WordPress core itself is extremely secure, and by that I mean as secure as any content management system (CMS) out there can be. Since it is written and updated by developers, and has a whole community behind it checking its validity, it is one of the most secure CMSs out there today. It has checks and balances because of that community.

The WordPress core (red) is the most secure version of your site. As it moves to the right and you keep adding more and more things, such as plugins, it gets less secure (white). Coming off of the green into the blue area denotes a website that is more vulnerable to breaking and/or getting hacked. My best advice is to make sure security is in place, and research your vanity plugins thoroughly before installing them.

Must have plug-ins: These are the plugins that, in my book, no WordPress website should be without. This will definitely vary from person to person, and from developer to developer. These are the plugins that I recommend, and I am totally open to this changing as I learn more or hear better arguments. That can happen a lot in this business, and it is one of the coolest things about WordPress. In this area I have the following categories: Backups, Updating, Security, and Anti-spam.

Should have WordPress plugins: These are the plugins that you will install after you have finished installing and testing the plugins on the “Must have” list. This section, plus the previous section, will give you a fully functioning interactive site, with the bare minimum of headache when you are trying to keep your site secure. I have included the following categories in this area: SEO, Caching, Responsiveness, and Forms. Personally I don’t think you can do without any of the plug-ins from either of the above areas. This, to me, is a full site if you are looking to have a functional, interactive site that also has the chance to be discovered on the web.

Vanity WordPress plugins: Believe it or not, this is a favourite section of mine. I do like my Vanity plugins, because some of them are really cool, add value, and most are very well supported. I am not one of those developers that will poo-poo you because you want to add vanity plugins to your website. If I am designing your website you just have to abide by my rules when it comes to any plugins in this category. You just have to be careful how you choose a Vanity plugin, and what purpose it is supposed to serve on your site.

I have created a table for you to look at with specific examples of plugins I use that fall into each of the areas. When adding a new plugin directly from the table below, follow the procedure outlined here. It should work most of the time, and otherwise it is very easy to figure out:

  1. Click the link to the plugin
  2. Download the plugin to your hard-drive
  3. Go back into the “Admin” section of your site
  4. Select “Plugins”
  5. Select “Add New”
  6. Select “Upload Plugin” at the top of the page
  7. Click the “Choose file” button
  8. Find the plugin on your hard-drive (usually in your Downloads folder), highlight the file and select Open
  9. Click “Install Now”
  10. Activate the plugin
  11. Re-read the documentation on the plugin to know how it sets itself up on your computer
  12. Check that the plugin is there and configure it

Video coming soon on how to download and install a plugin


Area | Category | Specific plugin (* = Best in my book) | Version / cost
Must Have | Backup | Backup Buddy * | No free version
Must Have | Backup | BackWPUp * | Free
Must Have | Updating | iThemes Sync * | Free – on-line service
Must Have | Updating | JetPack Monitor | Free – on-line service
Must Have | Updating | ManageWP * | Monthly subscription – on-line service
Must Have | Security | iThemes Security * | Free and paid version
Must Have | Security | Sucuri * | No free version – on-line
Must Have | Security | CloudFlare * | Free and paid version – on-line service
Must Have | Security | Really Simple CAPTCHA | Free
Must Have | Anti-Spam | Akismet * | Free and comes with WordPress
Should Have | SEO | WordPress SEO by Yoast * | Free and paid version
Should Have | Caching | W3 Total Cache * | Free and paid version
Should Have | Caching | P3 (Plugin Performance Profiler) | Free
Should Have | Responsiveness | WP Touch * | Paid version
Should Have | Responsiveness | JetPack Mobile theme | Free
Should Have | Forms | Gravity Forms * | No free version
Should Have | Forms | Contact Forms 7 * | Free
Vanity | Editor | WPEdit * | Free
Vanity | Social buttons | Floating Social Bar * | Free
Vanity | Social buttons | SumoMe | Free and paid version – on-line service with plugin
Vanity | Widgets | Display Widgets | Free
Vanity | Media Library | Enhanced Media Library | Free
Vanity | Typography | Google Font Manager | Free
Vanity | | Hide Title | Free
Vanity | | No Page Comment | Free
Vanity | | Yet Another Related Posts Plugin | Free

There are definitely tons more plugins than this, but this will give you a basic idea of the areas that you will most likely need to fill first. Whatever you are looking for can be found by following the steps above the table for finding a plugin or a type of plugin. Let’s say you have an idea and you want to see whether a plugin exists that might help; then type it in.

Remember that a bad plugin has the potential to crash your site. So when you install a plugin, always check that your site is working after EACH install. Don’t install 5 or 6 plugins and then check your site. If it isn’t working, there is no way to tell which plugin was responsible. So take your time and test, test, test as much as you can. Try to limit the number of plugins you install, and delete the plugins that you are not using. Also delete any themes that you aren’t using. This reduces the chances that a hacker can get into your website, but all of this is discussed in another article on this site, where I talk about how to tighten up, or lock down, your site.

WordPress Theme Resources

WordPress Themes:

These are the resources that I use or ones that come highly recommended to me. Each organization that designs their own themes can also have a framework that they work under, and I will do a blog on frameworks later on. So if you are going to use a Rockettheme template, for example, you would do better using their framework as well which comes in the form of a separate plugin called Gantry, but this can be a good thing. Woothemes has its own framework as well, so shop around if you are “Geeky” enough to want to spend the time.

Most of these sites have both free and paid themes. For a really good theme for your site, you can find free ones that will fit your needs, but beware, they are what they are. They may not be updated often enough, and could break down after a few updates to the WordPress main core.
Some great free themes here. Some will already come bundled with your installation of WordPress. There is a better chance that these themes will be supported although a lot of these are also designed by third party designers. The difference is that they have to be approved by WordPress before they are available for download.


RocketTheme: “Has an extensive collection of premium WordPress themes available for purchase and download. Each of our themes are built with usability and customization as a priority. Each theme can be easily modified to fit virtually any blog, portfolio, or corporate site. They add a new theme every month, and an array of proprietary extensions to enhance your site”. These are the themes I use at the moment, not because I think they are better, but because I am in a Rockettheme mode at the moment.

Elegant Themes: “Design is our art and our passion. Our goal is to create the best WordPress Themes with a pixel-perfect eye for detail and a high standard for aesthetic excellence. Let us help you make your website simple, beautiful and professional.” I have used their themes in the past, and found them to be really good.

Headway Themes: “Headway Themes allow you to build any layout you can think of, with full customization of any page with the powerful Headway Visual Editor.” I have one test site using this type of theme. Like all intricate themes, there is a learning curve that will have to be overcome, but worth it in the end.


WooThemes: are powered by the versatile WooFramework allowing you to build a site with incredible flexibility. They also have some very powerful plugins, including their eCommerce one, that work better with their themes.


Other WordPress Theme Resources to try:

Theme Trust –
Moderately priced themes ranging from basic to magazine templates. Very nice and responsive, but it is a pay-for template site. This isn’t a bad thing; as I said in my earlier articles, the support is generally better and updates are generally better when you purchase a theme rather than go for a free one.

Studio Press –
The Genesis framework in particular uses the child themes it has to get close to the build the client is looking for. It will help you get close to the build they want and helps those on a limited budget. Genesis is a great framework to be working with, and if you are going to start learning a framework, I would recommend this one.

PageLines –
PageLines customers are a diverse and talented group of professionals from around the world. PageLines software is now used in over 170+ countries and powers sites as varied as Bicycle Tours in London to Musicians in Sweden. Within such a global community there are many unique ways of designing websites. With this in mind we wanted to create a place where you can share your creativity and learn from the creativity of others.

Template Hawk –
This is yet another resource for templates. They really have nothing to say about themselves over there but they do have some decent templates and offer ‘affordable’ customization.

Themezilla –
We build premium WordPress themes & plugins.
Over 40,000 customers use our themes to power their websites.
Become a member today and download our entire collection.

Creative Market –
Yet another company that doesn’t say a lot for itself, but I would recommend going over there and taking a look. Their themes are really beautiful, and very pastel like. They also have plug-ins and custom vector graphics. Their blog is also not all about them but has a great number of useful “How to” articles. So check it out.


Theme Foundry –
A brand you can trust. Established in 2008, we’ve been selling WordPress themes for over 7 years. We’re an official partner. Our themes meet their strict quality and security guidelines. Our newest themes include professional grade Typekit® fonts. You won’t find this anywhere else.

ZigZag Press –
Find a range of flexible, functional Premium WordPress Themes built on the rock-solid Genesis framework! Yet another website that offers themes running on the Genesis framework. You can’t beat that.



JV Zoo –

In case you wanted to create a store just selling templates, plugins and the like, I included this website. In their own words: “There are no out of pocket costs to become a JVZoo seller. You can create as many buy buttons as you like and add as many products as you want to our marketplace. You will never be charged a fee for doing so.”

Wanna Find a Plug-in?

I re-worked this wonderful compilation of plugins I have come across. Some of them will be old, so let me know, and I will try to keep an updated list. My favourites are among these, but I have probably test-driven all of them at some point. I have also left out some of the more obvious ones, and it’s fine to bring my attention to those as well.

So if you have a plug-in you would like to see on the list feel free to post it in the comments section below along with anything else you might have to say. This list will be changing from week to week and I will be adding new information as I get ideas of what to include, and I will be tweeting the changes so make sure you are following me on twitter.

I am also not rating which I think are best at the moment, but it is on the cards when I review this list for plugin additions, so if you see an asterisk, or other form of rating mechanism, then that means I have started doing just that. So check your twitter feed under @barbapplestudio

A really nice resource for searching for plugins based on category, downloads, votes, etc is:

“Google Trends for .org Plugins” – Simple tool to compare free plugins side-by-side:

  • Custom Post Types
  • Custom Fields
  • For Images
  • For Managing When Plugins or Scripts Load
  • For Caching
  • Google Analytics Dashboard
  • Full Screen Background Sliders
  • Social Sharing
  • RSS Aggregation / Feed to Post Import
  • Frontend Post/Registration


This is by no means a definitive list but it will be growing and I will be posting it on twitter for sure.

Awesome news with ManageWP

I was sitting here in my pajamas at 5 am, tired and wide awake, and went to my favorite website right now to find out if it did what I asked it to do while I was asleep. YES! It did! When does that ever happen? Well tonight it did, and raised the bar a little bit as far as I am concerned as to what I look for in a website. It was a reminder to me why, as developers, we need to charge for what we do. This isn’t a big name company, but if it continues to do what it’s doing as efficiently as it has, then we are looking at a contender here, at least in my book. So much so that it warranted me writing a review, and having as many people experience this Disney World of websites as possible. It is also a reminder of what a geek I truly am.

As a web designer, I am inundated with emails promising me that if I use a particular piece of software, my life will get easier. I buy this pitch time and time again like a dog begging for treats, yet all it gets is a pat on the head at the end. Sometimes it gets the treat, so it is worth the constant humiliation when it does. If you stay in the game long enough a gem like ManageWP comes along. And yes, I became an affiliate because I’m not as slow as people think, although I do choose with whom I affiliate very carefully.

On with it, web geek, give us the story, Father Mc Grory, and enough of this incessant rambling. OK, it is called ManageWP and it does the following for me right now: it manages WordPress, MY WordPress.


Manages all my websites in the following way:

  • Tracks my plugins and themes and whether they need updating or not, and will update them from there
  • Uptime monitoring
  • Daily, Weekly, and monthly backups
  • Black and white listing checking
  • SEO Keyword checking with Google and others
  • Clone and Migrate any website
  • Client reporting – nice touch!
  • Track spam comment in all of the sites

I mean there is a manure truck full of other stuff it can do, but too many to list here. Your best bet is to put on your crash helmet and your seatbelt so that you can head on over to ManageWP and test drive this for yourself. As I said, so far so good with this tool, and finally something that is so useful I’d be nuts to keep it out of my toolbox.

Oh yeah, before I nod off again, the pricing is very reasonable right now, and does get more inexpensive per site, the more sites you have. As of this writing their price for one website is as follows:

  • One-click updates
  • One-click login to any dashboard
  • Install, manage plugins & themes
  • Manual backups

$0.80 per website / month

  • Standard features, plus:
  • Scheduled backups (including to Amazon S3, Dropbox, Google Drive)
  • Clone wizard
  • Client reports
  • Google Analytics integration

$2 per website / month

So there you have it. Give it a try, and let me know your comments about it below.

Ten things I do

These are the ten things that I do when I initially start on a client’s website. These can vary, and other things may be done depending on the scope of the project. Most of these are must haves, and others are dependent on the client’s needs. But number 10 is a must and happens on every build. Have fun.

  1. Change admin user name to something else
  2. Install iThemes Security. Run Scan and set it up
  3. Delete unused plugins and themes
  4. Install W3 Total Cache, and configure it.
  5. Install a good backup plugin like BackupBuddy or BackWPup, and back up the website.
  6. Change permalinks, and other aspects of the settings tab.
  7. Make sure the theme, and the plugins I use are well supported.
  8. Delete all default pages, posts, and comments
  9. Install SEO by Yoast – if client wants search engine work
  10. Make some tea or coffee.

This is not all I do, but I make sure these 10 things are definitely done.

Limit Logins

Limit Login Attempts – By Johan Eenfeldt

This plugin will limit the number of login attempts possible both through normal login as well as using auth cookies. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

This is why it is important to research and test. Test Test Test! I used to like this plugin, but it has gotten the better of me a few times, and my clients too; it is too tough and I was still getting comment spam with it. Locked myself out quite a few times with this. Two mistypes, and hitting the enter key on a blank password, locked me out. I know you can set it however you like, but not user friendly enough for me.
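The lockout notice at the top of this page (too many requests for files that do not exist) and the retry limit that Limit Login Attempts describes are the same mechanism: count failures per remote address inside a time window, and block that address for a while once a threshold is crossed. Here is that mechanism as an added example over constructed log lines; it is not code from either plugin, and the threshold, window and lockout values are assumptions. The strict policy at the end reproduces the lockout-after-two-mistypes situation described above.

```python
"""Threshold lockout tracker (added example, not from any WordPress plugin).

Each failed attempt of a given kind ('login' or 'missing_file') is counted per
remote address inside a sliding window. Once the count exceeds the retry limit
the address is locked out for a fixed period and an admin notice is recorded.
All log lines here are constructed sample data."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    # Hypothetical values; not the defaults of any real plugin.
    max_retries: int = 4         # attempts tolerated inside the window
    window_seconds: int = 600    # sliding window for counting attempts
    lockout_seconds: int = 1200  # how long an address stays locked out


@dataclass
class LockoutTracker:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    # (host, kind) -> timestamps of recent failures still inside the window
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    # host -> timestamp at which its lockout expires
    locked_until: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)

    def is_locked(self, host: str, now: int) -> bool:
        """True while a lockout for `host` is still in effect at time `now`."""
        until = self.locked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[host]  # lockout has expired
            return False
        return True

    def record(self, host: str, kind: str, now: int) -> bool:
        """Record one failure. Returns True if this failure triggered a lockout."""
        if self.is_locked(host, now):
            return False  # already blocked; nothing more to count
        q = self.attempts[(host, kind)]
        q.append(now)
        # discard failures that have slid out of the window
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()
        if len(q) > self.policy.max_retries:
            self.locked_until[host] = now + self.policy.lockout_seconds
            q.clear()
            reason = ("too many failed login attempts" if kind == "login"
                      else "too many attempts to access a file that does not exist")
            self.notices.append(
                f"Dear Site Admin,\n\nA host, {host}, has been locked out "
                f"of the WordPress site due to {reason}.")
            return True
        return False


def replay(log_lines, policy=None):
    """Feed lines of the form 'timestamp host kind' through a fresh tracker
    and return the tracker so its state can be inspected."""
    tracker = LockoutTracker(policy or LockoutPolicy())
    for line in log_lines:
        ts, host, kind = line.split()
        tracker.record(host, kind, int(ts))
    return tracker


# Constructed sample: one address probing for files that do not exist,
# one legitimate user who mistypes a password twice.
SAMPLE_LOG = [
    "1000 198.51.100.7 missing_file",
    "1001 198.51.100.7 missing_file",
    "1002 198.51.100.7 missing_file",
    "1003 198.51.100.7 missing_file",
    "1004 198.51.100.7 missing_file",  # fifth failure inside the window: lockout
    "1005 198.51.100.7 missing_file",  # ignored while the address is locked
    "1100 203.0.113.5 login",
    "1101 203.0.113.5 login",          # two mistypes: no lockout under the default policy
]

if __name__ == "__main__":
    for notice in replay(SAMPLE_LOG).notices:
        print(notice)
```

Lowering `max_retries` to 2 and adding a third failed login (the blank password) locks out the legitimate user as well, which is the trade-off between a tight limit and usability that the plugin's settings control.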


iThemes Sync

This is an awesome unobtrusive plugin to help you keep track of all of your theme and plugin updates. Easy to install and configure which is a plus for me. In their own words:

It's important to keep your WordPress sites updated, both for the security of your site and to take advantage of the latest features and improvements of your themes and plugins.

Updates to WordPress core and any plugins or themes installed on your sites can happen pretty frequently. And if you're managing multiple WordPress sites, keeping them all updated can take up a lot of your valuable time.

iThemes Sync is an easy way to manage updates for all your WordPress sites from one place. Instead of logging in to each site individually, you have one place to view and install available updates.

iThemes Security

Maybe it is because I know the developer, maybe it’s because it’s a great plugin, or a combination of both, but I love this plugin. It covers a lot of bases when it comes to WordPress website security, and gives me peace of mind for my website. It isn’t the only thing I have installed, but it is a must and the first security install for me on a client’s site. In their own words:

“iThemes Security shows you a list of things to do to make your site more secure with a simple way to turn options on or off. We’ve simplified these steps and provided descriptions of each action so you know exactly what’s happening on your site. You shouldn’t have to be a security pro to use a security plugin. And isn’t that the point?”