What’s more, if your content isn’t accessible on any type of device, then you risk losing out on potential visitors. Fortunately, by using a headless Content Management System (CMS), you can create your content once and then publish it across multiple operating systems, including Android and iOS.

In this post, we’ll explore what makes a CMS headless, and the reasons you may want to choose that kind of platform. Let’s get started!

What Is a Headless Content Management System (CMS)?

A Content Management System (CMS) has a front end (the head) and a back end (the body). To convert a traditional CMS into a headless CMS, you separate the two ends. The ‘head’ refers to where the content ends up, and the ‘body’ is where that content is stored and authored.

A headless CMS tends to take the form of a database back end with a web-based User Interface (UI) as the front end. You’ll use the UI to create your content, and the database to store and manage all of the supporting data.

A headless CMS doesn’t care how or where your content is displayed. Instead of coupling your content to a specific output, such as a web page, it provides your content as data using a RESTful Application Programming Interface (API). To access a post, you’ll send the headless CMS a network request to an API endpoint.

You can host a headless CMS on your own server and database. However, this requires you to perform your own scaling and operations. In most cases, it’s simpler (and cheaper) to host your headless CMS using a web hosting provider.

The opposite of a headless CMS is a traditional or ‘monolithic’ CMS. This is software that you either install and manage yourself, or access via a managed environment. While a headless CMS only provides the back end required to store and manage your content, a traditional CMS provides a way to display that content as well.

Of course, some platforms can do double duty. For example, WordPress is typically considered a traditional CMS. However, WordPress has a REST API built in, which makes it a popular choice for converting into a headless CMS.

5 Benefits of Using a Headless CMS

There are many benefits to opting for a headless rather than a monolithic CMS. Let’s look at five of the key advantages.

1. You Can Push Content to Multiple Platforms

Modern web content should be accessible across multiple platforms. A headless CMS removes the presentation layer from your content, which makes it platform-independent.

When you need to deliver the same content across various channels, a headless CMS can save you a significant amount of time. For example, you can make API calls to a headless CMS and push the same content to both iOS and Android. This is often much easier than developing and maintaining two separate sets of content.

2. Choose Your Preferred Technology and Tooling

A headless CMS enables you to take a developer-first approach, rather than focusing on how the back end will feed to the front end. Since headless content is served over APIs, you can build your website using the technology of your choice, including your preferred front-end tooling. You can also define how data is stored and managed in the back end.

Since you don’t have to learn technology that’s specific to your chosen CMS, a headless platform can save you a significant amount of time. As your project evolves, you can interchange parts of your technology stack, or move from one framework to the other without having to start from scratch. This gives you the freedom to continuously revise and improve your approach, based on the changing needs of your project.

3. Greater Freedom to Display Your Content

Since you’re not tightly tied to any particular themes, plugins, or even a specific platform, you have more control over your content’s appearance. Even if you develop custom software such as bespoke themes and plugins, you’re often restricted by your CMS’ front end.

By opting for a headless CMS, you have greater freedom to store, develop, and present your content. This includes showcasing your content in ways that traditional CMSs such as WordPress aren’t designed to support, even with the help of themes and plugins.

4. Protect Your Content Against Attackers

Headless content is separated from the presentation layer, which means that it has a smaller attack surface. In particular, a headless CMS doesn’t have a native content publishing solution, so the chances of a Denial-of-Service (DDoS) attack are reduced.

Since your content exists separately from your front-end delivery, it also isn’t as vulnerable to third-party application issues. This includes security vulnerabilities and bugs that are sometimes present in pre-existing technology stacks.

5. Get a Performance Boost

Traditional CMS architectures have to spend resources on content editing and rendering. By contrast, a headless CMS consists of a content database and API calls. This can significantly reduce your overhead costs and cloud storage bills.

When used as a headless CMS, WordPress only requires a simple MySQL and PHP stack, making it a lightweight and high-performing option. In other words, headless architecture is a great way to speed up your websites and applications.

Potential Issues With Headless CMSs

For all the benefits on offer, there are some potential drawbacks. Headless CMSs don’t offer a ‘What You See Is What You Get’ (WYSIWYG) editor or a live preview option, which can make it difficult to predict how your content will appear when rendered.

Headless CMSs also typically require more maintenance, particularly in terms of updates and security. They can also require different credentialing, and may benefit from advanced libraries and front-end programming expertise. For these reasons, headless CMSs can be challenging for users who don’t have extensive content management and programming experience.

Using WordPress as a Headless CMS (2 Methods)

If you’ve weighed up the pros and cons and decided to give headless a try, WordPress is a great platform to get started with. Here are two ways to set up WordPress as a headless CMS.

Method 1: Create a Blank Theme

The front end may have little role to play in a headless CMS, but WordPress does still require a theme to run. The easiest option is to create a blank theme, using the following files:

1. index.php. This will redirect users to your website’s static home page. The file will preserve the back end, and remove the front end of your CMS.
2. style.css. This should contain some basic information about your theme, including the theme’s name and the author’s name.

To create your index.php file, you’ll use the following format:

<script type="text/javascript">

window.location = 'http://example.com';

</script>

To create the style.css file, use this format:

/*

Theme Name: blank

Author: name

*/

You can then place these two files in your wp-content/themes/blank directory, and activate the theme in the WordPress admin area.

Method 2: Use a Plugin

Alternatively, you can create a headless WordPress installation using a plugin. While this diminishes your flexibility a bit, it’s also a faster and simpler option.

There are a few tools you can try, but we’d recommend getting started with WP Headless CMS Framework:

This solution provides multiple framework options, and is highly-configurable thanks to a collection of modules that can be activated and deactivated at will. The plugin also comes with its own comprehensive documentation, which should get you up and running quickly.

Conclusion

In today’s multi-device world, it’s often not enough to publish your content to a single place. Creating content for multiple platforms can be a time-consuming process, but a headless CMS enables you to do this far more quickly and effectively.

To set up WordPress as a headless CMS, you can either:

1. Create a blank theme.
2. Use a plugin, such as WP Headless CMS Framework.

Going headless doesn’t eliminate the need for secure, reliable hosting! Regardless of whether you opt for a traditional or a headless CMS, make sure you choose the right hosting provider.

The post What Is a Headless Content Management System (CMS)? appeared first on GIWS Blog.

There are a few plugins in the WordPress repository that can help you organize and arrange multiple files into more easily accessible folders. This way, you can find your media content faster than you would with the default Media Library.

In this post, we’re going to show you four plugins that can help you have a more efficient WordPress media library. We’ll also talk briefly about why you need to organize your media library. Let’s dive into it!

Why You Need an Organized WordPress Media Library

The WordPress Media Library lets you add, edit, view, or delete media from your WordPress site. The media you upload when creating and editing pages and posts also appears here. Media types can vary from images, videos, audio, spreadsheets, and more. By default, the Media Library offers some pretty useful yet basic options with regards organization.

For example, you can switch between a list view and a grid view. Likewise, you can choose which content to display based on the media file type or the date it was uploaded. If the Media Library offers this level of organization, it begs the question of why you’d need an additional plugin to organize your WordPress media.

In short, once you begin to have lots of media files in your library, you’ll likely require more organizational features than is offered by default. Here are just some of the benefits of having a more organized Media Library:

• It’s easier to access old media files. If your site is years old, you’ll likely know how frustrating it can be to find old media files. In most cases, you’ll end up having to re-upload images or videos. Having the ability to create folders makes it significantly easier to navigate through your library’s content.
• You can save screen space. The WordPress Media Library packs all your media files into one place. However, it doesn’t really let you individually manage how your media appears on your screen. Even a month’s worth of images will see you hunting to find a particular image.
• An organized media library simply looks better. Your Media Library can quickly begin to look messy. Organizing the whole place will definitely be more pleasing to the eyes.

Almost any site that consistently uploads media files can use a dedicated media plugin. Creative image-heavy websites such as webcomics and portfolios that require a consistent upload of high-quality media content will find it even more instrumental.

4 Plugins for a More Efficient WordPress Media Library

Let’s take a look at some solutions for implementing a more efficient Media Library. Here are four of the best plugins we recommend:

1. FileBird

FileBird’s approach to organizing your Media Library is centered around folder creation and file management within your dashboard. The plugin creates virtual folders that you can give descriptive names to for easy navigation.

One of the most outstanding features of FileBird is the ability to create unlimited folders and even subfolders in the premium version, although the free version is no slouch either. It has a simple intuitive user interface with drag-and-drop capabilities to ease the process of moving files into folders and rearranging them. You can also create, rename, or delete folders as you would on your desktop computer.

The plugin is also compatible with many other plugins, themes, and page builders. In general, it is a powerful library tool that seamlessly combines utility and ease of use.

2. Media Library Assistant

Organizing your library with the Media Library Assistant plugin is different to other solutions. The plugin relies on a set of shortcodes that you can use to directly add images and other media file types when editing a post or page. The shortcodes are mostly high-level and easy to remember – for example [mla_gallery].

Media Library Assistant also makes locating media on your site much easier than the default. It adds two extra tabs within your Media Library screen, and allows for multiple search filters including alt text, image captions, and slugs among many others. Just like FileBird, the plugin is also compatible with many other plugins and supports various languages.

3. Folders

The Folders plugin offers much more than Media Library enhancement. It not only helps you to organize your media files, but virtually your whole site — pages and posts inclusive. So, whether it’s a site page, blog post, image, or videos, you can easily save them in the same folder or subfolder. Likewise, it is possible to copy files into multiple subfolders which can come in handy when you’re using the same files on different pages.

The plugin is a really powerful management tool that can afford you a similar level of organization to your experience on your desktop computer. It includes a drag-and-drop feature that makes the plugin very easy to use. There’s also a premium version costing $19 per year, which lets you access more than the standard ten folders, among many more additions.

4. Export Media Library

Of all the entries on our list, Export Media Library offers the most highly-specific functionality. In fact, the plugin comes with just one feature — exporting your WordPress media files as an archive (.zip file). However, you can choose the folder structure option that best suits you.

You can either export your packaged file as a single folder containing all of your media files, or create nested folders for your site’s content. The other selection is whether or not to compress your export file. By doing this, you’ll get a lighter file in size, at a cost of longer processing time to create it.

Overall, this plugin isn’t going to make your day-to-day Media Library management any quicker. However, it’s going to work really well in conjunction with other tools on this list, especially if you’re moving your site.

Conclusion

The default WordPress media library is a fantastic tool when it comes to uploading content to your site. However, after a while, you may discover that you need more organization than what is provided by default.

Here are the four WordPress plugins we recommend for achieving a more efficient media library:

1. FileBird: A powerful tool with easy-to-use drag-and-drop capability.
2. Media Library Assistant: Uses shortcodes and extensive search filters to organize your Media Library.
3. Folders: Organizes site-wide content into folders – pages, posts, and media alike.
4. Export Media Library: Offers a way to export your Media Library, and split the contents into custom folders.

The post 4 Plugins for a More Efficient WordPress Media Library appeared first on GIWS Blog.

WordPress is inherently a highly-secure platform. The security team is made up of a number of experts who work hard to deal with security concerns at every new update. However, no site is totally safe, which means there are still vulnerabilities you’re liable to experience.

In this article, we’ll consider five of the most common WordPress security threats and how to prevent them using the best practices. Let’s go!

How We’ve Chosen the Most Common WordPress Attacks

For the purpose of this article, we’ll be basing our advice on the Open Web Application Security Project (OWASP) ranking. Since 2001, OWASP has been an integral part of the promotion of security and trustworthiness online. They are a nonprofit foundation that works hard to improve software integrity on the internet.

The project sets a clear goal of comprehensive data collection and achieves it by leveraging the OWASP Azure Cloud Infrastructure to collect, analyze, and store data contributed. In essence, volunteers can simply contribute data by sending a CSV/Excel file by email or uploading it to a contribution folder.

OWASP uses this data collection and analysis system to compile a list of the Top Ten security risks sites encounter regularly. With about 275 local chapters worldwide, the project has grown a reputation for helping organizations to develop and maintain trustworthy software applications.

The 5 Most Common WordPress Attacks (And How to Prevent Them)

If your WordPress site’s security is a priority, this list will help you to know the attacks to look out for and how to prevent them. Let’s begin!

1. Injection Flaws

The most prominent vulnerability you’re likely to encounter on your WordPress site is a code injection flaw. You mostly experience an injection when your site lets users enter data through a vulnerable entry point, such as a contact or login form.

When the data entered is not ‘validated’, you can be susceptible to this attack. SQL injections are the most common but other types such as NoSQL, OS, and LDAP injections may also be an issue.

Injection flaws often lead to access denial, data loss and corruption, disclosure to unauthorized parties, and even total host takeover.

The best approach to prevent injection involves separating commands from queries on your site. WordPress developers can use certain SQL controls such as LIMIT to prevent this. Site owners can also take advantage of security plugins (such as Malcare) to keep their websites protected.

2. Broken Authentication

Broken authentication occurs when there’s a vulnerability in the implementation of identity and session controls. The strength of a site’s authentication control is highly dependent on session management.

If this is not implemented properly, hackers can compromise your keys, passwords, and session tokens. In most cases, you may end up suffering identity theft, social security fraud, and disclosure of highly sensitive information.

If you want to minimize the risk of broken authentication, you should implement multi-factor authentication on your site. What’s more, look to replace the default credentials you’re given when creating a new WordPress site. Weak password checks should also not be an option, especially for admin users.

3. Cross-Site Scripting (XSS) Attacks

Very similar to injection attacks, XSS attacks occur at entry points into site – such as user input fields. These attacks happen when automated applications detect any form of XSS on your site. It can be exploited to sneak untrusted data into a new page that lacks proper validation or an existing one through user-inputted data.

Cross-site scripting lets the attacker execute code remotely within the victim’s browser. This way, they can either steal their credentials or deliver malware. You can prevent an XSS attack by making use of two strategies.

The first strategy is to ensure that network requests generated from one page doesn’t gain access to data on another. Likewise, your website must be able to differentiate between regular input and malicious code. Frameworks such as React JS escape this attack by design.

Generally, preventing XSS attacks starts with good development practices. For a site owner, choosing a strong, secure theme is vital.

4. Sensitive Data Exposure

Sensitive data exposure can be considered a data breach. When sensitive data is being transferred or stored on your site, you must put adequate measures in place to ensure that hackers can’t lay their hands on it. Otherwise, if exposed, attackers can steal passwords, credit card details, session tokens, and much more besides.

Apart from putting your own sensitive data at risk, your site visitors can also be victims. This is why you must do your best to keep data secure on your site.

In a bid to escape this type of attack, it is important that you never store data in plain text or accept data sent over non-HTTPS connections. For site owners, a suitable SSL certificate can help you encrypt the most sensitive data across networks.

5. XML External Entities (XXE)

This type of attack arises due to old or poorly managed eXtensible Markup Language (XML) processors. These evaluate references to external entities within XML documents. In the process, an attacker can exploit an incorrectly configured XML parser that accepts XML directly or through XML upload. In other words, they can now access any XML input that makes references to external entities.

XXE can be used to execute a Denial of Service (DOS) attack, extract your data, or even implement a remote request from your server as well. Developer expertise goes a long way in identifying and dealing with XML external entities.

To prevent this attack as an end user, you’ll want to keep your core WordPress installation up to date. XXE concerns are usually at a fundamental code level, and are patched during version updates of core software.

Conclusion

While the core WordPress software is continually updated to mitigate major security threats, plugins and themes can be a major source of concern for users – especially if they’re poorly coded. In essence, the more attention you pay to your site’s security, the less the probability of having to deal with these issues.

In this post, we’ve looked at five of the most common WordPress attacks today. Let’s recap them quickly:

1. Injection flaws
2. Broken authentication
3. Cross-site scripting (XSS) attacks
4. Sensitive data exposure (SSL Certificates can help avoid this)
5. XML external entities (XXE)

The post The 5 Most Common WordPress Attacks (And How to Prevent Them) appeared first on GIWS Blog.

Fortunately, by implementing some simple security tactics and performing regular checks, you can make your site much less vulnerable to attack. This can help you avoid losing customers, traffic, revenue, or confidential information due to a preventable security breach.

In this post, we’ll discuss why protecting your WordPress site is more important than ever. We’ll then share nine of our top tips for boosting your site’s security. Let’s get started!

An Introduction to WordPress Security

WordPress powers over 40 percent of the web, which makes it an attractive target for hackers. If a malicious third party manages to identify a vulnerability with one WordPress website, they could potentially use that same security loophole against the millions of other websites that are built on the same platform.

With this mind, it’s unsurprising that attacks against WordPress are on the rise. Wordfence recorded 4.3 billion attempts to exploit vulnerabilities in 2020. When asked about web security, over 70 percent of developers, freelancers, and agencies confirmed that they are increasingly worried about their websites. In fact, 25 percent of respondents confirmed they’d had to deal with a hacked website in the month prior to participating in the survey.

The WordPress team has a strong track record of identifying and addressing vulnerabilities in the platform. However, no software is perfect. In addition, many website owners choose to extend WordPress core with themes and plugins. These third-party products can add new designs and features to your site – but can also add new security vulnerabilities.

According to Patchstack’s security whitepaper, third-party plugins and themes account for 96.22 percent of detected WordPress security vulnerabilities. The total number of active and vulnerable theme and plugin installations detected throughout 2020 came in at a staggering 70 million.

If a hacker does manage to take control of your site, the consequences could be disastrous. The attacker might deface your site, steal your data, or redirect your loyal customers to a spam website.

The impact of these malicious activities can be far-reaching. They may include a loss of trust amongst your customers and missed sales, right through to potential legal action due to your failure to protect your visitors’ information.

9 Ways to Keep Your WordPress Website Secure in 2021

WordPress may be a favorite target amongst hackers, but that’s no reason to switch to a different Content Management System (CMS). Let’s take a look at nine tips that you can use to harden and protect your WordPress website against common attacks.

1. Choose a Hosting Provider That Prioritizes Security

The most important way to keep your WordPress website safe is to choose a hosting provider that prioritizes security. Wherever possible, we recommend opting for a hosting solution that offers built-in security features and tools.

At GIWS, we take security seriously, which is why all of our hosting packages include the Cloudflare Web Application Firewall (WAF). This tool can help protect your site against brute-force attacks in which a hacker tries to submit many different passwords and usernames in the hopes of guessing the combination correctly.

Our hosting plans also come with the cPanel control panel and Softaculous installer. This popular installer provides access to a wide range of add-ons, tools, and software, including many that can help you protect your website.

Running outdated software can make your site more vulnerable to attack. If you do choose to install additional software via Softaculous, then we’ll email you every time an update becomes available. This ensures you won’t miss any critical security updates or bug fixes that can help bolster your site’s security.

If you do have a security concern, then it’s important to address it straight away. That’s why we also offer 24/7 customer support to all of our hosting customers.

2. Install a Secure Sockets Layer (SSL) Certificate

Without a Secure Socket Layer (SSL) certificate, malicious third parties may be able to intercept the data your website sends and receives. This includes login credentials and payment details. If a hacker manages to access this information, it could damage your reputation and destroy users’ trust in your website. It may even land you in legal hot water due to data protection laws.

An SSL certificate can help ensure your private data remains private by transferring information via Hypertext Transfer Protocol Secure (HTTPS) instead of Hypertext Transfer Protocol (HTTP). As the name suggests, HTTPS is more secure than HTTP, as it enables you to encrypt any data that flows in and out of your website.

To help you meet this important security requirement, we provide several different types of SSL certificates:

After procuring your SSL certificate, we’ll send you an SSL Token via email. You can install your certificate by adding it to your website.

If you’re a cPanel user, then you can log into your account and launch the SSL Status:

We’ll then ask some simple questions about your website and your certificate. After providing these details, AutoInstall SSL will upload your certificate and your data will be encrypted.

3. Implement a Content Delivery Network (CDN)

If a malicious third party manages to break into your site using a brute-force attack, they could wreak havoc. They might steal your data, deface your site, or even delete your WordPress website entirely.

You can help protect your site against brute-force attacks by using a long, complex password that features a mix of numbers and symbols, plus uppercase and lowercase letters. However, some hackers use automated scripts and bots to bombard your site with thousands of login credentials. Even if you follow password best practices, your site may still fall victim to a brute-force attack.

To protect against these automated scripts and bots, you may want to consider using a Content Delivery Network (CDN). Although this tool is often used to improve website performance, it can also block malicious requests from ever reaching your site.

This may prevent hackers from hammering your site with login credentials. At GIWS, we offer the Cloudflare CDN to all our customers:

In addition to offering brute-force protection, Cloudflare’s network is designed to monitor and mitigate Distributed Denial-of-Services (DDoS) attacks. In this scenario, a hacker floods your network with so much malicious traffic that it exceeds your website’s capacity to process requests, at which point legitimate requests may be ignored.

You can configure your Cloudflare CDN by logging into cPanel and navigating to Software > Cloudflare. You can then follow the onscreen instructions to ensure Cloudflare is set up correctly for your particular website.

4. Use Plugins and Themes Safely

WordPress has huge directories of themes and plugins that can help you create beautiful, feature-rich websites. However, these third-party extensions can also make your site vulnerable to attack. In 2019, 97.2 percent of WordPress vulnerabilities were related to plugins.

To help protect your website, you should only install plugins from reputable sources. Wherever possible, we recommend using the official WordPress Plugin Repository, as it has strict security guidelines:

Alternatively, you can purchase themes and plugins from reputable third-party marketplaces such as CodeCanyon. Even if you’re using a quality source, it’s still smart to evaluate the theme or plugin, including examining when it was last updated:

We also recommend checking the software’s reviews, particularly the most recent ones. A spate of negative comments may indicate a security issue with the latest release.

Themes and plugins also add code to your site, which may contain vulnerabilities. A responsible developer will work hard to close any security loopholes discovered in their theme or plugin, and will often release an update that contains a solution for any recently-discovered vulnerabilities. For this reason, it’s important to keep your themes and plugins up-to-date.

According to WPBeginner, 86 percent of sites are hacked due to outdated software. To minimize your risk, it’s important to install updates as soon as they become available:

At some point, you may no longer require a particular theme or plugin. If you simply deactivate the software in question, then hackers may still be able to exploit its code. For example, hackers commonly target individual PHP files within a specific plugin.

If you simply deactivate the theme or plugin, then those PHP files will remain accessible and will therefore still be exploitable. This means that it’s crucial to delete extensions that you no longer require.

5. Install a Web Application Firewall (WAF)

Themes and plugins can potentially introduce vulnerabilities to your website. Ideally, when such a problem is discovered, the theme or plugin developer will rush to patch the issue and release an update.

However, this isn’t always the case, as some complex vulnerabilities may take time to fix. While we’d always recommend removing insecure software, this isn’t always feasible. For example, perhaps the plugin in question delivers your website’s core functionality.

If you do need to continue using a vulnerable plugin, then you can make it more difficult for hackers to abuse these known security loopholes. One method is to use a Web Application Firewall (WAF) to filter out malicious requests before they reach your WordPress website. This can also protect your site against Cross-Site Scripting (XSS) attacks.

There are several WAF plugins available for WordPress. However, the Wordfence endpoint firewall is a popular option:

After installing and activating Wordfence, it’s a good idea to leave this plugin in Learning More for at least a week before enabling its firewall. This can help you avoid false positives, where Wordfence blocks legitimate activities.

While the plugin is in Learning Mode, you should perform as many different actions as possible on your WordPress website. This gives Wordfence the best possible chance of learning how to protect your site while also permitting normal activity and visitors through its firewall.

You can put Wordfence into Learning Mode by navigating to Wordfence > Firewall. Then open the Web Application Firewall Status dropdown and select Learning Mode:

Save your changes, and Wordfence will start monitoring your site. When you’re ready to take Wordfence out of Learning Mode, you can enable the firewall by navigating to Wordfence > Firewall. Then open the dropdown and select Enabled and Protecting.

6. Activate Two-Factor Authentication (2FA)

It’s important to protect your website with a strong password. However, there are some password-based attacks where the strength of your login credentials has no impact on whether that attack succeeds or fails.

This includes credential stuffing attacks, where a hacker attempts to break into your dashboard using thousands, or even millions of username and password combinations. There are even keystroke logging programs that can monitor your keyboard and record every single thing you type, including your password.

One way to protect against these attacks is to enable Two-Factor Authentication (2FA). After activating this feature, anyone trying to access your WordPress website will need to enter the correct login details and then pass an additional security check – such as responding to a push notification on their phone or entering a code sent to their email address – to access your site.

By activating 2FA, you can make it significantly more difficult for a third party to gain access to your website. You can set up 2FA using a mobile application such as Google Authenticator or Microsoft Authenticator:

After installing your chosen mobile app, GIWS customers can enable 2FA by logging into their accounts and navigating to Account > Edit Account Details. You can then select Security Settings in the left-hand menu:

On the subsequent page, select Click here to enable. You’ll then be guided through the process of linking your WordPress site to your authenticator mobile app:

As part of this process, we’ll provide you with a backup code. If you ever lose access to your authenticator app, then you can use this code to recover your WordPress website. To avoid getting locked out of your site, it’s vital that you make a note of this code and keep it somewhere safe.

7. Consider Disabling XML-RPC

Pingbacks are a way to notify other websites that you’ve linked to their content, and vice versa. By default, they’re enabled in WordPress. While this feature can make it easier to respond to comments that mention your site, it can also make your website more vulnerable to DDoS attacks.

WordPress pingbacks are made possible by the XML-RPC interface. However, an attacker might use this feature to bombard your site with pingbacks. This can overload your server and might even take your site offline. For this reason, you may want to consider disabling the XML-RPC interface using the REST XML-RPC Data Checker.

If you do decide to disable pingbacks, then install and activate this plugin in your WordPress dashboard. Then navigate to Settings > REST XML-RPC Data Checker. Next, select the XML-RPC tab and choose Disable XML-RPC API interface:

Now you just need to save your changes and pingbacks will be disabled for your website. If you don’t want to use a plugin, then you can block all incoming XML-RPC requests before they’re passed to your site.

This technique does require you to edit your site at the code level, so it’s wise to create a full backup before proceeding. If you’re an GIWS customer, we provide two backup tools that you can access via cPanel:

After creating a backup, connect to your server via File Transfer Protocol (FTP) using an FTP client such as FileZilla. You can then open your .htcaccess file for editing and add the following:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Don’t forget to save your changes and re-upload the file to your server. To verify that XML-RPC is now disabled, head over to XML-RPC Validator and enter your website’s URL. If XML-RPC is disabled, then the Validator should display an error message.

8. Remove the WordPress Theme Editor

By default, you can modify your theme using WordPress’ built-in theme editor. While this is helpful for creating custom themes, it’s also a way for hackers to inject malicious code into your website:

If you don’t need the theme editor, then you may want to consider disabling it. This requires you to edit your website’s code, so we recommend creating a backup before proceeding.

To disable the editor, you’ll need to connect to your server using an FTP client. You can then open your wp-config.php file and add the following after the line that reads “That’s all, stop editing! Happy publishing”:

define( 'DISALLOW_FILE_EDIT', true );

Save your changes and the theme editor will disappear from your WordPress dashboard. If you need to restore the theme editor at any point, then simply connect to your server using FTP and remove the line of DISALLOW_FILE_EDIT code.

9. Protect Your Database Against SQL Injection Attacks

A hacker may attempt to gain access to your WordPress account by injecting malicious SQL queries into your MySQL database. Hackers can launch these SQL injection attacks via any content that accepts user input. This includes many website staples, such as comment sections and contact forms.

Since MySQL is vulnerable to injection attacks, it’s important to keep your database up-to-date. It’s also important to protect your MySQL database with a strong password that has no connection to your website, company, or you as an individual. Here, it may help to use a password generator such as Strong Random Password Generator or LastPass:

You can also make it more difficult for hackers to identify your database by using a unique database name. GIWS customers can change their WordPress database name at any point by logging into cPanel and then accessing the phpMyAdmin tool.

In the left-hand menu, select the database that you want to rename. Then open the Operation tab:

Here, enter the name that you want to use and click on Go. When prompted, opt to reload your database.

Conclusion

As one of the world’s most popular Content Management Systems, hackers are always eager to uncover vulnerabilities in WordPress themes, plugins, and core. If a malicious third party does manage to identify a security loophole, they could potentially use it to launch attacks against millions of WordPress websites – including yours.

By following some simple security precautions, you can immediately make your site less vulnerable to attack. It’s important to start with the fundamentals by vetting all of your themes and plugins carefully and installing an SSL certificate. Once you have a strong foundation, we recommend exploring more advanced security tactics, such as enabling 2FA and disabling the theme editor and XML-RPC when possible.

Your choice of hosting provider is also crucial for security. All of our GIWS packages include features, tools, and add-ons specifically designed to help keep our customers safe, including HackScan Protection, Cloudflare, and a dual firewall. Check them out today!

The post 9 Ways to Keep Your WordPress Website Secure appeared first on GIWS Blog.

React is one of the most popular front end frameworks. Unsurprisingly, if you want to use React in your WordPress project, you have lots of options. If you’re feeling overwhelmed by so much choice, it’s understandable – but there’s no need to panic.

In this article, we’ll introduce four React frameworks that you can use in your WordPress projects. We’ll cover the pros and cons of each framework. We’ll also look at some common scenarios where you may want to use one React framework over the other. Let’s get started!

What Is a REST API?

An Application Programming Interface (API) is a set of programming instructions and standards for accessing web-based applications and tools. You can use APIs to communicate with other websites, applications, and services. This includes requesting data from third parties.

Many companies have released their APIs as products that third parties can use. For example, Google has released a wide range of APIs that provide access to their services, including APIs for YouTube, Street View, and Google Play.

REST (Representational State Transfer) APIs are distinct from other APIs. To be considered RESTful, an API must follow specific guidelines. These guidelines help ensure the resulting API is lightweight, flexible, extensible, and secure. These guidelines include a separation between the client and the server, the use of cacheable data wherever possible, and a uniform User Interface (UI).

WordPress has its own REST API. This API was originally developed as a separate feature plugin. However, elements of the REST API were added into the core platform as early as WordPress 4.4. The API was fully integrated into WordPress 4.7, which means that every version of WordPress since then has its own fully-functional REST API.

WordPress’ REST API provides data in JSON format. By default, every WordPress website has JSON data available. Unless the site owner has restricted access to it, it’s easy to see your website’s JSON output – simply enter its URL in the following format:

http://example.com/wp-json/wp/v2/posts

Your browser should now display a series of JSON data related to your site’s recent posts. This data isn’t particularly human-readable, but it’s compatible with a large number of web technologies. Similarly, you can see the JSON output of all your most recent pages, by replacing the /posts part of the URL with /pages.

What Does the REST API Mean for WordPress?

Traditionally, WordPress generated HTML using a theme based on PHP template files. However, the introduction of the REST API removed this dependency on the PHP rendering engine. This opened up lots of opportunities for WordPress developers.

The REST API makes it easier for WordPress to interact with other websites and web applications. This API lets you perform Create, Read, Update, and Delete (CRUD) actions on WordPress content, including posts, pages, and even custom post types. This gives developers an easy way to push and pull data out of WordPress.

WordPress’ REST API can also communicate and exchange data, regardless of the language an external program is using. This has made the WordPress platform far more flexible and powerful, as you’re not confined to any specific technologies or languages.

The REST API makes it easier for developers to display content from an individual website within a multisite setup. It is also possible to display content from separate WordPress websites.

Today, the WordPress REST API is commonly used to separate content from the front end, paving the way for developers to use WordPress as a headless Content Management System (CMS). This is where React comes in.

How React and WordPress Can Help You Create a High-Performing App

The React framework is a JavaScript library. Developers can use this library to build UIs for Single Page Applications (SPAs) within web and mobile environments.

The major aim of developing React was to improve JavaScript’s UI development. Though originally launched for use with Facebook, React is now enjoying a great rate of adoption across several industries. It is also gaining popularity with the WordPress community, particularly with developers who want to set up headless WordPress.

With a headless setup, you can use the WordPress CMS on the back end, then build your front end using practically any development technologies you’d like. React-based frameworks can use the WordPress REST API as an interface to access your website’s data from outside the WordPress framework. This means it’s possible to create an SPA using React, then control the content using the familiar WordPress back end.

React can also make your projects faster by eliminating the need to re-render. Rather than re-loading each page in its entirety, an SPA loads content dynamically. This means the fundamental code of a website is loaded just once. If the state of a component changes, React will re-render the necessary components only.

React has a large and active developer community. Major firms such as Facebook, Airbnb, Dropbox, Netflix, and Reddit use React to build many of their applications. This comes with a lot of perks in terms of development and expert base.

Some of the React frameworks we’ll cover in this article are relatively new. Using cutting-edge technologies may be exciting, but it can also pose problems if you encounter technical issues. You may struggle to find an expert who has the know-how required to help resolve your problem. However, by opting for a React framework, you can request assistance from the large, and growing React community.

What You Should Look for in a React Framework

When using any web technology, it’s important to choose the right framework. Every framework has its own unique set of features, strengths, and weaknesses. Some frameworks are also better suited to particular kinds of projects.

In this article, we’ll share four React frameworks that have plenty to offer WordPress developers. However, the right framework will vary depending on your project. With this mind, here are some things to consider, when deciding whether a particular React framework is right for you:

• The setup process. Some frameworks are easier to setup than others. In particular, you should check whether the framework is pre-configured to work with WordPress. It’s also a good idea to verify whether the framework provides any additional tools needed to build your project.
• The learning curve. Mastering a new technology always requires time and effort, but some frameworks have a steeper learning curve than others. In particular, you should investigate whether there are any additional technologies you’ll need to learn, such as Redux, Webpack, Babel, and GraphQL.
• Compatibility or optimization. All the frameworks in this article are compatible with WordPress. However, some may require additional optimization, in order to deliver the best possible experience. Other frameworks, such as Frontity, are designed with WordPress firmly in mind. Frameworks that are optimized for WordPress shouldn’t require any major additional configuration.
• Flexibility or ease-of-use. Choice is a good thing, but all those extra settings can be confusing. When exploring new technologies, it’s smart to opt for a framework that’s beginner-friendly. However, it’s a good idea to consider how you might use this framework in the future. A framework should offer the advanced features and flexibility you’ll need to support your growing projects.

There’s another major decision to make when choosing your framework. This is the choice between Server-Side Rendering (SSR) and Client-Side Rendering (CSR).

Client Side Rendering or Server Side Rendering?

There are two approaches to rendering content: client-side, and server-side. Both have their own unique strengths and weaknesses.

CSR is where content renders in the browser. Instead of receiving all the content from a HTML document, the browser receives a bare-bones HTML document with a JavaScript file. The rest of the content will then render inside the web browser.

With CSR, the initial page load is typically slower, but subsequent page loads will be faster. A CSR framework can update the UI by re-rendering only the affected DOM element. You don’t have to reload the entire UI following every call to the server. This means the CSR is well-suited to websites that provide rich user interactions, or that feature lots of dynamic content.

The opposite of client-side, is server-side. With SSR, the user makes a request and the server prepares an HTML package for that specific user. The server sends this data to the user’s machine, and the browser then constructs the content and displays the webpage.

The process of fetching data, creating the HTML package, and delivering it to the browser happens very quickly. This means the initial page load is faster, which results in a better user experience.

By reducing page load times, SSR may provide a Search Engine Optimization (SEO) boost. SSR is also good for SEO, as it doesn’t require search engine bots to render JavaScript.

However, with SSR the page rendering is typically slower. New content will also require full page reloads, which can have a significant impact on your website’s performance. For this reason, SSR is better suited to static websites. It also isn’t ideal for sites that feature lots of complex user interactions, or dynamic content.

4 of the Best React Frameworks for WordPress Development

There are lots of React frameworks to choose from. Every project is different, but we’ve collected four React frameworks that we believe have plenty to offer WordPress developers.

1. Frontity

Frontity is an open source framework for React. Unlike other React frameworks that are compatible with WordPress, Frontity was designed specifically for WordPress.org and WordPress.com. This means that Frontity is pre-configured to provide the best possible experience for WordPress users.

As a server-side framework, Frontity stores all your content in HTML, then responds to requests with a fully populated and well-formed HTML page that’s immediately usable. This minimizes your site’s initial load time. The HTML file is also served to search engine crawlers. This keeps search engines such as Google happy, and helps you avoid SEO penalties.

Even if you’re using WordPress for a headless setup, you may still want to use the meta tags generated by a third-party SEO plugin. To help preserve your SEO, the Frontity team has created a REST API – Head Tags plugin. This plugin adds all the meta tags in your website’s HEAD section, to the REST API’s responses.

In addition, Frontity uses Serverless Pre-Rendering (SPR) to render HTML on the fly. By taking this approach, the Frontity team aims to combine the speed and reliability of static rendering with the versatility of dynamic data rendering. A Content Delivery Network (CDN) saves the HTML and serves it as static content.

Frontity is designed to be easy to use. This framework has its own state manager and uses Emotion for the CSS, so you don’t have to learn the complexities of technologies such as Redux. This makes Frontity a good choice for React newcomers, or anyone who’s looking to launch a project quickly without necessarily having to master additional technologies. In fact, you can build a web application using Frontity and WordPress in five easy steps.

2. Gatsby.js

According to a study by Critical Case, a one second increase in page load time can result in 11 percent less page views. If you’re concerned about your site’s performance, Gatsby is a static site generator that places the focus firmly on speed.

Gatsby builds your project into static HTML files that are optimized for performance, and also loads only the necessary CSS, HTML and JavaScript. After your website is loaded, Gatsby will then call upon any additional resources that it requires. This results in faster page loading speeds.

However, Gatsby is geared towards displaying static content. While it does allow for client side code, it has a steep learning curve compared to some other solutions. If you need to display large amounts of dynamic content, Gatsby may not be the best framework for your project.

For newcomers, the Gatsby team provides a helpful starter default project. This project contains code related to your website’s front end, including a site header and page template. It also automatically installs all the modules of code that your project will depend upon. This can save you a considerable amount of time when getting started. If you choose Gatsby as your framework, we’d recommend using the starter default project wherever possible.

However, if you opt for Gatsby you’ll need to trigger a build whenever you update your content. One solution is to deploy your website using the Netlify platform. You can use Netlify to create webhooks that will rebuild your project automatically whenever a new commit is pushed or merged to your repository’s master branch.

Alternatively, you can trigger a build using a WordPress plugin, such as WP Trigger Netlify Build. However, this rebuild process can add considerable complexity to your WordPress projects.

3. Next.js

Next.js is a minimalistic React framework. This framework renders applications on the client-side, but Next.js also supports SSR. This can help preserve your SEO, while also improving your project’s performance. Next.js can deliver an additional performance boost, thanks to its automatic server rendering and code splitting.

However, Next.js is an opinionated framework. This means the framework is designed to be easy to use – as long as you follow the path laid out for you. Deviate from this path, and an opinionated framework can suddenly become much less user-friendly.

This means Next.js isn’t the most flexible solution. For example, you may struggle to use a different router with your Next.js setup.

Before choosing Next.js as your framework, it’s a smart idea to consider how you might develop your project in the future. You can then read through the Next.js documentation, to decide whether this framework is compatible with your project’s roadmap.

If you do decide to use Next.js, you can install all the necessary software and start the development server from the command line. You’ll find detailed, step-by-step instructions, over at the official Next.js documentation.

4. Create React App (CRA)

The Create React App (CRA) is designed to get your React project up and running as quickly as possible. This tool offers a modern build setup with zero configuration. You just need to run a single command, and CRA will set up all the tools you need to start developing.

When you create a project with Create React App, it installs the latest version of React and React-DOM. It also installs the latest version of react-scripts, which is a development dependency that manages the other dependencies involved in starting, testing, and building your application.

CRA generates only the files needed to build your React project. You won’t have access to configuration files such as Webpack, Babel, and ESLint. This is great for anyone who wants to create a project without having to master additional technologies. Since CRA handles much of the configuration and setup for you, you’re free to concentrate on what really matters – building your project.

However, at some point you may need to perform more complex tasks that require access to these configuration files. Although CRA doesn’t provide these files by default, it does have an eject command. This copies all the configuration files and transitive dependencies into your project. However, this is a one-way operation that adds a significant amount of complexity to your project.

CRA projects are rendered on the client-side only. This means CRA isn’t suitable for developing highly-interactive websites, or projects that feature dynamic content. There’s also no code splitting, which is bad news for performance.

CRA is designed with ease-of-use in mind. If you do choose CRA as your React framework, you can create a new CRA project using only a handful of commands.

How to Host Your Completed React Project

Once you’re happy with your web application, you’ll want to share it with the world. Your options may vary depending on which React framework you chose to use in your project.

To provide users with the widest possible choice, the Frontity team ensures that their server code is small enough to work with serverless technologies. This means you can deploy your Frontity project to any Node.js server or serverless provider, including Vercel and AWS Lambda. Alternatively, since you’re using WordPress as the back end you may want to opt for your favorite WordPress hosting solution.

Conclusion

React is a hugely popular front end framework. However, with popularity comes lots of options – and choosing the best React framework for your project can feel overwhelming.

If you’re not sure where to start looking for a React framework, then check out any of the four choices we recommended earlier:

• Frontity. An open source, server-side framework that’s optimized for WordPress.
• Gatsby. A static site generator that prioritizes performance without sacrificing Search Engine Optimization (SEO).
• Next.js. A performance-focused, opinionated framework that transparently handles SSR.
• Create React App (CRA). A zero-configuration framework for when you need to create a React project, fast.

Technologies such as React can significantly boost your project’s performance, but why stop there? By opting for a hosting provider that prioritizes performance, you can supercharge your React project. If you’re lucky, then your hosting plan may even provide Web Hosting Services that are 20X faster than competing WordPress hosting providers.

The post 4 of the Best React Frameworks for WordPress Development appeared first on GIWS Blog.