Saturday, April 30, 2016

Getting Constantly Hacked? How to Stop WordPress Backdoor Exploits for Good

Is a ghoulish hacker haunting your site? Tell-tale signs include constantly getting hacked no matter how often you clean your site, and WordPress telling you there's an extra admin account that isn't actually listed.


OK, so maybe your site isn't actually haunted… but it sure feels like it when your site has a mind of its own! What's more likely is that you have a backdoor security exploit. Fortunately, there are many options for fixing it, no exorcism required.


In this post, we'll look at what backdoor exploits are, how you can recover from one with the help of plugins, reasons why your site got hacked in the first place, and how to secure your site so it doesn't happen again.



What is a Backdoor Exploit?


When your site is compromised and the hacker adds their own way to access your site and the admin dashboard whenever they want, it's called a backdoor exploit. The key here is that the hacker can get into your site without gaining entry through the front-end login page.


It's easier to remember when you think of your site as a house. Everyone you invite over is welcome to enter through the front door, just like your site's login page. But when an intruder cuts out a door at the back of your house and creates their own key for the makeshift door, they can enter your house through this backdoor without you even knowing.


Similarly, a hacker can create a script that acts as a key. They inject it into your site creating their own backdoor so they can gain access whenever they want.


While regular users – along with site admins like yourself – would need to access your site through the login page, the hacker wouldn't need to and this is how they're able to access everything while going virtually undetected.


A hacker can use a program they created to systematically hack into your site, then they most commonly do one of a few things:



  • Upload or create a file in your WordPress site with the backdoor script enclosed

  • Add themselves as a hidden admin, often by piggybacking on your account

  • Execute PHP code that they send through a browser

  • Collect personal information for spam purposes

  • Change anything on your site for their own purposes, often for spamming

  • Send spam emails from your site to look like you are the one who sent it


If a file is added, it's often named to look like it's a legitimate file that's a part of the WordPress core. The file could be named sunrise.php, php5.php, users-wp.php, wp-config.zip or something similar.


While details on detecting a backdoor are covered later on, it's worth noting that some plugins do include a sunrise.php file. Your main clue that it's a backdoor would be that the file isn't located within a plugin folder and instead sits in, for example, the uploads folder. By making the file seem normal, the hacker can go on to infiltrate your site without being detected.


Typically, hackers add the backdoor file to your wp-includes folder or to the themes, plugins or uploads folders under wp-content, but they may also change your wp-config.php file.


Just knowing a hacker could do all this to your site is terrifying and it's a tough pill to swallow especially when you think your site and the WordPress core is bullet-proof because, well, isn't it?



How Hackers Get Into Your Site


WordPress Core


WordPress itself is secure, but there are still ways a hacker can get into your site. This is because improvements to the WordPress core are made on a regular basis, and sometimes these changes introduce unforeseen vulnerabilities.


These vulnerabilities act like plot holes in a movie. Most viewers probably won't notice them as they enjoy the film, but other astute people will.


In WordPress, these bugs are often found through testing and squashed before the code is ever applied to your site, but just like plot holes in a movie, sometimes they're missed during development before anyone can fix them.


Sometimes a new version of WordPress is made publicly available with security holes in it. When hackers find these vulnerabilities, they're able to exploit them to get into your site. Once such a threat is detected, the WordPress security team works on a patch, and the fix is included in the frequent security updates.


Even though security issues could be found, this doesn't mean WordPress isn't secure. If you keep it up to date, then it is secure since it won't include any known vulnerabilities.


If you don't regularly update your WordPress site, the security fixes aren't applied and your site would still have the same vulnerabilities that came with the version of WordPress you're using. A hacker could then use the security hole to get into your site.


Plugins and Themes


This also applies to plugins and themes. Sometimes, they also include vulnerabilities and unless you update them regularly, the bugs won't be squashed and a hacker could use them to burrow into your site and gain unauthorized entry.


Not all themes and plugins are created equal, either, since they're all made by independent developers or companies. While there's a screening process a plugin or theme needs to go through to be publicly accessible through the official WordPress directories, a hacker could inject malicious scripts into one after the fact, and that code would be released to all of its users.


Some plugins or themes could be released even though they're not coded well. While the screening process includes a list of best practices that a submission has to pass in order to be accepted, it's more of a bare minimum requirement and it's highly recommended that submitted plugins and themes exceed all the expectations.






An illustration of a scared WordPress user.
It can be scary to think plugins could be vulnerable, but most are secure.



While so many plugin and theme authors pass with flying colors, not all of them do. Regardless, the submission is passed on to the public. This is why it's incredibly important to only download and use plugins and themes from developers and companies you trust and that have a good reputation overall.






While vulnerabilities are often found in plugins and themes, it's usually because there's no shortage of hackers to find these security holes in order to exploit them. Most developers and companies jump to work to fix the bug and release a patch quickly and these are the authors you can trust.


Even so, most developers submit plugins and themes on a volunteer basis, and regular maintenance is something they can only afford to do in their spare time, after their day job. This means a vulnerability could go unfixed for a while, and that's when you would need to find an alternative that still suits your specific needs.


The Need for Speed … and Security


It's important to keep your plugins, themes and site fully up-to-date, but it's not enough to do this at your leisure. As soon as an update becomes available, you need to upgrade as soon as humanly possible. The longer you wait to do it, the longer a hacker has to find out your site is vulnerable and attack it.


While keeping your entire site up-to-date is crucial, it's not the only security measure you should take. Hardening your site's security is another important step. This means taking extra security precautions to ensure your site stays safe.


This can include installing a security plugin like Defender, making manual changes to your site or using strong passwords to only name a few.


You can also check a few of our other articles such as Give Hackers the Smack-Down with Defender, WordPress Security: Tried and True Tips to Secure WordPress and 12 Ways to Secure Your WordPress Site You've Probably Overlooked for more details.


If you don't harden your site's security, you could leave your site wide open for hackers to easily saunter through, especially if you're using passwords that are easily guessable such as “password,” “wordpress123,” or “adminpass.” Using an insecure password like these would be the equivalent of leaving a key hung to the door knob of your house.


Bottom line: Not following security best practices or neglecting to keep your site, plugins and themes up-to-date can ultimately lead to your site being compromised with a backdoor exploit.


Disaster Recovery Plan


If you suspect your site has been hacked with a backdoor exploit, there are ways of checking, but before you do, you should make a full backup of your site. Even though your site could be hacked, there's still a chance things could get worse before they get better.






An illustration of a hard drive with a solid green light indicating it's secure and backed up.
Snapshot Pro is our premium backup solution.


Having a backup can be helpful. If you accidentally make a mistake while doing some detective work, your backup acts as your fail safe.


You can restore your site back to the point where you started and continue investigating from there as if nothing else happened. If you don't have a current backup solution, you ought to take a look at some options.







Sure, a clean backup of your site is loads better, but having an imperfect backup is better than none at all. (You can also check out a couple of our other posts including How to Backup Your WordPress Website (and Multisite) Using Snapshot and 7 Top Premium and Freemium WordPress Backup Plugins Reviewed for details.)


Detecting and Deleting Malicious Scripts


Once you have your backup, you can do some detective work and check for backdoors by looking for some telltale signs.


A Bug's Birth Announcement


First and foremost, try to find announcements of recent vulnerabilities in the WordPress core, plugins or themes from either the developers themselves or from security blogs such as the ones on the WordFence and Sucuri sites. You could also sign up for email updates such as for our own WhiP newsletter to get notified of any recent security issues.


You could also check out the WordPress Trac site for open tickets relating to any plugins or themes you have installed as well as for WordPress itself.


If you see information about a vulnerability that could relate to you, look into it and see if there's a solution.


Does Your Site Look Hacked?


In the event you don't find anything, try clearing your cache and cookies, then visiting your site. If you're like me and you don't want to live without your passwords being automatically saved to the login forms on all the sites you visit, you can use a different browser or open an incognito tab in Chrome.


If there's a message letting you know it's not safe to proceed to the site, then that's your first clue.



A Chrome browser error message when trying to visit a site:
If you visit your site and see a message saying your site isn't safe, you may have been hacked.


This could be a case of your SSL certificate not working properly. If you see a yellow or red padlock next to the URL in your browser's address bar, click on it to see the specific error message.


If your certificate has expired or is invalid, it could be an issue with your SSL certificate that can be fixed. Our post How to Use SSL and HTTPS with WordPress has details on what to do to solve certificate errors.


If you see an error message warning you that the certificate isn't trusted or you don't have SSL encryption installed, then you may have been hacked. The next step in your investigation would be to try to look through your site and see if you see any spam in your comments, but especially in your posts or pages.


A white screen of death could also be a sign of a hacker, but could also be a common issue that can be quickly resolved. Our post Troubleshooting White Screen of Death Errors in WordPress has more details on this kind of error.


Also, try visiting one of your posts and copy the link. Open Facebook and paste the link into the status form. Instead of posting the link, wait for the site preview to load. If the description looks like spam, then a hacker has placed it into your site's header script.


Checking for Ghost Users


Even if you find spam all over your site, your detective work isn't over yet. Go to Users > All Users in your admin dashboard.


At the top of the page, look at the total number of admin or super admin users you should have, then look for them on the list.






On the user list, there are two super admins indicated.
If you don't have all your super admins listed, you have a backdoor exploit.



If there's at least one extra admin account that's not on the list, then you have a backdoor exploit.


Take the image on the left, for example: if (2) is shown next to Super Admins but only one is listed on the page, then the hacker has created an extra hidden user.






Be sure to also check the total number of users displayed at the top against all the users on the list. The hacker may have created an account with a different user role so as not to arouse suspicion. Even if this is the case, the backdoor could still grant them access to everything.


You can also try logging into the admin dashboard. If this isn't possible even after you try recovering your password, that's another sign you have been hacked.


Investigating Files


There's one last place you need to check and that's in your site's files.


In cPanel, go to Files > File Manager and check the files you have listed as a part of your site against the WordPress Files list in the Codex. If you see anything that isn't supposed to be there, view the file's contents safely by clicking on the file on the list, then selecting Edit at the top of the page.


View the code in the file. If you see a script that doesn't look like it belongs to WordPress, you have likely found a backdoor. You may be able to tell by looking for a line similar to eval($_POST['hacker-key']); or eval(base64_decode("hacker-key")); where hacker-key is a string of letters, numbers and other characters. These are signs of a hacked site and a backdoor.


In some cases, this kind of code may be used legitimately in plugins, for example, but most of the time it's a sign of a hacked site. This kind of code lets a hacker inject scripts into your site.


Delete the backdoor file and search for any other like it. Hackers often place many of these among your regular files so there's more of a chance you miss one and leave it for them to use later.


Now, download a fresh copy of WordPress to your computer from WordPress.org. Extract it and compare each clean file to the files in your public-facing site. If you see any major differences, upload a fresh copy of the file to your server while replacing the old one.


You should also do this with all the plugin and theme files as well.
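To show what that comparison looks like as a script rather than file-by-file clicking, here is an added example in Python (my own code, not part of the original post or of WordPress). It hashes every file under a clean extracted copy and under your site's web root, then reports files that differ, files present only on the site, and files missing from it. The directory layout, file names and contents in demo() are constructed for the example. Note that wp-config.php and anything under wp-content (your own themes, plugins and uploads) will always show up as extra because the clean download doesn't contain them, so those need the same check against fresh copies of each plugin and theme, as described above.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, site_root, ignore_prefixes=()):
    """Compare a clean WordPress extract with the live site tree.

    Returns paths whose contents differ ("modified"), paths only on the
    site ("extra", where planted backdoors such as php5.php show up) and
    paths only in the clean copy ("missing"). Paths starting with any of
    ignore_prefixes (e.g. "wp-content/uploads/") are skipped on the site side.
    """
    clean = hash_tree(clean_root)
    site = {p: h for p, h in hash_tree(site_root).items()
            if not p.startswith(ignore_prefixes)}
    return {
        "modified": sorted(p for p in clean if p in site and clean[p] != site[p]),
        "extra": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }


def demo():
    """Build two small constructed trees (stand-ins, not real WordPress files)
    and compare them: one core file is altered and one file has been added."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        site = Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-settings.php").write_text(
                "<?php // constructed stand-in for wp-settings.php\n")
        (clean / "wp-includes" / "functions.php").write_text(
            "<?php // constructed stand-in for functions.php\n")
        (site / "wp-includes" / "functions.php").write_text(
            "<?php // constructed stand-in for functions.php\n"
            "// extra line that was appended on the live site\n")
        (site / "wp-includes" / "php5.php").write_text(
            "<?php // file that does not exist in the clean copy\n")
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        return compare_trees(clean, site, ignore_prefixes=("wp-content/uploads/",))


if __name__ == "__main__":
    result = demo()
    for kind in ("modified", "extra", "missing"):
        print(f"{kind}: {result[kind]}")
```

Run it against real trees with compare_trees("/path/to/clean/wordpress", "/path/to/your-site"), and review every path in all three lists; a missing core file is as suspicious as an extra one, since attackers sometimes replace a file rather than add one.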


Conducting a Search via SSH


I know, searching through each and every file is tedious, to say the least, and there's an easier way, which is to conduct a search of your site via SSH. (A search warrant isn't required.)


Please keep in mind that the commands below may not work for all SSH clients or all types of servers, so if they don't work for you, check your SSH client's documentation or the official site for your server type.


Once you're logged into your favorite SSH client like Terminal for Mac or PuTTY for Windows, you can search for possible problem files with a command similar to this one:




This will list all PHP files in your site that have been modified in the last 30 days. Just be sure to replace /path/to/your-site with the actual path to your site, as you probably can imagine. You can also change php to a different file extension to search more thoroughly.


Once you find files that have been modified, sift through the list, find the ones that you know you didn't modify yourself and make a note of them. Once you have a complete list, you can search each of these files for malicious code.


Go to the directory the first file is in on your list with the cd ~/folder-name/ command, where folder-name is the name of the directory the file is in. Then, enter vi name.php to view the file's contents. Don't forget to replace name with the real name of the file.


From here, you can compare the file with a fresh one to see if any changes have been made. If needed, you can edit the file and enter :wq to save and quit. You can also quit without saving with :q and delete the entire file by entering rm -rf name.php, replacing name with the actual file's name.


There are also many more search tips listed in our post How I Cleaned Up My WordPress Site After It Was Hacked and Blacklisted that you could try including using grep.
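As an added example (not from the original post or from any of the tools it mentions), here is a small Python scanner that performs the same two steps in one go: find the .php files modified in the last 30 days, then grep each of them for the eval() constructs described in the Investigating Files section. The file tree in demo() is constructed for the example, and the 'hacker-key' string is the post's own placeholder. The pattern list goes slightly beyond the post by also catching eval() fed from $_GET, $_REQUEST and $_COOKIE.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Tell-tale constructs described above: eval() fed from a request variable,
# or from a base64-decoded string. A small constructed list, not a full
# malware signature set.
SUSPICIOUS_PATTERNS = [
    re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
]


def recently_modified(root, days=30, ext=".php", now=None):
    """Files under root with the given extension whose mtime falls within
    the last `days` days. Equivalent to:
        find /path/to/your-site -name '*.php' -mtime -30
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(p for p in Path(root).rglob(f"*{ext}")
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def suspicious_lines(path):
    """(line number, line) pairs in `path` that match any pattern."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if any(pat.search(line) for pat in SUSPICIOUS_PATTERNS):
                hits.append((number, line.rstrip("\n")))
    return hits


def scan(root, days=30):
    """Map relative path -> suspicious lines, for recently modified PHP files only."""
    root = Path(root)
    report = {}
    for path in recently_modified(root, days):
        hits = suspicious_lines(path)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Constructed site tree: an old core file, a freshly changed legitimate
    file, and a fresh file in uploads carrying the eval() constructs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)

        core = root / "wp-settings.php"
        core.write_text("<?php\n// untouched core file, last changed a year ago\n")
        year_ago = time.time() - 365 * 86400
        os.utime(core, (year_ago, year_ago))  # push its mtime out of the 30-day window

        (root / "wp-includes" / "functions.php").write_text(
            "<?php\nfunction wp_example() { return 1; }\n")  # recent but harmless

        (root / "wp-content" / "uploads" / "sunrise.php").write_text(
            "<?php\n"
            "$k = 'hacker-key';  // constructed sample, placeholder string\n"
            'eval(base64_decode("hacker-key"));\n'
            "eval($_POST['hacker-key']);\n")
        return scan(root, days=30)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for number, line in hits:
            print(f"  {number}: {line}")
```

Timestamps are cheap for an intruder to reset, so a file that falls outside the 30-day window can still be a backdoor; treat this as a triage pass and back it up with a comparison against a clean copy of WordPress.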


Find that Ghost Admin


If you noticed that there's an extra admin account that's not actually listed with a username in your back end, you can find the hidden account or user in your database.


Log into your phpMyAdmin account and click your site's database from the list on the left, then click on the wp_users table. A list of the user accounts should load for you.


Check if any of the accounts shouldn't be there. If you find one, click the Delete button to remove it. If not, click the wp_sitemeta table on the left, since you need to check the data listed for each user for signs of tampering.


Check the site_admins field and look for an unknown username listed. If you have a hidden admin account created by a hacker, you should see something similar to this:




The hacker part would be any admin username you don't recognize. To get rid of the admin account, click Edit next to the site_admins field and delete the portion that the hacker added until it looks similar to the example below:




If you already had more than one admin account, and there was an extra one tagged along, then you can safely delete the i:1;s:6:"hacker"; portion of the field, keeping in mind that the hacker username may be different.


Once you have made the changes you need, make sure Save is selected in the drop-down box at the bottom of the page and click the Go button. The hacker's account is gone, but you should still


If you only had one admin account to begin with and they hijacked it, you can check out this post for details on how to fix it: Hacked? How to Get Back Into the WordPress Admin.


The hacker's account would be gone at this point, but you should still do a thorough check on your site since there are other changes the hacker could have made.
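The site_admins value is a PHP-serialized array, so the count at the front (a:2:) and the byte length before each name (s:6:) have to agree with what's left after you delete an entry; otherwise WordPress can't unserialize the field at all and you lose your super admin access. As an added example (my own code, not from the post or from WordPress), here is Python that parses the value, removes any username not on a list you supply, and re-serializes it with the count and indices fixed. The sample values are constructed, and the "hacker" username is the post's placeholder. Note too that wp_sitemeta and site_admins exist only on a Multisite network; a single-site install keeps its administrators in wp_users and wp_usermeta instead.

```python
import re

# Shape WordPress writes for site_admins: a:N:{i:0;s:L:"name";i:1;s:L:"name";...}
_HEAD = re.compile(rb"a:(\d+):\{")
_ENTRY = re.compile(rb'i:(\d+);s:(\d+):"')


def parse_site_admins(serialized):
    """Turn the serialized site_admins value into a list of usernames.

    Works on bytes because PHP's s:N is a byte length, not a character
    count. Raises ValueError when the count or a length doesn't match,
    which is exactly the state a careless manual edit leaves behind.
    """
    data = serialized.encode("utf-8")
    head = _HEAD.match(data)
    if head is None:
        raise ValueError("not a serialized PHP array")
    count = int(head.group(1))
    pos = head.end()
    names = []
    for _ in range(count):
        entry = _ENTRY.match(data, pos)
        if entry is None:
            raise ValueError(f"declared {count} entries but found only {len(names)}")
        length = int(entry.group(2))
        start = entry.end()
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"declared length {length} does not match the string at offset {start}")
        names.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("unexpected data after the last entry")
    return names


def serialize_site_admins(names):
    """Rebuild the value with consecutive indices and a correct count."""
    body = b"".join(
        b'i:%d;s:%d:"%s";' % (i, len(n.encode("utf-8")), n.encode("utf-8"))
        for i, n in enumerate(names))
    return (b"a:%d:{%s}" % (len(names), body)).decode("utf-8")


def remove_unknown_admins(serialized, known):
    """Keep only usernames in `known`; return (new value, removed names)."""
    names = parse_site_admins(serialized)
    kept = [n for n in names if n in known]
    removed = [n for n in names if n not in known]
    return serialize_site_admins(kept), removed


def demo():
    """Constructed site_admins value with one legitimate super admin and
    the post's placeholder 'hacker' account appended."""
    tampered = 'a:2:{i:0;s:5:"admin";i:1;s:6:"hacker";}'
    return remove_unknown_admins(tampered, known={"admin"})


if __name__ == "__main__":
    cleaned, removed = demo()
    print("removed:", removed)
    print("new site_admins value:", cleaned)
```

Paste the returned value back into the site_admins field in phpMyAdmin exactly as printed, with no added whitespace, and keep a copy of the original value so you can restore it if your own super admin username was mistyped in the known list.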


The Roadrunner's Quickest Solution


All these search tips aren't an exhaustive list of files and code you should look out for, plus it's an exhausting task. Be ready to clear your day.


For most people, this just won't do and that's why using a plugin to do the searching for you can be of enormous help here. You can scroll down for a list of plugins and you can pick the one you're most comfortable with to install on your site.


A straightened paperclip being pushed into a pin-sized reset button.

Doing a Clean Sweep of Your Site


Sure, these steps help to clean your site, but sometimes the best way to really be sure the backdoor exploit is gone is by just starting fresh. If you delete everything and start over from scratch, you can rest easy knowing your site is hacker and backdoor-free.


For details on how to delete your WordPress site and start over, check out our post How to Reset Your WordPress Website.


You can also restore a previous backup that you know is clean. We also have posts that include how to get this done that you can check out: How to Backup Your WordPress Website (and Multisite) Using Snapshot and Backup Plugins Aren't About Backing up, They're About Restoring.


These are the easiest and best options, but you could also use plugins to clean your site quickly if these options just aren't possible for you.


Make Quick Work of Cleaning


Using a plugin to search your site for traces of a hacker is the best and easiest option if you need to keep your site otherwise intact. Here are some excellent plugins you can choose from to automatically search your site and notify you of any changes.


If the plugin detects something fishy, it should let you know and even offer to fix it for you.


These free and premium plugins should work great on both single and Multisite installations of WordPress. They're also updated frequently to ensure your site stays secure.


  • Defender

    Defender plugin

    Once installed and activated, you can run a scan and see if there are any files that aren't a part of the WordPress core. You can also see which core files on your site are different when compared to a clean copy.


    You can see first hand which files have been corrupted, on either your single WordPress install or on all the sites in your Multisite network. When you activate Defender network-wide, you won't have to worry about manually checking all your subsites after you have checked your main one.


    This plugin is also easy to install and configure. It also tells you how you can up your game and smack down security threats. In a few clicks, your site or network's security can be hardened and prepared to block future attacks.


    The best part is if you're currently a WPMU DEV member, Defender is already included in your subscription. If you're not a member yet, you can try out Defender and all WPMU DEV plugins and themes for free with our 14-day trial.


  • VaultPress

    VaultPress plugin

    With VaultPress, you can protect your site from threats and check core files for changes. You can also bundle features to get security and backups of your site in one premium subscription.


    It's easy to install and use and it works well. While it can't check your custom files for issues, it does an excellent job protecting your site.


    It's also compatible with Multisite, but each subsite needs its own licence.


  • Sucuri Security

    Sucuri plugin

    The Sucuri Security plugin can check your site for malware and hacks, then clean your site so it's good as new. It also includes a lot of comprehensive features such as an SSL certificate, firewall protection as well as protection against new incoming threats.


    It's a plugin that's popular and trusted by many WordPress site owners. If you want to give this premium plugin a test drive before committing, you can try the free version in the WordPress plugin directory.


  • Wordfence Security

    Wordfence plugin

    Wordfence can detect changes in all your files and clean up your site if you have been hacked. It also protects your site from many angles.


    It includes a firewall and receives updates with the latest fixes for vulnerabilities as soon as they come out, so your site is as prepared as possible for future attacks.


    It's Multisite compatible and easy to install and configure. There are a lot of options, but they're fully explained in tooltips, so it's not so difficult to keep up.


    It's a top quality premium plugin that's also widely popular and you can try it out by installing the free version available on WordPress.org.


    You can also check out our Wordfence Security plugin review for more details.


  • iThemes Security

    iThemes Security plugin

    iThemes Security can detect and clean up corrupted files in a couple clicks and it can also protect you from new attacks including ones of the brute force variety.


    You can also increase the overall security of your site with cool features such as hiding the standard login page, changing the WordPress security keys and the option to bundle full site backups.


    It's a premium plugin that's also Multisite compatible so you can protect your entire network. If you would like to give it a test drive, you can download it for free (with some limitations) from the WordPress plugin repository or check out our iThemes Security review of the free version.


  • BulletProof Security

    BulletProof Security plugin

    BulletProof Security is a free plugin that can scan your files for issues and quarantine them so the rest of your site doesn't go kablooey before you can fix the problem. It also does a great job of protecting your site and includes firewall protection.


    It's Multisite compatible and is incredibly easy to set up. The setup could even be considered as being easier than installing it – and adding it to your site is as straightforward as most other plugins.


    If you want to upgrade to the premium version, you can also get protected against spam, and perform backups and also restore your site.


  • All in One WP Security & Firewall

    All in One Security Firewall plugin

    This plugin is free and it doesn't have a premium version so you can be sure that you're not going to be limited when it comes to functionality. As the name suggests, it includes firewall protection and also protects both your site's files and database.


    It can scan your site for threats and also protect you from the latest threats. It checks for changes in your files and database while also notifying you if changes were detected. All in One WP Security and Firewall does a great job of protecting your site, but it may be at its best when installed on a clean site, although, if you disagree, please let me know why you love it for cleaning up a hacked site in the comments below.


    This plugin is as easy to install as any typical plugin, but it's best for single WordPress installs.


  • Shield WordPress Security

    Shield WordPress Security plugin

    Shield WordPress Security is a free plugin that includes protection from the latest threats and also includes a firewall. Its settings are also easy peasy, so you won't have to worry about accidentally breaking your site.


    The cool thing about this plugin is that it's also a spam-fighting, automatic-updating machine. You won't have to worry about installing separate plugins for spam comment blocking or for automating updates since having too many plugins on your site can cause it to be slow.


    It's best to use this plugin on single installs of WordPress, but it sure does install easily.



Keeping Your Site Secure


Once your site is all cleaned up and your hacker's out of there without a trace, it's still important to keep an eye on your site regularly to make sure your site isn't hacked again.


Apart from keeping your site and the trusted themes and plugins you're using updated regularly, you should install a security plugin if you haven't already. It can automatically check your site on a regular basis, notify you and even block incoming threats.


Once you have a security plugin installed, you shouldn't have to worry about hackers breaking into your site again, ghost or otherwise.


For more security tips, check out these posts: WordPress Security: The Ultimate Guide, Give Hackers the Smack-Down with Defender and Hacked? How to Clean Your Site and Get Off Google's Blacklist.


Have you ever been hacked and was it with a backdoor exploit or something else? Have you been able to recover after being hacked? What did you do? What do you consider to be your best tips on cleaning your site and detecting a backdoor exploit? Feel free to share your experience in the comments below.


5 Best WordPress Ecommerce Plugins Compared – 2016

Are you looking to build an online store? Want to know which is the best WordPress eCommerce plugin? Choosing the right eCommerce plugin is crucial for your business because a better platform means more opportunity for growth. In this article, we will compare the 5 best WordPress eCommerce plugins for 2016.


Best WordPress eCommerce Plugins


What to Look for in a WordPress eCommerce Plugin for Your Site?


There are plenty of WordPress eCommerce plugins in the market. But not all of them have the essential set of features you would need to start your eCommerce site.


Some eCommerce plugins are good for selling digital goods like eBooks, photos, music, etc., while others are better suited for selling physical goods that need shipping and inventory management. There are also eCommerce plugins that are good at both.


You need to choose a plugin depending on what you will be selling and what kind of features you would need to efficiently run your online store.


Next, you need to consider which payment gateways you will utilize to accept payments. Make sure that the plugin you choose supports those payment gateways by default or through addons.


Your eCommerce plugin will not come with a theme. You would need to see that the plugin you choose has themes that work with the plugin. See our guide on how to choose the perfect WordPress theme.


It is impossible for an eCommerce plugin to have all the features. Most of them solve this problem by addon plugins. These addons extend the functionality of your eCommerce plugin. Make sure that there are enough addon plugins to connect your WordPress eCommerce website with other services.


Last but not least, you need to see what kind of support options are available for the plugin. Even if you will be hiring a developer to work on your site, you would still need help from time to time. Make sure that the plugin has a support system where you can get help.


What Do You Need to Run an eCommerce Website?


Ecommerce websites are resource intensive, so the first thing you will need is the best WordPress hosting that you can afford.


If you're on a budget, then you can start with Bluehost. The Ecommerce plan comes with an SSL certificate, which you need to collect payments securely, a dedicated IP, and a dedicated support line. They also install WooCommerce by default, which, as you will find out in this article, is the most powerful WordPress eCommerce plugin.


If budget is not an issue, and you want the best performance, then we recommend using a managed WordPress hosting provider like WPEngine.


Next, you will need to choose a domain name for your website. Here is our guide on how to pick the right domain name for your eCommerce site.


Lastly, you will need to choose the essential business plugins you will need, such as OptinMonster, which helps you reduce shopping cart abandonment and increase sales.


That said, let's take a look at the best WordPress eCommerce plugins.


1. WooCommerce


WooCommerce


WooCommerce is the most popular WordPress eCommerce plugin. It was acquired by Automattic (the company behind WordPress.com blog hosting service) in 2015.


There is a large number of addons and themes available for WooCommerce. It also has a large and passionate user and developer community behind it.


Pros of Using WooCommerce


Here are some of the advantages of using WooCommerce as your WordPress eCommerce plugin:


Extensions and Themes – There are hundreds of extensions and themes available for WooCommerce, which makes it easy for you to add new features to your eCommerce site. Large collection of themes means you have tons of options when choosing your site's design and layout.


Supports Both Digital and Physical Goods – With WooCommerce you can sell physical as well as digital downloads (such as ebooks, music, software, etc.). With Envira Gallery's WooCommerce integration, you can easily sell photos from your website as well.


Sell Affiliate or External Products – Using WooCommerce, you can add affiliate or external products to your site. Affiliate marketers can create product sites and provide users a better experience.


Complete Inventory Management – WooCommerce comes equipped with tools to easily manage your inventory or even assign it to a store manager.


Payment and Shipping Options – WooCommerce has built-in support for popular payment gateways, and you can add many other payment options using extensions. It can also calculate shipping and taxes.


Support and Documentation – There is excellent documentation available online for WooCommerce. Apart from documentation, there are a knowledge base, a help desk, and community forums available.


Cons of Using WooCommerce


Too Many Options – WooCommerce is very easy to use, but the number of options available on the settings page can be quite intimidating for a new user.


Finding Addons – There are lots of addons available for WooCommerce, but sometimes a user may not find the right addon for the features they need.


Theme Support – WooCommerce works with any WordPress theme, but it is not always as easy to set up or as good looking with every theme. You need a WooCommerce-ready theme to take full advantage of its features without too much hassle.


WooCommerce is the perfect choice for any kind of eCommerce website. It has a large community of developers and users, lots of addons and themes, excellent support for multilingual websites, and the best free and paid support options.


2. Easy Digital Downloads




Easy Digital Downloads allows you to easily sell digital downloads online using WordPress. It is very easy to use and comes with powerful features to create a beautiful and functional digital goods store.


We use Easy Digital Downloads to sell our software like WPForms, SoliloquyWP, etc.


Pros of Using Easy Digital Downloads


Designed To Sell Digital Goods – Easy Digital Downloads is built from the ground up to sell digital downloads. Unlike eCommerce plugins that can be used to sell all kinds of products, EDD provides a far better experience for selling digital goods.


Easy To Use – Easy Digital Downloads is very easy to use; from the start you will instantly figure out how to add products and display them. This is really useful for first-timers.


Extensions – There are hundreds of extensions available for Easy Digital Downloads, including addons for many payment gateways, platforms and services, and addons that add extra features.


Themes – Easy Digital Downloads works with almost any WordPress theme; however, if you have not chosen a theme yet, then Easy Digital Downloads has themes built specifically for the plugin.


Awesome Support – The plugin is very well documented, and you have free support forums, videos, tutorials, and even an IRC chatroom. There is also a priority support option for premium users.


Cons of Using Easy Digital Downloads


Digital Downloads Only – As the name suggests, Easy Digital Downloads makes it easier to create eCommerce sites for digital goods. But if you want to sell non-digital goods along with digital downloads then it will become quite complicated.


Selling External Products – If you want to add an external product or an affiliate product to your EDD store, then you will need to install a third-party add on for it.


When it comes to selling digital products online, we believe that Easy Digital Downloads is the best plugin to do that. We have used Easy Digital Downloads with great success, not only on client sites but also on a few of our own projects.


3. iThemes Exchange




Created by the folks behind the extremely popular BackupBuddy plugin, Exchange is a strong contender in WordPress eCommerce platforms.


Pros of Using iThemes Exchange


Multiple Product Types – iThemes Exchange supports both digital downloads and physical goods. It also has a paid addon to sell memberships and subscriptions on your website.


Easy and Quick Setup – Upon activation, it takes you directly to a setup wizard where you can quickly set up your site by choosing what you are going to sell and how you will receive payments.


Intuitive UI – iThemes Exchange offers a very nice user interface to add products and manage your eCommerce store.


Free Stripe Addon – Most other plugins in our list charge $40-$80 for a Stripe addon; iThemes Exchange has a Stripe addon available for free and for unlimited sites.


Cons of Using iThemes Exchange


Smaller Community – iThemes Exchange is younger than many other popular eCommerce plugins. Even though there is plenty of documentation, support, and addons available for it, you may feel that their community is still growing.


We feel that iThemes Exchange is a strong contender in the market with lots of potential. We would recommend it for users who know what they will be selling and how they will be getting paid. The easy and quick setup wizard makes it a good choice for new users who don't want to be bothered by too many options.


4. Shopp




The fourth contender in our list of best WordPress eCommerce plugins is the Shopp plugin. Let's take a look at some of its pros and cons.


Pros of Using Shopp


Separate Tables in Database – The developers of the Shopp plugin believe that by using separate tables in the database they improve database performance, which results in faster queries and faster page loads for users.


Multiple Product Types – The Shopp plugin supports physical, digital, and virtual product types. Unlike other plugins on this list, the Subscription product type in Shopp allows you to sell products with recurring payments without buying an extension.


Security and Compliance – The Shopp plugin is designed to be PCI compliant. The plugin pays special attention to security and safety, which helps you create a PCI-DSS compliant eCommerce store.


Cons of Using Shopp


Limited Free Support – The most important disadvantage of using the Shopp plugin is that it has no free support forums. You will have to pay for support and access to the community forums.


Creates Separate Tables – While we have already listed this feature as an advantage, it could also be a disadvantage. We do not think that using separate database tables significantly affects speed of a website.


Limited Themes – The Shopp plugin works with any WordPress theme out of the box. However, if you are looking for themes designed specifically for Shopp, then there are very few options available.


Shopp is a great plugin to sell anything you want. But if you are a new user, then you would probably need to buy their premium support subscription. You may also want to use Shopp if you feel that other plugins are not helping you get certified for PCI-DSS compliance.


5. Shopify




Shopify is a fast growing eCommerce platform that handles everything for you. Although it is a standalone service, it does come with a WordPress integration. Let's look at the Pros and Cons of Shopify.


Pros of Using Shopify


Super Easy for Beginners – No need to worry about the technical aspects of an eCommerce store such as setting up SSL, integrating with different payment gateways, handling shipping, worrying about taxes, etc. Shopify handles it all.


Supports Both Digital and Physical Goods – Whether you're selling physical goods like shirts or digital downloads like music, Shopify can handle it all.


Complete Inventory Management – Shopify comes with an inventory editor and bulk importer combined with an order tracker which makes managing inventory a breeze.


Payment and Shipping Options – Shopify makes it easy for you to accept credit cards both online and in person. Their shipping system streamlines your fulfillment process with direct integration with popular providers like USPS.


Facebook Store, Buyable Pins, and Twitter Buy Buttons – Shopify integrates with everything. Whether you want to create a Facebook store, add a buy button on Twitter, or create buyable Pins on Pinterest, you can do it all with Shopify.


Cons of Using Shopify


Monthly Platform Fee – Shopify charges you a monthly fee to use their platform which is comparable to purchasing hosting and individual addons using the other plugins in this list.


Shopify Payments – Shopify encourages you to use their payment platform which is powered by Stripe and is a very good option for beginners. However if you want to overcomplicate things and use external systems, then Shopify charges you an additional fee.


If you want to have a powerful platform without having to deal with technical issues, then Shopify is the solution for you. While the monthly fee sounds bad at first, the hassle-free approach and peace of mind is definitely worth it because it allows you to focus on what you do best, your business!


Conclusion – The Best WordPress eCommerce Plugin is:


If you want maximum control, flexibility, and features, then WooCommerce is the best solution for you.


If you are just selling digital goods, then you should check out Easy Digital Downloads.


If you want a quick setup and ease of use, then Shopify is the best eCommerce solution for you.


That's all, we hope this article helped you find the best WordPress eCommerce plugins for your site. You may also want to see our comparison of the 5 best drag and drop WordPress page builders.


If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.


The post 5 Best WordPress Ecommerce Plugins Compared – 2016 appeared first on WPBeginner.


BobWP Talks Ecommerce And WordPress On Finely Tuned Expert

At WP Engine, we're passionate about helping our customers learn and grow. In keeping with that ethos, we proudly present “Finely Tuned Expert,” a series of interviews with some of the brightest talents in tech, marketing, and (naturally) WordPress.


For this edition of Finely Tuned Expert, we welcome the one and only BobWP, aka Bob Dunn, to the show. Bob's appearance comes on the heels of a speaking engagement at WooConf 2016. Here, Bob discusses his evolution in ecommerce, along with a few tips useful to anyone looking to build a business online.


For more on BobWP, visit bobwp.com or follow @bobwp on Twitter. And don't miss Bob's podcast, “Do the Woo.”



Want more episodes of Finely Tuned Expert? Heck! We can't blame you! All of the episodes including our interviews with WordPress developer Carrie Dils and entrepreneur Syed Balkhi are available on the WP Engine YouTube channel as well as right here on the WP Engine blog.


The post BobWP Talks Ecommerce And WordPress On Finely Tuned Expert appeared first on WP Engine.

15 Reasons to Fall in Love with WooCommerce for Your eCommerce Venture

Many of you are already aware of the phenomenal growth of the eCommerce industry in the past few years, but have you ever wondered how much exactly?

The graph below, courtesy of Statista, gives you a better idea: B2C eCommerce sales alone are projected to reach $1.92 trillion in 2016 and exceed $2.356 trillion by 2018.


Saturday, April 16, 2016

How to Easily Check Which WordPress Version You are Using

Recently, one of our users asked us how to check which WordPress version they were using. Sometimes you may need this information to see if your website is up to date. In this article, we will show you how to easily check which WordPress version you are using.


Finding WordPress version number


First thing you need to do is login to the admin area of your WordPress site. On the dashboard page, scroll down to the bottom.


You will find the 'Thanks for creating with WordPress' line. Next to it, you will see the WordPress version number.


Finding WordPress version inside admin dashboard


On the same dashboard page, you can also find your WordPress version number in the At a Glance admin widget.


In the screenshot above, we are using WordPress version 4.4.2. This is the easiest way to find which WordPress version you are using.


If you can't find WordPress version information in the dashboard, then there are some other ways to find it.


How to Find Out WordPress Version of Almost Any Website


In some cases you may not be able to see the version information in WordPress admin area.



  • Your developer may have disabled version information in the admin area.

  • You may not have Administrator access to the admin area.

  • You are simply trying to find out the WordPress version of a site you don't own or control.


We are assuming that you do not have FTP access to the website and cannot log in to the WordPress admin area.


Please note that these methods may not work on many websites. Some security conscious site owners hide this information to protect their website against common threats.


Having said that, here are some of the methods that you can try to find out the WordPress version of a website.


Method 1: Looking for Generator Tag in Source Code


Simply visit the website in a browser window. Right click on any empty area on the screen and select View Page Source from browser menu.


View Page Source


This will load the site's source code in the browser window. Press CTRL+F and then search for 'generator'.


Looking for generator tag in the source code of a WordPress site


If it is a WordPress site, and if the site owner hasn't disabled version information, then you will be able to see a tag like this:



This meta tag is used by WordPress to show that a site is built with WordPress. Many site owners remove the WordPress version number, so this tag may not show up on some WordPress sites.


Method 2: Viewing readme.html File


Each WordPress installation adds a readme.html file to the website's root folder. Unless the site owner has disabled access to this file, you can view it by adding readme.html to the end of the site's URL.


http://www.example.com/readme.html


The readme file will show you the WordPress version on top.


WordPress readme file


This method may not work if a site is protected by Sucuri firewall.


Method 3: Viewing Source Code of WordPress Login Screen


The source code of the WordPress login screen also contains information that reveals the WordPress version of a website.


However, this method only works if the site owner hasn't disabled access to the login page or admin area via .htaccess.


Simply add wp-login.php to a WordPress site's URL.


http://www.example.com/wp-login.php


When the page loads, right click on any empty area on the screen. Select View Page Source from the browser menu.


This will open the login screen's source code. Press CTRL+F and search for 'ver='. You will notice the version parameter appended to the stylesheet URLs. It would look like this:







Find out Which Plugin Version You are Using


The easiest way to find out which plugin version you are using is by visiting the plugins page in the WordPress admin area.


Finding a plugin's version number


There you will be able to see the plugin version below the plugin name for each plugin installed on your WordPress site.


However, if you don't have access to the admin area, then chances of finding out a plugin's version information are slim.


Some plugins, like Yoast SEO, automatically add version information to a site's source code. You can visit a website, right click in an empty area, and then select View page source from the browser menu.


The tag added by Yoast would look like this:


Meta information added by WordPress plugins


Other plugins load CSS or JavaScript files, and sometimes the plugin's version number is appended to the script or stylesheet URLs like this:


Finding plugin version in code


This is not a reliable method to find out a plugin's version number. For example, the version number could be the version number of the jQuery script a plugin is loading.


Another sneaky way to find out a plugin's version is by visiting the plugin's readme file on the website. If you know the plugin's directory name, then you can try accessing its readme.txt file.


For example, if a site has the free version of WPForms installed, then you can access its readme file like this:


http://www.example.com/wp-content/plugins/wpforms-lite/readme.txt


This method may not work if a site is protected by Sucuri firewall.
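Methods 1 and 3 above, and the plugin section that follows them, both come down to two disclosure channels in a page's HTML: the generator meta tag and the ?ver= query string that WordPress appends to enqueued scripts and stylesheets. The following script is an added example, not code from the article; a site owner can run it over the HTML of their own pages (fetched however they like) to confirm that both channels have actually been suppressed. The two sample pages are constructed for the demo, and example-plugin is a made-up plugin name.

```python
"""Self-check for WordPress version disclosures in a page's HTML.

Added example (not code from the article). It parses HTML you already have,
for instance fetched from your own site, and reports the two disclosure
channels the article describes: the <meta name="generator"> tag and the
?ver= query string WordPress appends to enqueued scripts and stylesheets.
The sample pages below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _DisclosureParser(HTMLParser):
    """Collects generator tags and versioned asset URLs from one HTML page."""

    def __init__(self):
        super().__init__()
        self.generators = []        # content attribute of each generator meta tag
        self.versioned_assets = []  # (url, ver) for every script/link carrying ?ver=

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            ver = parse_qs(urlparse(url).query).get("ver")
            if ver:
                self.versioned_assets.append((url, ver[0]))


def find_version_disclosures(html):
    """Parse one page and return what it discloses through either channel."""
    parser = _DisclosureParser()
    parser.feed(html)
    parser.close()
    return {"generators": parser.generators,
            "versioned_assets": parser.versioned_assets}


def wordpress_core_version(report):
    """Core version named by a generator tag, or None if none is exposed."""
    for content in report["generators"]:
        m = re.match(r"WordPress\s+(\d+(?:\.\d+)*)", content)
        if m:
            return m.group(1)
    return None


def disclosed_versions(report):
    """Every distinct version string the page leaks, from either channel."""
    versions = {v for v in (wordpress_core_version(report),) if v}
    versions.update(ver for _, ver in report["versioned_assets"])
    return sorted(versions)


# Constructed sample: a default-looking page that leaks the core version
# both ways, plus a (made-up) plugin asset carrying its own version.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 4.4.2" />
<link rel="stylesheet" href="https://www.example.com/wp-includes/css/dashicons.min.css?ver=4.4.2" />
<script src="https://www.example.com/wp-content/plugins/example-plugin/js/app.js?ver=1.2.3"></script>
</head><body></body></html>"""

# Constructed sample: the same page after the generator tag and the ?ver=
# strings have been stripped.
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-includes/css/dashicons.min.css" />
<script src="https://www.example.com/wp-content/plugins/example-plugin/js/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_HTML), ("hardened", HARDENED_HTML)):
        report = find_version_disclosures(page)
        print(label, "core:", wordpress_core_version(report),
              "leaked versions:", disclosed_versions(report))
```

On the leaky sample the script reports the core version 4.4.2 from both the generator tag and the dashicons stylesheet, and 1.2.3 from the plugin asset; on the hardened sample it reports nothing. WordPress prints the generator tag from the wp_generator action on wp_head, so a theme or plugin can drop it with remove_action('wp_head', 'wp_generator'), and the ?ver= strings can be stripped through the script_loader_src and style_loader_src filters. Hiding the number only removes a convenience for whoever is probing; keeping WordPress and its plugins updated is what actually closes the gap.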


That's all, we hope this article helped you learn how to check which WordPress version you are using. You may also want to see our expert tips and hacks to protect your WordPress admin area.


If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.


The post How to Easily Check Which WordPress Version You are Using appeared first on WPBeginner.


Carrie Dils Talks WordPress and Web Accessibility



Editor's Note April 14, 2016: While the live broadcast of our Finely Tuned Expert episode with Carrie Dils has come and gone, the recording lives on for your enjoyment whenever and wherever you choose. Watch the entirety of the show in the embedded video below. Want more Finely Tuned Expert videos? Find all of them right here on wpengine.com or on our YouTube channel.


For this edition of “Finely Tuned Expert,” we welcome back an expert whom we last saw when this internet show was a text-based Q&A. Texas-based WordPress developer Carrie Dils returns to the show to discuss freelance WordPressing, her collection of educational podcasts and blog posts, and web accessibility.


Catch the show live at 3 p.m. Central on Wednesday, April 13. Where can you watch it? Why, right here on wpengine.com, of course! Just click in the video window below at 3 p.m. Central, Wednesday, April 13 to watch it live.



The post Carrie Dils Talks WordPress and Web Accessibility appeared first on WP Engine.

Why Agencies Should Trust WordPress

Websites are at the heart of a client's business. They are the engine which powers all customer facing online interaction, as well as the mechanism via which digital marketers gather data and intelligence about their customers' behaviours and buying habits. Modern websites need to balance great design, insightful content, UX, speed, security, and so much more.


The opportunity for digital agencies here is immense. But the pressure is on to get it right for clients the first time, every time. Sites need to be scalable, easy-to-use, and work as an engaging platform for hosting company content. Getting the CMS right is crucial.


In his latest article in Digital Marketing Magazine, WP Engine EMEA Managing Director Fabio Torlini discusses why WordPress is the CMS of choice.


The post Why Agencies Should Trust WordPress appeared first on WP Engine.

Improve Your WordPress User Management with Users Insights

If you are running a multi-user WordPress site, you probably know that when it comes to user management in WordPress, it can be a real struggle to stay on top of things. Who did what? When was the last time this person showed up? Who are my most loyal customers? Where do my users come from? These are all important questions that the Users Insights WordPress plugin can answer.


How To Scale Your WooCommerce Store (Webinar Recording)

EDITOR'S NOTE 04/14/16: Did you miss the live broadcast of this webinar? Don't fret. A full video replay is available here. Happy viewing.


To maximize sales, growing your ecommerce store's traffic is crucial. But to increase traffic, your WooCommerce store needs to be able to scale. In this upcoming webinar, learn all about scalability and the dos and don'ts of scaling your ecommerce store for success. Sign up here:


THE MYTHS, MISTAKES & MANAGEMENT OF WOOCOMMERCE AT SCALE


This webinar will teach you several ecommerce scaling best practices you might not have heard of before, including:



  • Myths associated with scaling WooCommerce

  • Disastrous ecommerce mistakes to avoid

  • How to choose the right developer

  • How to pick the best hosting platform


Join us Wednesday, April 13 at 11 a.m. CDT as presenters Chris Lema of Crowd Favorite and Jason Jaynes of WP Engine debunk some of the myths associated with scaling WooCommerce. Register now.


To prepare for the webinar, check out our new ebook, An Executive's Guide To Scaling WooCommerce, by Chris Lema.


The post How To Scale Your WooCommerce Store (Webinar Recording) appeared first on WP Engine.

TemplateMonster Launches GPL WordPress Themes (+ Special Offer: 5 GPL themes for $75)

Single-site WordPress themes are gradually receding into the background, giving way to GPL licensed alternatives. Under this type of license, you are absolutely free to use a WordPress theme as you wish. To be more precise, you can install it on unlimited sites, modify its frontend and code, and even redistribute it as is or in its modified versions.


Which WordPress Files Should You Backup? And the Right Way to do it

Often we get asked, "Which WordPress files should I back up?" Having an up-to-date WordPress backup protects you against unexpected server failures and hacks. However, you don't have to back up every file if you don't want to. In this article, we will tell you which WordPress files are important to back up and the right way to do it.


Which WordPress files to backup


Why Setup a WordPress Backup?


All websites on the internet are vulnerable to hacking attempts, DDoS attacks, data theft, and data loss. This can happen even to the most secure websites on the internet.


A WordPress backup solution for your website is your insurance against all those terrible things. It allows you to keep your content safe and restore your website after an accident.


Many beginners believe that their sites probably don't need a backup system, until they come across an accident and realize how easy recovery would have been if they had a backup.


What's the Best Way to Create WordPress Backups?


The best way to set up a backup is by using an automated backup system.


There are several free and paid WordPress backup plugins available. You can take a look at our expert pick of the best WordPress backup plugins.


If you have the budget, then we recommend using VaultPress. It automatically syncs your changes, keeps daily backups with security scans and easy restore. We use VaultPress for all our WordPress projects.


However, most site owners don't like paying a monthly fee. That's why we recommend using BackupBuddy. It is the most popular WordPress backup plugin on the market. See our tutorial on how to keep your WordPress content safe with BackupBuddy.


Remember, you will only have to set up a backup solution once. After that, it will automatically create backups for you.


Which WordPress Files to Backup?


Your WordPress site has three kinds of files and one database.



  • Core WordPress Files

  • Files in the wp-content Folder (your theme, plugins, and uploads)

  • WordPress configuration files

  • Your WordPress Database


Backing up Core WordPress Files


Core WordPress files are the files that run your WordPress site. You normally would never make any changes to these files, so they remain the same on all WordPress sites.


The core WordPress files include all files in the root folder and in the wp-includes and wp-admin folders.


You can always get fresh copies of these files from the WordPress.org website. This is why you don't necessarily need to back up these files.


Core WordPress Files


Backing up wp-content Folder


The wp-content folder is where WordPress stores all your images, media, themes, and plugins. The contents of this folder are unique to your website.


If you know what plugins and theme you had installed on your WordPress site, then you can always get fresh copies of these plugins and themes from their sources. In that case, you don't need to backup plugins and themes folders.


If you can't remember all the plugins or the theme you had installed, then you should backup these folders too. If you have a custom theme, then definitely backup these folders.


All your images and uploads go into /wp-content/uploads folder. If you lose this folder, then you will not be able to recreate it. You must always backup this folder.


The wp-content folder is also the place where your other WordPress plugins may create their own folders.


wp-content folder


Plugins like W3 Total Cache, WP Super Cache, etc., may also create folders and files in your wp-content folder. You can safely ignore those files, as those plugins can regenerate them.


However, plugins like Envira Gallery create folders to store files for your galleries. You must backup these folders.


You need to make sure that files that you have uploaded using plugins are not excluded from backups.


Backing up WordPress Configuration Files


The WordPress configuration files contain important settings information for your WordPress website. The two most important WordPress configuration files are:



These files contain settings that are relevant to your WordPress site. They can be manually recreated, but it is safe to always add them to backups.


Backing up WordPress Database


WordPress stores all the data in a MySQL database. This is where all your posts, pages, users, comments, and everything else is stored.


This is the most frequently updated part of your WordPress site. This is why you need to create database backups more frequently.


Why Not Just Backup All The Files and Database Every Time?


You should create a full backup of all your WordPress files and database at least once a month. For busier websites, you can create full backups once a week or even once a day.


However, you need to keep in mind that creating full backups is resource intensive. If you are on shared WordPress hosting, then this could hog your server resources. It may result in a slow website or may even make your site inaccessible.


Storing large backup files in the cloud takes up your storage space. Transferring large files can also be difficult on a shared server, which may result in unfinished uploads or corrupt backups.


Having said that, let's look at what an ideal strategy for backing up your WordPress site looks like.


Create Multiple WordPress Backup Schedules


The best way to set up backups is by using multiple schedules. You can create multiple backup schedules like this:



  • Full WordPress backup each month

  • Partial WordPress backup every week

  • Database only backup every day


Most good WordPress backup plugins allow you to setup multiple schedules. We will show you how to do that in BackupBuddy. For other plugins, check their documentation for instructions.


Login to your WordPress admin area and then click on BackupBuddy. You will see your backup schedules listed there.


If this is your first time using BackupBuddy, then it will automatically take you to the quick setup wizard.


quick setup wizard in BackupBuddy


Follow the on-screen instructions and BackupBuddy will create your first complete backup.


After that, go back to the BackupBuddy » Backups page. You will notice two buttons for database-only and complete backups.


Click on the plus icon next to them to add a new backup profile.


Add new backup profile button


Next, you will see two fields. Choose 'Files only' from the dropdown menu and then provide a name for this backup profile, e.g. Partial Backup.


Setup and Add Backup Profile


After that you need to click on the gear icon next to your newly created profile.


Customize your backup profile


This will bring up a popup where you can customize how this profile creates backups.


First you need to uncheck the box next to 'Use global defaults for files to backup?' option. This will show you WordPress files and folder structure.


customizing backup profile


Simply hover your mouse over the folders and files you want to exclude, and then click on the minus button. Repeat to remove the wp-includes and wp-admin folders, the files in the root folder, and plugin-created files inside the wp-content folder.


Click on the Save profile settings button when you are done.


Now you need to visit BackupBuddy » Schedules page to add a new schedule.


Give this schedule a name and then select your backup profile. After that you can choose a backup interval. BackupBuddy lets you choose from a range of options starting from once hourly to once yearly.


Adding a new schedule


For partial file backups, we recommend a once- or twice-a-week schedule.


Click on the remote destination button to select where to save the backup. Click on the add new schedule button to save your changes.


That's all, BackupBuddy will now create a partial backup of your files based on the schedule defined by you.


You can add more schedules and backup profiles to make sure that your backups are not too bloated, can be reliably moved, and easily restored.


We hope this article helped you learn which WordPress files you should back up and the right way to do it. You may also want to see our 13 vital tips and hacks to protect your WordPress admin area.


If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.


The post Which WordPress Files Should You Backup? And the Right Way to do it appeared first on WPBeginner.