In today’s digital and content-hungry world, a well-designed website that’s easy to update is critical for businesses that want to get and keep the attention of their audience. For many companies, the way to meet those needs is through WordPress.

In fact, according to Kinsta, WordPress is the most popular website platform in the world… and by a wide margin. Approximately 35% of websites use it, with second place going to a platform called Joomla, with just 2.6% of the market. WordPress has achieved this level of domination with consistent growth of 1-4% for nearly a decade.

WordPress is also the world’s most popular content management system (CMS). A CMS is used to create, edit, and publish content to an existing website. In terms of this functionality, WordPress has 62% of the market with Joomla at 4.6%.

Consequently, there’s a good chance that your company’s website is built and maintained with WordPress. And if it’s not, there’s a similarly good chance you’ll run into the platform at some point down the road.

Why Is WordPress so Popular?

What’s behind the WordPress platform’s impressive growth and large market share? A number of things, including:

UX. People tend to love the user experience with WordPress.
E-commerce capabilities. The system has powerful functionality to support e-commerce websites, including through the WooCommerce plugin.
Search engine optimization. WordPress is, by far, the most SEO-friendly platform available, in part because of the availability of the Yoast plugin.
Free + paid plugins. Additional features and functions can be added to websites at no cost or for a minimal fee using plugins.
Customization. WordPress websites are easy to customize to meet specific business needs.
Multilingual. WordPress’s ability to support multilingual websites has grown considerably in recent years.
LMS. The platform is great for managing websites that have a learning management system.
Themes. WordPress offers a wide variety of beautiful themes. Many people think the large “theme market” is a major factor in the system’s popularity.
Cost. The platform tends to be among the most cost-effective systems available.

Is WordPress the “best” website platform and CMS? That depends on your needs. But its features are very appealing to most businesses.

Note: It’s important to be aware that there are “.org” and “.com” versions of WordPress. The .org version is for self-hosted websites; the .com is for websites hosted by WordPress.

WordPress Performance Tips

In order to maximize the performance of your WordPress website, you’ll want to use these proven techniques:

● Install a WordPress caching plugin
● Keep your WordPress site updated
● Optimize background processes
● Use excerpts on the homepage and archives
● Don’t upload audio/video files directly to WordPress
● Use a theme optimized for speed
● Use faster plugins
● Reduce external HTTP requests
● Reduce database calls
● Optimize the WordPress database
● Limit post revisions
● Disable hotlinking and leaching of your content
● Use a DNS-level website firewall
● Fix HTTPS/SSL errors without a plugin

Tactics specifically related to increasing the speed of a WordPress website (and pleasing Google in the process) include that you should:

● Ensure you are on PHP 7
● Use Redis
● Reduce JavaScript
● Queue
● Use sub-queries
● Optimize images
● Leverage lazy-loading
● Use the Varnish page cache
● Use the CDN cache tool

Keep in mind that website designers are not always familiar with how to improve the performance of a WordPress site. Be sure to ask them about their skill in this area and get assistance from a technical expert if needed.

Basic Security Best Practices

Because WordPress is so popular, it is also one of the platforms most frequently targeted by hackers. That means it’s critical to know how to secure your WordPress site. Below are some key considerations and actions to take.

● Make frequent backups
● Get an SSL certificate
– Force HTTPS connections
● Remove all unnecessary WP plugins
– The more plugins you have, the greater your attack “surface area”
● User accounts: Don’t share credentials, disable unnecessary user accounts, rotate passwords, and only grant needed permissions for each user
● Use two-factor authentication (Google Auth Plugin)
● Use a strong admin password for the actual login page
● Rename the login page since everyone knows what the default names are (iThemes Security)
● Install a plugin that implements a lockout policy (iThemes Security)
● Keep your plugins and WordPress current with security updates
● Change the default admin username
● Don’t log into WP admin panel from untrusted networks
● Don’t use FTP to access WP site code/files
– Use SSH, SFTP, or at least FTPS instead
● Choose a security-minded web hosting company
– You often get what you pay for
● Maintain/update servers, especially Apache and PHP packages

Advanced Security Best Practices

Beyond the basics, there is even more you can do to prevent anyone from tampering with or disabling your WordPress website.

● Lock down SFTP/SSH access to hosting environment
● Bastion hosts, VPN, and automated deployment process
● Rate limiting to slow down brute-force attempts
● Dedicated hosting instead of shared hosting
● Disaster recovery and maintaining a code repository
● Disable weak/insecure SSL/TLS protocol versions and ciphers
● Miscellaneous Apache/server hardening
● Remove the Apache server banner to obfuscate version info
● Apache Options should include “-Includes”
● mod_security or other WAF solutions
● Protect the wp-admin directory using OS/web level authentication (password protect the directory)
● Protect your wp-config file by moving it to a directory above the web root
● Disable directory listing on the server. On Linux (Apache), set “Options All -Indexes”.
– In Windows IIS, use the equivalent check box option to do the same thing
● Ensure folder permissions are set up properly. On *NIX systems, setting directories to 755 and files to 644 typically does a pretty good job. On Windows, make your folders read-only and accessible only to the IUSR user account, granting write (but not execute) permission only where and when it is needed.
● Protect yourself against DoS/DDoS attacks by using a platform such as Cloudflare that monitors bandwidth and acts against DoS attacks. You can also use other services that provide an application firewall, such as Amazon AWS, Google’s GCP, or Microsoft Azure. Alternatively, you can host your site on a platform that scales dynamically (AWS EC2 scaling groups) so that the more bad actors try to attack, the more resources you provide to handle the load. (The issue with this approach is that it will cost you a lot!)
● A big part of hacking is recon. Removing your WordPress version information makes it that much more difficult for someone to learn about your system and decide what type of attack to launch. To do this, you can use a security plugin (mentioned above) or add the following to your theme’s functions.php file:

    function wpbeginner_remove_version() {
        // An empty string removes the version from the generator tag. Any other
        // string placed between the quotes (e.g. '9999985') is shown instead.
        return '';
    }
    add_filter('the_generator', 'wpbeginner_remove_version');
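The 755/644 permission scheme described in the list above, written out as a small POSIX shell script that applies it to a WordPress document root and then audits the tree for anything that deviates from it. This is an added example, not code from the original article; the directory path is supplied by the caller (the WP_ROOT variable is a placeholder), and nothing in it refers to a real installation.

```shell
#!/bin/sh
# Added example (not from the original article): apply the 755/644 scheme to a
# WordPress tree on a *NIX host, then audit it. The root path is an argument;
# WP_ROOT below is only a placeholder for stand-alone use.

# Directories 755 (rwxr-xr-x): the web server can traverse and read them.
# Files 644 (rw-r--r--): readable by the server, writable only by the owner.
harden_perms() {
    root="$1"
    [ -d "$root" ] || { echo "harden_perms: no such directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# List entries writable by group or others (the usual result of a careless
# "chmod 777"), then regular files with any execute bit set. PHP is run by
# the web server, so files in the tree never need the execute bit.
# Symbolic links are skipped: their mode bits are not meaningful here.
audit_perms() {
    root="$1"
    find "$root" ! -type l \( -perm -g=w -o -perm -o=w \) -print
    find "$root" -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print
}

# Number of findings; 0 means the tree matches the 755/644 scheme.
count_bad_perms() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Caveat: wp-content/uploads (and any cache directory) must be writable by the
# web server user. Give that user ownership of those directories instead of
# loosening the mode bits to 777, which the audit above would flag.

if [ -n "${WP_ROOT:-}" ]; then
    harden_perms "$WP_ROOT"
    audit_perms "$WP_ROOT"
fi
```

Run it with WP_ROOT set to the document root to harden and audit in one pass, or source it and call audit_perms alone for a read-only check.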

Making WordPress Work for You

WordPress is a powerful, flexible, and affordable website platform and CMS that can meet the needs of virtually any type of business. And if there’s functionality you require that the system doesn’t offer, somebody out there has developed it or we can develop it for you. Then you can use the intuitive interface to upload and publish new content on an ongoing basis to keep your site interesting, engaging, and useful to your customers and prospects.