John Hughes | Torque

Orbiting Your Clients, and Why It’s a Bad Idea (For Both Parties)
https://torquemag.io/2019/04/stop-orbiting-clients/
Thu, 04 Apr 2019 18:45:47 +0000

Sometimes, you’ll encounter clients who aren’t a good fit for you. That doesn’t necessarily mean they’re ‘bad’ clients, just that the way they do business doesn’t align with your approach. In these cases, putting off the decision to make a clean break can only impact both of you negatively.

When a developer doesn’t want to fire a client, but puts off doing work for them, that’s called ‘orbiting’. It’s not only unprofessional, but it’s a waste of time and energy you could be spending on other clients. Ending the relationship in a positive way, on the other hand, is a win-win situation.

In this article, we’ll talk a bit more about what orbiting is and how it can affect you. Then we’ll offer three tips for making a clean break from clients who aren’t a good fit. Let’s talk business!

What Does Orbiting Your Clients Mean?

If you’ve ever been in a situation where you didn’t enjoy working with a client, you know it can get uncomfortable. You may put off answering emails, deliverables can get delayed, staying on the same page is nearly impossible, and so on.

When you’re in that situation, but you put off the decision not to work with the client anymore, you’re ‘orbiting’ them. That is to say, you’re staying close enough that you may get more work from them, but you’re not investing any real effort into the relationship.

If you’re a freelance developer, this situation becomes even trickier. Freelance work can be very feast-or-famine, so the idea of firing clients is often anathema. Even so, if you can’t give a project or a client your all, then you’ll need to ‘leave their orbit’, so to speak.

By making a clean break, you can regain control over your time and focus on other projects you do enjoy working on. What’s more, you’ll be respecting your client’s time and recognizing that, while they may not be a good fit for you, they might get along great with another developer. Going your separate ways now enables both parties to pursue their needs optimally.

How to Make a Clean Break from Your Client (3 Key Tips)

Breakups tend to be messy in general, and that includes separating from a client. However, when it comes to work-related breakups, it’s essential that you keep things professional. You’ll want to make a clean break, but it’s best not to burn any bridges in the process. Let’s talk about how to do that!

1. Give Enough Notice

There’s a reason most workplaces ask you to give notice at least a few weeks before you quit. If you simply wake up one day and send an email that says: “I’m not feeling this project, I’m out!”, that makes you look unprofessional and forces the client to look for a replacement immediately.

Ideally, you’ll want to give your client notice that you need to move on from a project. How early you should provide that notice depends on the nature of the project and the relationship. However, the two-week rule of thumb is a good start, even for remote work.

Here’s what the first draft of your email might look like:

Hello [Client Name],

Unfortunately, due to scheduling problems, I won’t be able to keep working on your website after April 14th. I’ll wrap up all outstanding tasks during that period, and make sure you have everything you need to continue development.

Please let me know if you have any questions!

When it comes to giving notice, it’s important to provide a clear date, although you can negotiate it with the client depending on what they need. In any case, if you’re at this point then your mind is probably made up, so be firm in your decision.

2. Explain the Scope of the Work You’re Going to Complete

Let’s say you’re developing an app, and you decide you’re not a good fit for the project. Along with simply telling the client that you’re quitting, you’ll need to offer some critical information – what work you’re going to complete before you leave.

When breaking up with a client, it’s important to define the scope of the work that’s left over. That way, you’ll avoid situations where clients keep asking you for more and more, and you can’t go until they’re satisfied.

Let’s rewrite the email from the previous section to include that information:

Hello [Client Name],

Unfortunately, due to scheduling problems, I won’t be able to keep working on your app after April 14th. I wanted to let you know well in advance, so you can decide how to move forward.

Before I move on, I’m going to take care of the following tasks:

  • Finish working on the app’s login functionality
  • Improve the app’s performance

I’ll also be sending you all the credentials you need to keep working on the project (or hire someone else to do so). Please let me know if you have any questions!

Unless the project at hand is very simple, it’s best to be as detailed as possible at this stage to avoid misunderstandings. For a shorter project, it may make more sense to wrap it up, and then take advantage of that opportunity to make a clean break with the client.

3. Don’t Over-Explain the ‘Why’ Behind Your Decision

It’s vital to be professional at every point when working with a client, even while you’re breaking up with them. Here’s a (somewhat exaggerated) example of how you shouldn’t do things:

Hello [Client Name],

I won’t be able to keep working on your website after April 14th because my girlfriend broke up with me, my car broke down, my dog left me for my neighbor, and I’m losing my hair.

However, I’ll wrap up all outstanding tasks during that period, and make sure you have everything you need to continue development.

Please let me know if you have any questions!

Unless you have a personal relationship with a client, they don’t need to know all the details of why you’re leaving a project. That’s even more important if the truth happens to be: “I don’t like working with you and I think we should collaborate with other people”.

Over-explaining your decision not only makes you sound unprofessional, but it can encourage the client to try and change your mind. Once you send that breakup email, your choice should be set in stone. So keep it short and concise, and don’t leave any room for negotiation.

Conclusion

A lot of developers are intimidated by the idea of firing clients. If you work on your own, letting business go can be particularly scary. However, if you’re certain that you aren’t a good fit with a client, it’s better for both of you to make a clean break and spend your energy in more efficient ways.

Of course, just because you want to part ways doesn’t mean you need to be unprofessional about it. Here’s how you can stop orbiting a client and stay classy about it:

  1. Give them enough notice.
  2. Explain the scope of the work you’re going to complete.
  3. Don’t over-explain the ‘why’ behind your decision.

Do you have any questions about how to end a client-developer relationship the right way? Let’s talk about them in the comments section below!

Image credit: Pixabay.

How to Secure a Website With the ‘Holy Trinity’ of Site Security
https://torquemag.io/2019/03/holy-trinity-of-site-security/
Wed, 27 Mar 2019 18:25:46 +0000

No matter how large or small your site is, or what niche it occupies, it’s likely to be the target for at least a few attacks over its lifespan. Protecting it is essential if you want to avoid losing data or seeing part of your site break. This means putting some careful thought into your site’s security provision.

Many WordPress users simply install a single security plugin and think that’s enough to prevent malicious attacks. However, your site’s security plan should be a little more complex. There are actually three main areas you’ll need to focus on if you want to lock your site up nice and tight.

In this post, we’re going to introduce the ‘holy trinity’ of website security solutions – a firewall, an application-level security tool, and a robust backup plugin. We’ll also introduce some solutions you can use to implement each one. Let’s get to work!

Why a Multi-Tiered Security Solution Is Vital for Your Website

As a website owner, you have a lot to worry about. You need to design your site, create quality content for it, communicate with its visitors, and a lot more. Sometimes, security is a concern that can get lost in the shuffle.

In particular, it can be easy to assume your web host is keeping your site safe, or that installing a specific security plugin is all you need to do. However, attacks can come at your site from many angles. If it’s not protected in a variety of ways, you may end up the victim of a hack or other malicious event.

If your website is hacked, it could result in:

  • Breaking certain features of your site, or even bringing the entire thing down.
  • The loss of data or content (or the addition of malicious content to your site).
  • A compromise to sensitive information, such as your users’ personal and financial data.
  • Financial setbacks, if the hack temporarily or permanently prevents you from doing business through your site.

To avoid these scenarios, it’s vital to put together a full security plan for your website. This includes protecting it from various directions of attack, and having a fallback in place should anything go wrong. Let’s look more closely at what this plan might look like.

How to Secure a Website With the ‘Holy Trinity’ of Site Security (3 Key Tools)

While there are plenty of ways to secure your website, there are three we would argue are most vital. In fact, we like to refer to these techniques as the ‘holy trinity’ of website security, because they’re that important.

More specifically, you’ll need the right kind of firewall, an application-level security plugin, and a backup solution. Over the next few sections, we’ll look at each of these tools in turn.

1. Protect Your Site with a Web Application Firewall (WAF)

You’re probably familiar with the concept of a firewall, at least in a basic sense. Firewalls set up a barrier between a system and the outside world, and attempt to keep anything out that might cause harm to it.

There are various types of firewalls, but your website needs a Web Application Firewall (WAF). This is set up between your server and the rest of the internet. It monitors incoming traffic and data to your site and blocks anything it finds to be harmful. A quality WAF is also updated regularly, so it’s able to recognize the latest threats and keep them out.

It’s worth checking your site’s web hosting provider, to see if it provides a decent WAF. If it doesn’t, or if you just want to be extra safe, you can also install your own solution. There are plenty of options available, although Cloudflare’s offering is an excellent place to start.

This popular Content Delivery Network (CDN) provides a variety of scanning and monitoring features in addition to its core features, helping you keep a close eye on your site’s activity. In addition, the premium version includes a robust WAF that protects your entire server. This tool can be an investment worth making, particularly for business and e-commerce sites.

2. Install an Application-Level Security Plugin

A WAF will do a lot to keep malicious traffic away from your site. However, it’s not enough to set up a barrier between your site and the rest of the web. You’ll also need to build safeguards into the site itself, to protect it from more direct attacks.

One of the most common ways websites are hacked is by users who force their way in via the login screen and other key entry points. These ‘brute force attacks’ are the equivalent of someone knocking down your site’s door and forcing their way in. To extend the metaphor, you’ll need to lock up all of its doors and windows tightly if you want to prevent that from happening.

The best way to do this is to install an ‘application-level’ security plugin. This is a tool that adds features to the site itself, rather than operating at the server level (as a WAF does). A quality application-level plugin will offer a variety of options for protecting your site, focusing on the most common entry points for malicious traffic.

For an example of the kind of plugin we’re talking about, you can check out Defender:

The Defender WordPress plugin.

This aptly-named tool adds to your site’s security in a number of ways. It can perform regular scans and provides reports to let you know what’s happening on your site. In addition, Defender:

  • Limits login attempts, so would-be hackers can’t try to log into your site over and over again until they get it right.
  • Blocks bots that look for vulnerabilities in your site, and locks out suspicious IP addresses.
  • Adds Two-Factor Authentication (2FA) to your site’s login screen, making it much harder for unauthorized users to get in.
  • Changes security keys regularly, reducing the chance of them being compromised.

In other words, a plugin like Defender adds a variety of protections and safeguards directly to your site. If you’re a more advanced user, you can also customize many aspects of the way it works, in order to ensure your site’s unique needs are taken into account.
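
One way to check your own access log for the repeated login attempts described above, as an added example that is not from the original post or from Defender. It assumes the web server writes Combined Log Format and that the WordPress login form lives at /wp-login.php; the sample log lines, threshold, and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format (Combined Log Format):
#   ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the site uses the default WordPress login path.
LOGIN_PATHS = ("/wp-login.php",)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Flag IPs that submit the login form more than max_attempts times
    inside any sliding window. Lines must be in chronological order,
    which is how an access log is written.

    Returns {ip: peak number of attempts seen inside one window}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of attempts still in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole scan
        ip, ts, method, path, _status = rec
        # Only form submissions count as attempts; GET merely shows the form.
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        # Drop attempts that have aged out of the window.
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged


# Constructed sample data (documentation IP ranges, not real traffic):
# one visitor who mistypes a password once, one garbage line, and one
# client that submits the login form eight times in 35 seconds.
SAMPLE_LOG = [
    '198.51.100.20 - - [27/Mar/2019:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [27/Mar/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [27/Mar/2019:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line',
] + [
    '203.0.113.7 - - [27/Mar/2019:10:01:%02d +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3012 "-" "-"' % second
    for second in range(0, 40, 5)
]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts within 5 minutes")
```

An IP that shows up here despite a login limiter being active is worth a closer look, since it means the limit is not being applied to that entry point.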

3. Back Up Your Site Regularly

At this point, we need to share a little bad news. While a WAF and an application-level security plugin together can prevent the majority of attacks to your website, no solution is 100% perfect. New attacks and threats appear every day, and a dedicated hacking attempt can make it through even the most effective set of safeguards.

That’s why, in addition to locking up your site tightly, you also need a ‘plan B.’ If your site is hacked or compromised in any way, you’ll want a quick and easy way to address the situation. Enter backups.

A backup is simply a copy of your site and its data, stored in a safe location. If you create regular backups, and your site is attacked, you can simply restore the latest one to return your site to its fully-functioning state. This is a lot faster and simpler than trying to address the attack directly and can be a lifesaver if important data is deleted or your site is brought down completely.

Backups are so vital that there are hundreds of solutions for creating them. Once again, your web host may provide you with the tool you need, or even handle backups for you. If not, you can simply install a WordPress backup plugin on your own.

When it comes to backing up your site, you can’t beat UpdraftPlus:

The UpdraftPlus WordPress plugin.

This plugin is used on over a million WordPress installations, and for good reason. It’s highly customizable, easy to use, and integrates with a lot of third-party cloud storage solutions. You can use UpdraftPlus to create both manual and automatic backups, save them somewhere secure, and restore them if it ever becomes necessary.

As for how often you should back up your site, we’d recommend doing so at least on a daily basis. You can set this up to happen automatically, so it won’t even take up any of your time. In addition, it’s also wise to manually back up your site right before making a significant change, such as installing a new plugin or theme.

Conclusion

Protecting your website isn’t something you can do with a single action or tool. Keeping it safe will involve developing a multi-faceted plan – one that considers all the ways something might go wrong.

While there are many ways to safeguard your WordPress site, there are three essentials you’ll want to address first. They are:

  1. Protect your site with a WAF.
  2. Install an application-level security plugin.
  3. Back up your site regularly (at least on a daily basis).

Do you have any questions about how to use the plugins we’ve introduced in this post? Ask away in the comments section below!

Image credit: Wikimedia Commons.

An Introduction to Headless E-Commerce (And Why It’s Worth Your Time)
https://torquemag.io/2019/03/headless-ecommerce-plugin/
Mon, 25 Mar 2019 17:12:58 +0000

As you may know, WordPress doesn’t include e-commerce functionality out of the box. Fortunately, it’s easy enough to add the required features to this Content Management System (CMS) using plugins. However, that’s not the only approach you can take to set up your online store.

A better approach would be to combine WordPress with a dedicated e-commerce platform. That way, you can use the CMS for creating and managing your store, and an e-commerce platform to power its functionality. This is referred to as a ‘headless e-commerce’ approach.

In this article, we’ll talk about how headless e-commerce works, and whether it’s a good option for you. Then we’ll go over how to implement this type of solution using WordPress and an e-commerce plugin. Let’s get to it!

An Introduction to Headless E-Commerce (And Its Benefits)

There are a lot of ways to set up an online store. For example, you might use a dedicated e-commerce platform to take care of the whole setup. Another approach would be to use a CMS and combine it with a standard e-commerce plugin.

Both of those approaches work, but there are of course many ways to tackle e-commerce. Another solution would be to develop an entirely new platform from the ground up, suited to your site’s specific needs. However, that’s not usually a viable solution for small- to medium-sized businesses.

Another approach that’s been gaining popularity is called ‘headless e-commerce’. To put it simply, this involves using one platform to handle what’s called the ‘presentation layer,’ and another for the e-commerce functionality. The presentation layer refers to all those features not related to online sales, such as content creation and management.

It may sound a bit unusual, but this approach offers several exciting benefits:

  • It can help improve performance, by keeping both layers separated.
  • It’s easier to update either ‘side’ of your store safely.
  • Scaling an online store is simpler with a headless architecture.
  • This system is a lot more flexible than traditional approaches to e-commerce.

That last part is the key selling point of headless e-commerce for most users. With this architecture, you’re free to use whichever platform you want to handle both the presentation and e-commerce layers. If you’re a WordPress fan, for example, you can use the CMS to create, design, and manage your store. Then you can integrate it with any e-commerce platform that its API supports.

Is Headless E-Commerce the Right Choice for You?

As we mentioned before, there’s no one-size-fits-all approach when it comes to e-commerce. If we’re talking about the sheer number of features, then some e-commerce platforms are clearly in the lead. However, it’s important to understand that not every online store requires the same level of complexity.

For example, let’s say that you want to add e-commerce functionality to an existing website, in order to sell a specific e-book or another type of digital product. In this case, WordPress plus a basic plugin like WooCommerce or Easy Digital Downloads might be a perfect fit.

Now, let’s imagine that you don’t want to sell just one or a handful of items. Instead, you have a catalog that spans hundreds of products. WooCommerce stores can sometimes have issues when it comes to ‘scalability’. In other words, the platform isn’t always able to grow smoothly with your store as it expands. With that in mind, it might be best to consider using a headless e-commerce structure in this scenario.

We’ve already talked about the benefits of headless e-commerce. To build on that, here are some situations where it makes sense to use it:

  • You’ll need access to more advanced functionality than what an e-commerce plugin can provide.
  • You intend to run an operation that handles a broad catalog.
  • You’re looking to maintain and update both layers of your store separately.
  • You already have a presentation layer set up, and you want to add online sales to it.

It’s also important to consider performance. Using a headless approach can keep your online store feeling fast, even if you’re managing hundreds of products. That’s key because reductions in performance can lead to a significant drop in sales.

How to Get Started With Headless E-Commerce in WordPress

As you might know, we’re big WordPress fans due to the CMS’s ease of use and customization potential. Those qualities make it the perfect platform to power the presentation layer of a headless e-commerce setup.

That still leaves us with the question of which software to use in order to power our site’s e-commerce functionality. For the headless approach to work, you’ll need to use an e-commerce platform with a robust API that enables you to access the functionality you need.

Some examples of e-commerce platforms that work well with a headless approach include Magento, BigCommerce, and CommerceTools. However, since we’re talking about integrating with WordPress, our vote goes to BigCommerce:

A GIF explaining how BigCommerce works.

In addition to its powerful APIs and direct channel integrations, this particular platform offers a dedicated e-commerce plugin that enables you to combine its functionality seamlessly with WordPress:

The BigCommerce WordPress plugin.

The advantage of this approach is that implementation is much simpler, at least when compared to putting together a manual integration. Plus, BigCommerce also enables you to manage multiple direct sales channels from a single dashboard, and that functionality works even with a headless WordPress structure.

Other advantages of this combination include BigCommerce’s extensive selection of payment gateways and its user-friendly checkout experience. To see how well both platforms play together, you’ll just need a WordPress website and a BigCommerce account – then you can use the plugin to connect the two. After that, you can start selling!

Conclusion

Traditionally, when people think about running an online store with WordPress, they imagine using a popular ‘starter’ plugin. However, headless e-commerce can be a much more scalable approach to online sales, and it’s not as hard to implement as you might imagine.

If you want to try creating a headless e-commerce setup using WordPress, the good news is that you don’t have to be a developer. You can pick an e-commerce plugin that will connect WordPress to a fully-featured platform, and integrate the two smoothly. That way, you get the benefits of both ease of use and flexibility.

Do you have any questions about how to implement headless e-commerce using WordPress? Let’s talk about them in the comments section below!

Image credit: Pixabay.

A Beginners’ Guide to Privacy Policies
https://torquemag.io/2018/06/beginners-guide-privacy-policies/
Mon, 04 Jun 2018 15:00:41 +0000

Among the important web development trends of 2018, user privacy and how websites handle collected data is at the top of the list. With the imminent introduction of the General Data Protection Regulation (GDPR), it’s more important than ever to ensure you have a privacy policy in place that adheres to its guidelines. Failing to do so could mean incurring severe penalties.

Fortunately, user privacy isn’t an impenetrable topic. There are a few key elements you’ll need to consider, as well as some tools that can help you put the optimal policy in place. There’s the obligatory WordPress plugin solution, but also comprehensive third-party offerings that constantly update based on changes made to your site’s elements.

In this post, we’ll explore what a privacy policy is and why you need one. Then we’ll cover five different ways to implement a privacy policy on your website. Let’s get started!

What a Privacy Policy Is

In a nutshell, a privacy policy is a legal document outlining your approach to managing user data. It explains what data you collect, how it’s used, where it’s stored, and anything else appropriate that your users need to know about the privacy of their collected data. For example, we have our own privacy policy linked to within the footer of every page:

An example of Torque's privacy policy.

Privacy policies are part of the same family as ‘cookie notices’ (i.e. website banners displaying whether a site collects cookie information). This is because both are implemented to clearly inform users that their data is being collected, as well as why and how.

As you can imagine, privacy policies can run to either a few lines or reams of detailed legal verbiage (although that would likely hamper the reader’s understanding). In short, you’ll usually find the following:

  • Clarification on what constitutes a user, the website, and any other relevant party.
  • Information on how data is collected on your site.
  • An overview of how the collected data is used once it’s been obtained.
  • What the visitor can do to make sure their data is deleted.

You may find that some privacy policies don’t include some of this information currently. However, as we’ll explain, all websites will shortly be required to add these elements, with heavy penalties facing those who do not comply.

Why a Privacy Policy Is Necessary For WordPress Websites

As we mentioned, the EU Cookie Law is almost a precursor to initiatives being introduced this year. The GDPR radically overhauls compliance for practically every website, and in contrast to the current Cookie Law, will include stiff penalties for those not complying with the directive.

While the GDPR, the Cookie Law, and implementing a privacy policy in general are platform-agnostic, for WordPress users the waters become a little more muddied. For starters, there are many cogs that turn to drive the entire platform – elements such as the plugins and themes you use will log data, for example.

What’s more, many users will have third-party tools and solutions that help them manage a site day-to-day, which is to be expected. If you or your clients use tools such as Google Analytics or InspectLet, these will also capture user data, meaning your privacy policy needs to reference this too.

It’s definitely a minefield, but one you will have to traverse if you want to stay on the right side of the law. Our advice is that if you’re considering this option solely based on the amount of work it will take to implement, it’s not a wise idea. The GDPR will mean authorities have the power to dish out millions of dollars worth of fines to non-complying sites. In short, the buck stops with you.

5 Solutions For Implementing a Privacy Policy on Your Website

Let’s take a look now at how to implement your privacy policy simply and effectively. Each of the solutions below is GDPR-friendly and is comprehensive enough (or has the scope) to handle any custom user privacy situation you or your clients may have.

1. Manually Create a Privacy Policy

First off, there’s nothing wrong with manually creating your own privacy policy if you feel it’s warranted. After all, it’s usually just a detailed statement of how you’ll capture and use visitor data. For websites with either zero or very little in the way of data collection, this method may be ideal.

We’ve mentioned what a privacy policy should contain already, but just to reiterate, you should include:

  • Details on the information you collect, and how you do so.
  • Why you’re collecting the information.
  • Whether third-party services associated with your site collect information, and the details (such as ad networks).
  • Clear guidance on whether users can opt out of data collection, and contact details in order to discuss things further.

However, unless you get the wording exactly right, your privacy policy could land you in hot water should any data breaches occur. Of course, you could get your privacy policy looked over by a legal professional, but you may find more value in a dedicated service. Let’s take a look at the rest of the options.

2. iubenda

The iubenda website.

In our opinion, iubenda is the most comprehensive and easy to use service available, and we really like the concept. Because many websites (especially WordPress-powered ones) are made up of many moving parts, you’ll likely have various data collection points throughout your site’s code. Keeping tabs on all of these could be difficult, but iubenda’s module-based system makes the process a breeze.

In short, you’ll piece together your privacy policy from a comprehensive list of services, resulting in a complete, ready to roll page that can be embedded or linked to as you wish. What’s more, each module is updated automatically when required. It’s going to be a great timesaver for high-traffic sites, or those handling sensitive data. However, it’s probably overkill for smaller blog-type sites.

As for pricing, it’s incredibly reasonable at its core. Ultimately, while there’s a free plan, you’re likely better off purchasing a license starting at $27 per year for one site, or a multi-license for $9 per month.

3. Shopify Privacy Policy Generator

The Shopify Privacy Policy Generator is (unsurprisingly) from the Shopify team – a leading e-commerce solution that isn’t specific to WordPress. Given that their business is heavily focused on leveraging user data, it makes sense that they provide helpful tools for their user base. This particular service will be suitable for any e-commerce site owner, and what’s more, it’s completely free to use.

In a nutshell, this solution is just like creating your own privacy policy. Once you provide some essential details, you receive a tailored privacy policy in text form, which you can then paste into a post or page:

The Shopify Privacy Policy Generator.

It’s arguably the quickest and simplest solution available, which makes it great for Minimum Viable Products (MVPs) and startups in need of a quick launch. However, because it’s essentially a one-size-fits-all solution, it could miss out vital aspects of your site. In addition, it’s not WordPress-specific, so it won’t offer the same detail as other policies.

4. Auto Terms of Service and Privacy Policy

The Auto Terms of Service and Privacy Policy plugin.

As for WordPress plugins, Auto Terms of Service and Privacy Policy is one of the best available for creating clear-cut and comprehensive privacy policies. By using this plugin, you’ll be amending the Terms of Service (TOS) and privacy policy of Automattic – the developers of WordPress – meaning it’s totally free to use.

It’s similar to Shopify, in that you’re adding your own details to a template privacy policy. However, Auto Terms of Service and Privacy Policy allows you to configure a more robust solution tailored to the specific requirements of your website. It’s also extremely easy to use.

Overall, Auto Terms of Service and Privacy Policy is going to be great for those needing a quick way to protect themselves temporarily, and the fact that it’s a WordPress plugin is a major plus.

5. TermsFeed

The TermsFeed website.

Finally, we have TermsFeed. This is one of the more popular third-party privacy policy generators, and it works in a similar vein to iubenda. In essence, you select what to include, and TermsFeed generates a privacy policy you can link to or embed, which is then updated automatically.

The main perk of TermsFeed is the vast number of different policies you can generate:

Examples of the policies you can create with TermsFeed.

We’d arguably put this aspect ahead of iubenda’s, although both services are pretty similar overall. However, where TermsFeed falls down is its ambiguous approach to pricing. While there’s a clause-limited free service, premium policies require a one-time payment that is calculated upon creation. Because of this, it’s likely not going to be a solution for the budget-conscious.

Conclusion

Making sure you have a privacy policy in place before ‘GDPR doomsday’ should, naturally, be a high-priority task. It’s not necessarily an easy one, but it’s one you’ll want to undertake given the potential to be fined for a misstep.

This post looked at five ways to create a GDPR-friendly privacy policy for your website. Let’s recap them quickly:

  1. Manually create a privacy policy. If you can access the legal know-how, writing your own privacy policy is a great option.
  2. iubenda. A comprehensive service ideal for the vast majority of websites.
  3. Shopify Privacy Policy Generator. This solution can’t be beat for a quick e-commerce privacy policy template.
  4. Auto Terms of Service and Privacy Policy. As WordPress plugins go, this is a must-have for generating a quick privacy policy.
  5. TermsFeed. While this is also a comprehensive solution, you’ll likely need a decent budget to create your privacy policy.

Do you have a question about how to implement a privacy policy on your WordPress website? Ask away in the comments section below!

Featured image: mohamed_hassan.

The post A Beginners’ Guide to Privacy Policies appeared first on Torque.

3 Common WordPress Attacks You Can Stop In Their Tracks https://torquemag.io/2018/05/stop-common-wordpress-attacks/ Mon, 28 May 2018 15:03:32 +0000 https://torquemag.io/?p=83953

The post 3 Common WordPress Attacks You Can Stop In Their Tracks appeared first on Torque.

Despite the thousands of hours that have gone into making sure WordPress is secure and stable, the default platform still has certain aspects that are vulnerable to attacks. It’s vital to know what those attacks are, so you can take steps to bolster your security and provide needed peace of mind.

As we discussed in a previous article, code injection attacks – such as Cross-Site Scripting and SQL injection – remain a high-priority concern for many website owners. Fortunately, protecting your site from these intrusions is simply a case of using some common-sense techniques, along with a snippet or two of code.

In this post, we’ll take a cue from the official WordPress developer website, and run through some of the most common attacks the platform has to contend with. Plus, we’ll also discuss how to fix them. Let’s get started!

What WordPress Already Does to Fight Hackers

The WordPress security page.
WordPress takes security very seriously, as demonstrated by the dedicated page on the official website.

It’s worth mentioning up front that WordPress is already highly secure, which is what you’d expect from a platform that powers so much of the web. However, if you were to go by WordPress’ portrayal in the media, you’d be forgiven for thinking it was an insecure platform not suitable for professional use. Of course, nothing could be further from the truth.

On their security page, the WordPress team clearly outlines their commitment to closing off potential hacker entry points. This includes:

  1. Presenting fixes on an almost constant basis, via regular incremental and point updates.
  2. A commitment to backward compatibility, which encourages users to install those regular updates.

Despite all of this effort, WordPress – much like every web application and Content Management System (CMS) – still needs an occasional helping hand to stop intrusions. The good news is that this is something completely within your control.

3 Common WordPress Attacks You Can Stop in Their Tracks

As we mentioned above, no platform can ever be completely safe. In this section, we’ll cover three of the most common attacks according to the WordPress development team, and discuss how you can keep them at bay.

1. Cross-Site Scripting (XSS)

First up, Cross-Site Scripting (XSS) is one of OWASP’s top ten security risks, so it’s worth paying special attention to. It’s a member of the ‘injection’ group of attacks and happens when malicious JavaScript is injected via vulnerable dynamic site elements – such as contact forms and other user input fields – and then loaded in a visitor’s browser. A notable case of a severe XSS attack occurred in 2013, targeting Yahoo. This attack left user accounts in the hands of hackers.

As you can imagine, an XSS attack could severely reduce the trust customers place in your (or your client’s) business. As such, taking the measures necessary to prevent such an attack should be a priority. Fortunately, you can stamp out XSS by simply escaping your outputs correctly, and stripping away unwanted data.

Take this piece of HTML, for example:

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

The esc_url() function is specific to WordPress and replaces certain characters to prevent XSS attacks. For another example, check out this snippet:

$allowed_html = array(
    'a' => array(
        'href' => array(),
        'title' => array()
    ),
    'br' => array(),
    'em' => array(),
    'strong' => array(),
);
  
echo wp_kses( $custom_content, $allowed_html );

Here, wp_kses() has been used to allow only the specified HTML elements and attributes to occur in a string.

These are two handy WordPress-specific functions to combat XSS in your own projects. Using these and similar measures is a smart way to tighten your site’s security.
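The following is an added example, not code from the original article or from WordPress itself. It renders the same user-supplied values first unescaped and then escaped for each output context, using esc_attr(), esc_url(), esc_html() and wp_kses(). The myplugin_* names, the shortcode tag and the $profile array shape are hypothetical, and the code assumes it runs inside WordPress (for example in a plugin file).

```php
<?php
/**
 * Added example: context-specific output escaping.
 * All myplugin_* names and the $profile array keys are hypothetical.
 */

// BEFORE: values are concatenated into markup as-is, so any markup or
// script stored in a field is served to everyone who views the profile.
function myplugin_profile_card_unsafe( array $profile ) {
	return '<div class="profile" title="' . $profile['nickname'] . '">'
		. '<a href="' . $profile['website'] . '">' . $profile['display_name'] . '</a>'
		. '<div class="bio">' . $profile['bio'] . '</div>'
		. '</div>';
}

// AFTER: every value is escaped for the exact place it lands in.
function myplugin_profile_card( array $profile ) {
	// The only tags and attributes allowed to survive in the free-text bio.
	$allowed_bio_html = array(
		'a'      => array(
			'href'  => array(),
			'title' => array(),
		),
		'br'     => array(),
		'em'     => array(),
		'strong' => array(),
	);

	// Single quotes keep %1$s etc. literal for sprintf().
	return sprintf(
		'<div class="profile" title="%1$s"><a href="%2$s">%3$s</a><div class="bio">%4$s</div></div>',
		// Attribute value: quotes are encoded so the value cannot close
		// the attribute and start a new one.
		esc_attr( $profile['nickname'] ),
		// URL: schemes outside the allowed list (javascript: is not on it)
		// make esc_url() return an empty string.
		esc_url( $profile['website'] ),
		// Text node: angle brackets are encoded, so tags display as text.
		esc_html( $profile['display_name'] ),
		// Limited HTML: tags and attributes not listed above are removed.
		wp_kses( $profile['bio'], $allowed_bio_html )
	);
}

// Constructed sample input: one hostile value per output context.
function myplugin_demo_profile() {
	return array(
		'nickname'     => 'jo" onmouseover="alert(1)',
		'website'      => 'javascript:alert(1)',
		'display_name' => '<script>alert(1)</script>Jo',
		'bio'          => 'Hi <strong>there</strong> <img src=x onerror=alert(1)>',
	);
}

// Place [myplugin_profile_demo] in a draft post and view the page source
// to compare the escaped markup with what the unsafe version would emit.
add_shortcode(
	'myplugin_profile_demo',
	function () {
		return myplugin_profile_card( myplugin_demo_profile() );
	}
);
```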

2. SQL Injection

SQL injection is closely related to XSS, in that it relies on a vulnerable entry point left open by gaps in your sanitization efforts. However, the difference here is that these attacks directly affect your database, which can have disastrous consequences. SQL injection can affect any site; a notable victim was NASA, way back in 2009. Fortunately, WordPress makes it relatively easy to stave off SQL injection attacks.

The standard WordPress APIs provide a number of functions to help protect inputted data from SQL injections. For example, add_post_meta() offers you a secure way of using SQL’s INSERT INTO command, meaning you don’t have to add database calls manually to your code.

Of course, some of your SQL queries aren’t going to be this simple, and there’s a chance the API won’t account for them. In these situations, you’ll want to turn to the wpdb class. Here’s an example of how that works:

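global $wpdb; // WordPress database object; needed inside functions

// prepare() fills the placeholders safely; get_var() then runs the query
$wpdb->get_var( $wpdb->prepare(
  "SELECT something FROM table WHERE foo = %s and status = %d",
  $name, // an unescaped string (function will do the sanitization for you)
  $status // an untrusted integer (function will do the sanitization for you)
) );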

As you can see, we’ve used the $wpdb->prepare() function, which escapes the values substituted for the %s and %d placeholders before get_var() executes the query. This is just the tip of the iceberg, and there’s plenty more under the hood of WordPress to help halt SQL injection attacks.
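The following is an added example, not code from the original article or from WordPress itself. It goes a little beyond the snippet above by covering a LIKE search and an insert, with the concatenated query shown beside the prepared one. The custom table name, the myplugin_* function names and the request parameters are hypothetical, and the code assumes it runs inside WordPress.

```php
<?php
/**
 * Added example: parameterised queries with the wpdb class.
 * The table "myplugin_signups" and all myplugin_* names are hypothetical.
 */

// BEFORE: request data is concatenated into the statement, so it becomes
// part of the SQL itself. The numeric value is not even quoted.
function myplugin_find_signups_unsafe( $email_fragment, $status ) {
	global $wpdb;
	$table = $wpdb->prefix . 'myplugin_signups';

	return $wpdb->get_results(
		"SELECT id, email FROM {$table}
		 WHERE email LIKE '%{$email_fragment}%' AND status = {$status}"
	);
}

// AFTER: values travel through placeholders and never through the SQL text.
function myplugin_find_signups( $email_fragment, $status ) {
	global $wpdb;
	// The table name comes from trusted code, never from the request.
	$table = $wpdb->prefix . 'myplugin_signups';

	// esc_like() only makes % and _ in the search term match literally.
	// It does not make the value SQL-safe; prepare() does that.
	$like = '%' . $wpdb->esc_like( $email_fragment ) . '%';

	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, email FROM {$table} WHERE email LIKE %s AND status = %d",
			$like,   // quoted and escaped as a string
			$status  // cast to an integer
		)
	);
}

// Writes: insert() builds the statement for you. The third argument
// gives the format of each value (%s string, %d integer).
function myplugin_add_signup( $email, $status ) {
	global $wpdb;

	return $wpdb->insert(
		$wpdb->prefix . 'myplugin_signups',
		array(
			'email'  => $email,
			'status' => $status,
		),
		array( '%s', '%d' )
	);
}

// Typical call site: validate the request values first, then let
// prepare() handle the SQL side. The "q" and "status" keys are hypothetical.
function myplugin_search_from_request() {
	$fragment = isset( $_GET['q'] )
		? sanitize_text_field( wp_unslash( $_GET['q'] ) )
		: '';
	$status   = isset( $_GET['status'] ) ? absint( $_GET['status'] ) : 1;

	return myplugin_find_signups( $fragment, $status );
}
```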

3. Cross-Site Request Forgery (CSRF)

Finally, we have CSRFs – pronounced “sea-surfs.” In short, this is where an oblivious user is tricked into performing an action of the attacker’s choosing. To understand how this attack works, it’s worth considering how simple requests (such as clicking a link) work under the hood. Ultimately, these requests are one of two types: GET or POST. The former is a request for a page, and the latter is when data is sent to the server.

Consider a Google search for WordPress, where browsing to Google initiates a GET request, and searching for WordPress becomes the POST request. A CSRF is when this happens without the user’s consent. YouTube is one of many websites to succumb to this attack, and if a site that prominent can be vulnerable, you’ll need to do all you can to keep your site as safe as possible.

The solution here is to use ‘nonces’ – single-use security tokens designed to protect URLs and forms from being compromised. Take a look at this code example:

<form method="post">
   <!-- some inputs here ... -->
   <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?>
</form>

Here, we’ve used the wp_nonce_field() function to add a nonce to our form. This will guarantee that the user intends to perform the action (i.e. submitting the form) as expected, and there’s nothing extra they need to do on the front end.

Validation of the nonce doesn’t require setting any specific parameters, but there are options relating to the input action and name that can make your nonce more secure. What’s more, there are also functions to add nonces to a URL, as well as a custom format that’s ideal for AJAX requests.
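The following is an added example, not code from the original article or from WordPress itself. It shows both halves of the nonce round trip, because the hidden field only protects a form when the handler that receives the submission checks it. The option name, the myplugin_* names and the choice of admin-post.php as the form target are assumptions, and the code assumes it runs inside WordPress.

```php
<?php
/**
 * Added example: adding a nonce to a form and verifying it on submit.
 * All myplugin_* names and the "myplugin_greeting" option are hypothetical.
 */

const MYPLUGIN_ACTION      = 'myplugin_save_greeting'; // nonce action + admin-post action
const MYPLUGIN_NONCE_FIELD = 'myplugin_nonce';         // name of the hidden field

// 1. Render the form (for example on a settings page).
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="<?php echo esc_attr( MYPLUGIN_ACTION ); ?>" />
		<input type="text" name="greeting"
			value="<?php echo esc_attr( get_option( 'myplugin_greeting', '' ) ); ?>" />
		<?php wp_nonce_field( MYPLUGIN_ACTION, MYPLUGIN_NONCE_FIELD ); ?>
		<button type="submit">Save</button>
	</form>
	<?php
}

// 2. Handle the submission. Nothing is changed until both checks pass.
function myplugin_handle_save() {
	// Authorisation: a nonce shows intent, it does not grant permission.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
	}

	// Intent: the nonce is tied to the current user, the action string and
	// a time window (24 hours by default), and stays valid for repeat
	// submissions inside that window. A request forged from another site
	// cannot supply a matching value.
	$nonce = isset( $_POST[ MYPLUGIN_NONCE_FIELD ] )
		? sanitize_text_field( wp_unslash( $_POST[ MYPLUGIN_NONCE_FIELD ] ) )
		: '';

	if ( ! wp_verify_nonce( $nonce, MYPLUGIN_ACTION ) ) {
		wp_die( 'Security check failed. Reload the form and try again.', '', array( 'response' => 403 ) );
	}

	// Only now read and store the submitted value.
	$greeting = isset( $_POST['greeting'] )
		? sanitize_text_field( wp_unslash( $_POST['greeting'] ) )
		: '';
	update_option( 'myplugin_greeting', $greeting );

	// wp_nonce_field() also adds a referer field, so send the user back.
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url() );
	exit;
}

// admin-post.php routes requests whose "action" matches to this hook.
// Only the logged-in variant is registered, so anonymous requests are
// never handled.
add_action( 'admin_post_' . MYPLUGIN_ACTION, 'myplugin_handle_save' );
```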

Conclusion

A platform that powers about 30% of the web needs to be rock-solid, and this is definitely true of WordPress. However, no platform can guarantee 100% security. Some attacks can cripple a WordPress website, so you need to do what you can to ensure that malicious users have a hard time trying to hack your website.

To get you started, we’ve looked at three common WordPress attacks and how to fix them. Let’s recap each quickly:

  1. Cross-Site Scripting: This attack can be fixed by correctly escaping your outputs.
  2. SQL Injection: This related attack takes advantage of poor data sanitization to access your SQL database.
  3. Cross-Site Request Forgery: WordPress nonces can help validate a user action, and guarantee that it’s legitimate.

Have you ever been affected by any of these vulnerabilities, and if so, what was the outcome? Share your stories in the comments section below!

Featured image: dimitrisvetsikas1969.

A Comprehensive List of GDPR-Related Resources https://torquemag.io/2018/05/gdpr-resources/ Tue, 22 May 2018 18:13:08 +0000 https://torquemag.io/?p=84134

The post A Comprehensive List of GDPR-Related Resources appeared first on Torque.

There’s been a lot of talk about the General Data Protection Regulation (GDPR) so far this year. In fact, there’s been so much talk that it’s easy to lose track of what’s most important to understand. Given the penalties imposed for non-compliance, this could be catastrophic.

While there is a wide array of articles on the subject being produced regularly, you’ll want to keep track of additional sources of information. For example, WordPress’ own reaction to the GDPR should be closely monitored, along with the responses of various developers and businesses connected to the platform.

In this post, we’ll round up a number of resources related to the GDPR that will help prepare you for its rollout. We’ll also mention some choice articles from the Torque archives to further inform you on the subject. Let’s get started!

A Brief History of the General Data Protection Regulation (GDPR)

For the uninitiated, the General Data Protection Regulation (GDPR) is a ‘mutation’ of sorts of the previous data protection legislation and the EU Cookie Law. The latter is a European Union directive stating that site owners need to declare the use of cookies to visitors. However, the GDPR takes things further by looking at user privacy and data as a whole.

It contains a complex assortment of guidelines for compliance that ultimately boil down to three simple elements. Users must be given:

  1. The right to access their data.
  2. The right to be forgotten.
  3. A method for porting their data elsewhere if needed.

If your site doesn’t comply with these three requirements, the penalties could be catastrophic. For example, non-compliance could mean incurring a fine of 4 percent of your annual turnover, or up to $25 million.

Essentially, the GDPR is intended to help ensure that users gain more control over their data, and that site owners are more transparent about what they do with the data they collect. With over 50 percent of companies using so-called ‘Big Data’ tactics, the time is ripe for legislation.

The GDPR rollout date is May 25, 2018. For this reason, practically all concerned parties are working hard to ensure that their websites are compliant – including WordPress.

How WordPress Is Handling the Implementation of the GDPR

Given that it currently powers over 30 percent of the web, WordPress is one of the key players when it comes to GDPR compliance. Some users may feel that their WordPress-powered websites are exempt because they simply don’t collect data openly. However, this is incorrect. All WordPress sites collect data by default.

The only real source of news on the GDPR as it relates to WordPress is a constantly updated page on WordPress.com, outlining how Automattic’s business philosophy aligns with the goals of the GDPR. Although we are confident that WordPress is working hard behind the scenes to ensure that the platform is compliant, they have been slow to respond to inquiries from the community regarding the GDPR.

We’ll take a look at the GDPR for WordPress initiative in more detail shortly. For now, what’s important to know is that the whole community is pulling together to make sure WordPress and its outlying elements are all fully compliant.

A Comprehensive List of GDPR-Related Resources

By now, you’ll hopefully understand just how important GDPR compliance is. Given that, you’ll want to use only trustworthy resources when researching the ways you can make sure your site is compliant.

The following list is a guide to reliable GDPR resources. While we recommend starting with this very article, the second place you should go is the official website.

Articles

A comparison between two contrasting viewpoints on the GDPR.
Even the GDPR isn’t safe from Doc Pop’s Torque Toons.

As you may expect, the internet has become pretty obsessed with GDPR-related articles. This means there’s lots of information to assimilate, and no shortage of advice on how to become compliant. Of course, it can be difficult to know where to start (as well as how to tell which articles are reliable).

We’d be remiss if we didn’t mention our own piece on the GDPR initiative, and we’d humbly suggest that it’s a great first step for site owners who are new to the subject. US website owners will also want to check out this piece by PCMag UK. The article covers how the GDPR impacts US users specifically, and why it’s necessary for companies to employ a Data Protection Officer (DPO) to help ensure that GDPR requirements are met.

Finally, you’ll likely want to read up on how Automattic itself is tackling the GDPR. The first port of call here should be the official statement on WordPress.com. WooCommerce users should read this dedicated GDPR page, which also includes some handy additional resources. Although Jetpack has a tag set up specifically for GDPR, the only article within is short and directs to the previously mentioned WordPress.com page.

Tools and Plugins

As for dedicated plugins you can use to help ensure that your site is compliant, there is a smattering of choices (although we expect there will be more in the future). The first plugin you might want to try out is WP GDPR Compliance:

The WP GDPR Compliance plugin.

This plugin lets you add elements to your current form plugin to make sure it’s GDPR-friendly. So far, Contact Form 7, WordPress’ comments, Gravity Forms, and WooCommerce are supported, with more on the way. There’s also a handy checklist included so you can see at a glance what aspects of the form are compliant, and which still need addressing. While reviews thus far have been mixed, it represents the best option currently available.

For a feature-heavy plugin that’s extremely handy for recording how your site is used, you’ll want to look at WP Security Audit Log:

The WP Security Audit Log plugin.

This plugin records every action taken on your website relating to user activity, and we’ve talked about it in our own GDPR article. Needless to say, we’re big fans of the plugin for the flexibility and power it gives you.

Finally, if you’re a developer, you’ll want to make sure your products are also compliant – especially plugins. A good primer on the subject was presented by Heather Burns at WordCamp Belfast in 2016, although you’ll likely want to supplement this with more current information. To actually whip your plugins into shape, check out the GDPR for WordPress initiative:

The GDPR for WordPress logo.

This ultimately lets you work with hooks to provide anchors that tell others where your plugin provides compliance. It’s a project that’s constantly moving forward, and as Kåre Mulvad Steffensen alluded to in this post, its tools should be integrated into the WordPress core within the next couple of revisions.

Conclusion

The GDPR is taking up much of the WordPress community’s focus in 2018, and for good reason. Quite frankly, user data is vital for income. By not protecting it (and the users who gave it to you), you’re doing them a disservice and potentially impacting your own cash flow to boot.

Therefore, keeping up to date with all things related to the GDPR is vital. This post collated a number of resources, articles, and tools to help you guarantee compliance. In our opinion, you’ll want to start at the official website, but also take a look at how the WordPress bigwigs are getting the platform prepared. Developers will also want to check out the community-led initiatives to help you comply with the GDPR.

Do you have any questions about the GDPR or any resources to add? Let us know in the comments section below!

Featured image: TheDigitalArtist.

5 Key Elements of a One-Page Website https://torquemag.io/2018/05/one-page-website-elements/ Mon, 21 May 2018 17:13:52 +0000 https://torquemag.io/?p=83894

The post 5 Key Elements of a One-Page Website appeared first on Torque.

One-page sites are becoming popular in 2018, mainly due to the rise in mobile device browsing and the subsequent need for short, impactful information. They’re also perfect for developers who need to offer a summary of their services to potential clients. However, knowing what to include on a one-page site isn’t always easy.

One-page sites are similar in many respects to landing pages, in that they both feature a prominent Call To Action (CTA) and straightforward contact information. When implemented correctly, a one-page design can turn your sprawling website into a streamlined conversion machine.

In this piece, we’ll provide some examples of one-page websites, look at their key elements – such as a linear hierarchy and an effective CTA – and explain how to build them effectively. Let’s get started!

The Rise of One-Page Websites (And Why You Should Take Notice)

The One Page Love website.
One-page websites are so popular that there are many websites dedicated to showing off their unique elements.

As you’re no doubt aware, the traditional approach to structuring a website is to include many pages, each full of specific content relating to a particular topic. This has always been a solid approach, and can be used to develop a site with a strong structure and hierarchy.

However, mobile browsing among consumers is increasing. For this reason, ease of navigability, speed, and data usage are now prime considerations for improving a site’s User Experience (UX). Having lots of links relating to navigation (and reloading pages whenever the user wants fresh information) can impact traffic negatively. These, of course, are issues that don’t occur on a one-page site.

There are many other benefits of one-page sites that are worth considering. These sites:

  • Take writing for the web to its natural conclusion, given the need for brevity and directness.
  • Are usually lean if created correctly (cramming in too much information will naturally have a bloating effect).
  • Can be useful for funneling readers towards a goal (just like a landing page should be) so they can help you achieve greater conversion rates.

The one-page approach is likely going to appeal to those needing their website to pull ‘double duty’ as a conversion machine. It’s also a good approach for those wanting to create a quick and informative primer for a business venture. That’s why web developers, designers, and other creatives should take notice of this trend.

5 Key Elements of a One-Page Website

Let’s take a look at five elements we consider vital to a compelling, highly converting one-page website. Plus, we’ll explain how each can be used most effectively on your own site.

1. A Linear Structure That Guides the Visitor

The Rise to the 2018 Resolutions Challenge website.
Some sites still use anchored navigation, such as the Rise to the 2018 Resolutions Challenge site.

The structure and hierarchy of any site play a crucial role in its ability to succeed. This is doubly true for one-page sites. Without a linear structure focused on keeping the reader scrolling down the page, a one-page site is completely redundant. As such, structure constitutes the most important element of its design.

Fortunately, achieving the optimal structure in WordPress is simply a matter of choosing the right theme from the start. There are plenty of available options, meaning you’ll likely find something that fits the bill. Coupling this with a quality page builder plugin can help both you and your clients create pages faster.

The Elementor plugin.

We’re partial to Elementor, and it’s a solution we’ve mentioned previously here on Torque. Being able to drag and drop elements will supercharge your ability to develop effective one-page websites.

2. A Prominent Primary Call To Action

While the structure of your site has more to do with its ‘feel’ (in an abstract sense), your Call To Action (CTA) represents the first ‘touch’ element. For the uninitiated, your CTA is essentially what you’d like the visitor to do on your site. This could be to sign up for an email list, make a purchase, or anything else that will further your site’s goals:

call to action shot

Not including a CTA front and center will sap your one-page site of its effectiveness (especially when it comes to conversions). This is why they are frequently used on landing pages, generally accompanied by a ‘hero image’ to further encourage action.

For more information on how to implement stellar CTAs on your site, we recommend checking out Neil Patel’s blog post on the subject. The Kissmetrics posts covering the psychology behind CTAs and how to write them are also worth your time.

3. Concise Descriptions of Your Core Products and Services

It may seem counter-intuitive to put a CTA at the top of your page before leading onto other content, but the sections underneath can provide the backstory of what you’re offering, and explain why you’re in business. Each subsequent section, if implemented correctly, can further add to that story. Your core products and services play an important role here, as they further enhance your site’s ‘scrollability’:

The Cachet website.

It goes without saying that without descriptions of what you’re offering, visitors will have no meaningful reason to convert. You should be able to see how this relates to your initial CTA, and to how the rest of your site is structured.

Of course, you’ll want to keep descriptions concise, designed to match the available space and the overall goal. You’ll also want to focus on the reader’s needs, rather than simply “We do X, Y, and Z…”. For more information on this topic, we recommend Kissmetrics’ excellent piece on how to write product descriptions. ThriveHive also offers more specific advice on writing product and service page content for your site.

4. ‘Humanity’ and Social Proof Markers

Social proof markers inform visitors as to what your business is all about, and how your products impact your already-converted customers. This is a significant leveraging element for many sites, and gives you a way to showcase your business philosophies in a less direct way. It’s also an efficient method for adding a more personable and ‘human’ touch to your site:

The Visual Inspector website.

Unlike a landing page (which typically would not include company information), your one-page site should offer a brief overview of your business, the team, and your overall company ethos. However, when it comes to social proof, there’s much more to consider. Testimonials are the most common example, since they provide an unbiased ‘thumbs up’ from a customer.

You can also include badges and seals related to the security, trustworthiness, reputation, and standing of your website and business. This is especially relevant if you use payment gateways on your site. In fact, this is such an important consideration that we recommend reading a comprehensive article on the subject, such as this one from ConversionXL. It’s well worth taking the time to learn the ins and outs of this powerful, lead-generating technique.

5. Clear and Easy-to-Use Contact Information

After implementing the above steps, your site should be configured for optimal customer appeal. The final step is to give potential customers a way to contact you. Too often these days, we see social media icons in place of a proper contact form. This is not recommended, as it’s a less direct method of communication. If you think about it, visitors are being told to leave your site, head to another location, and send a potentially public message to get in touch. This isn’t ideal from a customer service standpoint.

Instead, implementing an easy-to-use contact form keeps the potential customer on your website. Plus, it gives them a streamlined way to reach you. The simplest way to do this (especially if you’re a WordPress user) is to install a dedicated plugin. Given the wealth of choice available, it can be hard to settle on the right tool. Our recommendation is to try out either Jetpack’s dedicated module, or a plugin such as Ninja Forms:

The Ninja Forms plugin.

When creating your contact form, you’ll want to research some of the most high-converting techniques out there, and then refine and optimize your form accordingly. Since the contact form represents one of the last points in your conversion funnel, it’s important to invest the time needed to optimize it.

Conclusion

Your website is a vital cog in the machine that is your conversion funnel. Simply maintaining a passive ‘calling card’ type of site isn’t going to cut it – at least, not as far as consistent income is concerned. With that in mind, you’ll need to make sure each element of your one-page site is outstanding, as they all play a part in winning new clients.

This post looked at five key elements you’ll need to include on your one-page website. Let’s recap them quickly:

  1. A clear structure that takes readers on a journey from A to Z.
  2. Prominent CTAs that focus the reader’s attention on what you want them to do.
  3. Concise, clear descriptions of your products and services (targeted towards your visitors’ needs).
  4. A human element, and proof from previous customers or clients that you can provide real value.
  5. Easy-to-find contact information that will help visitors transition from potential to paying customers.

Is there an element you think we’ve missed from our list? Let us know about it in the comments section below!

Featured image: skyangel.

The post 5 Key Elements of a One-Page Website appeared first on Torque.

A Breakdown of the OWASP Top 10 Application Security Risks for 2017/18 https://torquemag.io/2018/05/owasp-top-10-application-security-risks/ Mon, 14 May 2018 15:42:08 +0000

The post A Breakdown of the OWASP Top 10 Application Security Risks for 2017/18 appeared first on Torque.
Website security: two words that should be of paramount importance for all site owners. Security is big business online, mainly because it’s so vital that to ignore it can mean catastrophic consequences for your website and its user base. However, some security issues are more pertinent than others – and figuring out what’s most important to focus on is a task with no clear starting point.

Fortunately, the Open Web Application Security Project (OWASP) exists to help improve software security. Recently, this organization published an invaluable top-ten list of security vulnerabilities from the past year (2017). This can give you a valuable head start when it comes to keeping your site, as well as the data it collects, safe and sound.

In this post, we’ll examine these top ten security risks, and outline what you can do to minimize their impact (or eradicate them if possible). However, first let’s take a quick look at OWASP and what it does for online security!

An Introduction to the OWASP

The OWASP logo.

The Open Web Application Security Project (OWASP) is an open-source, not-for-profit organization, committed to helping increase the security of the software we use daily. It’s been active since 2001, and its staff are widely considered to be experts in their field.

OWASP produces its top ten security vulnerabilities on a yearly basis, but that’s not all it does. There are a number of other active projects it runs that concern security. For example, it offers the:

  • WordPress Security Implementation Guideline. This is a comprehensive and constantly-updated guide to making sure your WordPress installation has watertight security. It’s a useful tutorial for preventing malicious intrusions.
  • WordPress Vulnerability Scanner. This tool detects any weak links in your WordPress installation, enabling you to fix them and protect your site from attacks.

You can check out a full list of OWASP projects on the organization’s website. For this piece, however, we’re going to focus on the yearly top ten security risks.

A Breakdown of the OWASP Top 10 Application Security Risks for 2017/18

Assimilating the contents of this top ten list is vital for keeping your website secure. Not paying attention to each risk could lead to intrusions, compromised data, or much worse. We’ll present the list in order from the biggest threat to the least important one (although all are worth paying attention to). Let’s take a look!

1. Injection Flaws

Injection flaws occur when untrusted data is sent as part of a command or query. You’ll find that SQL injection is most common, although other types do exist. In some cases, un-sanitized user data is an entry point, which makes this vulnerability wide-ranging and dangerous.

As you can imagine, the WordPress team takes this issue very seriously. Developers have a set of functions and APIs to help increase protection from unauthorized code injections, as well as to sanitize data correctly. Some users have also gone as far as restricting file type uploads and sizes, which (depending on your needs) can be a smart idea.
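To show what those functions change, here is an added example (not code from WordPress or from the original post): the same lookup written with string concatenation, and then with `$wpdb->prepare()`. The function names and the `orders` table are hypothetical, and the code assumes it is loaded by WordPress, for instance from a plugin file.

```php
<?php
// Added example, not code from WordPress or the original post.
// Assumes it is loaded by WordPress (for instance from a plugin file), so the
// global $wpdb object and the helper functions exist. The function names and
// the "orders" table are hypothetical.

/**
 * VULNERABLE: the search term is concatenated into the SQL text, so anything
 * the visitor typed is parsed by the database as part of the query.
 */
function demo_find_orders_unsafe( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders';

    return $wpdb->get_results(
        "SELECT id, customer, total FROM {$table} WHERE customer LIKE '%{$term}%'"
    );
}

/**
 * HARDENED: the query text is fixed, and the values travel through
 * $wpdb->prepare() placeholders, which quote and escape them.
 */
function demo_find_orders( $term, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders'; // Built from configuration, never from input.

    // 1. Normalise the input: strip tags, line breaks and extra whitespace,
    //    and clamp the numeric value to a sane range.
    $term  = sanitize_text_field( $term );
    $limit = min( 100, max( 1, absint( $limit ) ) );

    // 2. Escape the LIKE wildcards (% and _) so the term is matched literally.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    // 3. Bind the values: %s is a string placeholder, %d an integer placeholder.
    $sql = $wpdb->prepare(
        "SELECT id, customer, total FROM {$table}
         WHERE customer LIKE %s ORDER BY id DESC LIMIT %d",
        $like,
        $limit
    );

    return $wpdb->get_results( $sql );
}

// Typical call site. Request data is unslashed first, because WordPress adds
// slashes to $_GET and $_POST.
function demo_orders_from_request() {
    $term = isset( $_GET['customer'] ) ? wp_unslash( $_GET['customer'] ) : '';

    return demo_find_orders( $term );
}
```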

2. Authentication Issues

The WC Password Strength Settings plugin can help protect against authentication vulnerabilities.

If administrative accounts fall into the wrong hands, attackers can easily compromise user credentials, such as usernames and passwords. This usually occurs when authentication and session management solutions are implemented incorrectly.

As you may imagine, solving this issue relies heavily on the user in question, although there are things an administrator can do as well. For starters, choosing a solid password is a must, as is setting up multi-factor authentication. Finally, a plugin such as WC Password Strength Settings will help you force users to choose strong passwords.

3. Exposing Sensitive or Personal Data

This vulnerability is very similar to the previous one, although it concerns compromises to user-inputted data. Think about how catastrophic exposing details such as personal addresses and payment information can be – not only for customers but for the business itself.

Fortunately, WordPress provides defenses against this risk out of the box. For example, passwords are salted, hashed, and made strong via the built-in password generator. What’s more, the permissions system takes care of most other entry points.

To heighten security further, you can encrypt data by implementing Secure Sockets Layer (SSL). We’ve previously talked about how to do this, using the open-source and free solution Let’s Encrypt.

4. XML External Entities

This next vulnerability might sound dauntingly complex, so we’ll try and keep the description simple. Essentially, this is an injection-style attack carried out through malicious code, within Extensible Markup Language (XML) files.

The first fix is to simply use a less complex data format than XML where possible (JSON, for example). WordPress actually disables custom XML entities from loading, to help prevent attacks. You can find out more about this complex issue (and how to fix it) directly from OWASP.
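When XML cannot be avoided, the parser itself can refuse entity declarations. The following is an added example (not code from WordPress or from the original post), written as standalone PHP 8; the function name and both sample documents are constructed for illustration.

```php
<?php
// Added example: standalone PHP 8, run from the command line.
// The function name and both sample documents are constructed for illustration.

/**
 * Parse XML from an untrusted source, refusing any document that carries a
 * DOCTYPE, since that is where custom and external entities are declared.
 */
function demo_parse_untrusted_xml( string $xml ): DOMDocument {
    if ( '' === trim( $xml ) ) {
        throw new InvalidArgumentException( 'Empty document' );
    }

    // Collect parser errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors( true );
    $dom      = new DOMDocument();

    // LIBXML_NONET blocks network access while parsing. LIBXML_NOENT and
    // LIBXML_DTDLOAD are deliberately NOT passed: they are the flags that
    // turn on entity substitution and external DTD loading.
    $ok = $dom->loadXML( $xml, LIBXML_NONET );

    libxml_clear_errors();
    libxml_use_internal_errors( $previous );

    if ( ! $ok ) {
        throw new InvalidArgumentException( 'Malformed XML' );
    }
    if ( null !== $dom->doctype ) {
        throw new InvalidArgumentException( 'DOCTYPE declarations are not accepted' );
    }

    return $dom;
}

// Constructed sample input: a plain document, and one that declares an entity.
$samples = array(
    'plain'   => '<order><item>Widget</item></order>',
    'doctype' => '<!DOCTYPE order [<!ENTITY shop "Example Ltd">]>'
        . '<order><item>&shop;</item></order>',
);

foreach ( $samples as $label => $xml ) {
    try {
        $dom  = demo_parse_untrusted_xml( $xml );
        $item = $dom->getElementsByTagName( 'item' )->item( 0 )->textContent;
        printf( "%s: accepted, item = %s\n", $label, $item );
    } catch ( InvalidArgumentException $e ) {
        printf( "%s: rejected (%s)\n", $label, $e->getMessage() );
    }
}
```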

5. Broken Access Control

Much like our earlier discussion about authentication, access controls (i.e. controls that determine user permissions) can also become broken. Of course, a user without correct permissions (more specifically, with more permissions than they should have) could wreak havoc.

Once again, WordPress is coded to help ensure that this issue doesn’t occur. The platform checks for proper authorization before a request is carried out (especially for ‘function-level’ access controls). While this risk is part of the top ten, it’s something you’ll rarely have to worry about.
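Plugin and theme code has to perform the same check itself. The following is an added example (not code from WordPress or from the original post) of a form handler that verifies both intent and permission before acting; the action, nonce and field names are hypothetical, and the file is assumed to be installed as a plugin.

```php
<?php
/**
 * Plugin Name: Demo Access Check
 * Description: Added example, not part of WordPress or the original post.
 */

// The action name, nonce name and field names below are hypothetical.

// Registered for logged-in users only: there is no matching
// admin_post_nopriv_* hook, so anonymous requests never reach the handler.
add_action( 'admin_post_demo_trash_post', 'demo_handle_trash_post' );

function demo_handle_trash_post() {
    // 1. Intent: the request must carry a nonce issued for this action.
    //    check_admin_referer() stops the request if it is missing or invalid.
    check_admin_referer( 'demo_trash_post', 'demo_nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 2. Permission: checked against the specific post, not just the role,
    //    so an Author cannot act on another user's content by changing the ID.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to delete this item.', 'demo-access-check' ),
            '',
            array( 'response' => 403 )
        );
    }

    wp_trash_post( $post_id );

    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

/**
 * Build the form that posts to the handler above.
 * Hiding the button from users without permission is a courtesy only;
 * the handler is what enforces the rule.
 */
function demo_render_trash_form( $post_id ) {
    $post_id = absint( $post_id );

    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return '';
    }

    return sprintf(
        '<form method="post" action="%s">'
        . '<input type="hidden" name="action" value="demo_trash_post">'
        . '<input type="hidden" name="post_id" value="%d">'
        . '%s<button type="submit">%s</button></form>',
        esc_url( admin_url( 'admin-post.php' ) ),
        $post_id,
        wp_nonce_field( 'demo_trash_post', 'demo_nonce', true, false ),
        esc_html__( 'Move to Trash', 'demo-access-check' )
    );
}
```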

6. Misconfigured Security

Misconfigured security issues can be code-related, but you’ll often find that this vulnerability occurs due to user error. Regardless, the consequences are much the same as with other permissions-based vulnerabilities.

The good news is that you can address this risk in a number of simple ways. For example, basic WordPress security – such as not using default usernames and keeping themes and plugins up to date – will protect you. For further peace of mind, you may want to carry out some advanced hardening of WordPress.

7. Cross-Site Scripting (XSS)

Given how much content exists about Cross-Site Scripting (XSS), you’d be forgiven for thinking that it should be higher on this list. It’s part of the ‘injection’ family of vulnerabilities, taking advantage of dynamic site elements to hijack the user’s browser and computer. As such, making sure it’s not an issue is vital for trust and ongoing good relationships with your users.

Given the impact of XSS, WordPress developers work under the hood to make sure that users are protected. For example, content submitted by untrusted users (i.e. those who are not Administrators or Editors) is filtered by default. What’s more, there are a number of functions available to help WordPress developers with validation and escaping of user data.
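Those escaping functions are chosen by output context. The following is an added example (not code from WordPress or from the original post) that renders the same author data without and then with escaping; the function and shortcode names are hypothetical, and the code assumes it is loaded by WordPress.

```php
<?php
// Added example, not code from WordPress or the original post.
// Assumes it is loaded by WordPress (for instance from a plugin file).
// The function names and the shortcode name are hypothetical.

/**
 * VULNERABLE: profile fields are echoed into the page as-is, so markup or
 * script stored in any of them runs in the browser of whoever views the card.
 */
function demo_author_card_unsafe( array $author ) {
    return '<div class="author" title="' . $author['name'] . '">'
        . '<a href="' . $author['url'] . '">' . $author['name'] . '</a>'
        . '<p>' . $author['bio'] . '</p></div>';
}

/**
 * HARDENED: every value is escaped at the point of output, with the function
 * that matches the place it lands in the HTML.
 */
function demo_author_card( array $author ) {
    $name = isset( $author['name'] ) ? (string) $author['name'] : '';
    $url  = isset( $author['url'] ) ? (string) $author['url'] : '';
    $bio  = isset( $author['bio'] ) ? (string) $author['bio'] : '';

    // The bio may keep a little formatting; everything else is stripped.
    $allowed_bio_html = array(
        'a'      => array( 'href' => array() ),
        'em'     => array(),
        'strong' => array(),
    );

    return sprintf(
        '<div class="author" title="%1$s"><a href="%2$s" rel="nofollow">%3$s</a><p>%4$s</p></div>',
        esc_attr( $name ),                 // Inside an attribute value.
        esc_url( $url ),                   // A link target: disallowed protocols are removed.
        esc_html( $name ),                 // Text between tags.
        wp_kses( $bio, $allowed_bio_html ) // Limited HTML from an allow-list.
    );
}

// Usage: [demo_author_card] prints the card for the current post's author.
add_shortcode(
    'demo_author_card',
    function () {
        return demo_author_card(
            array(
                'name' => get_the_author_meta( 'display_name' ),
                'url'  => get_the_author_meta( 'user_url' ),
                'bio'  => get_the_author_meta( 'description' ),
            )
        );
    }
);
```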

8. Insecure Deserialization

This is another complex vulnerability. In short, untrusted data that is being serialized and deserialized is potentially open to exploitation, which can result in data being exposed. This type of data includes caches, databases, API authentication tokens, and more – all common elements of modern WordPress websites.

During our research for this article, we found no real instances of this vulnerability causing problems in the past. That doesn’t mean it should be ignored. In our opinion, however, the fact that we found no examples of this issue is a testament to WordPress’ inherently secure nature.
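For code that does exchange serialized data, the following added example (not code from WordPress or from the original post) shows what PHP's `unserialize()` does with an object payload, and two safer ways to read the same kind of data. It is standalone PHP 7.3 or later; the class, function names, key and sample payload are constructed for illustration.

```php
<?php
// Added example: standalone PHP 7.3+, run from the command line.
// The class, function names, key and sample payload are constructed.

final class DemoCacheEntry {
    public static $wakeups = 0;
    public $value = 'cached';

    // Stand-in for any magic method with side effects.
    public function __wakeup() {
        self::$wakeups++;
    }
}

// Constructed stand-in for bytes read back from a cookie, cache or API response.
$blob = serialize( new DemoCacheEntry() );

// RISKY: the payload chooses which class is instantiated, and that class's
// magic methods run during decoding.
$object = unserialize( $blob );
printf( "default:         %s, magic calls: %d\n", get_class( $object ), DemoCacheEntry::$wakeups );

// SAFER: refuse to instantiate classes. Objects come back as inert
// placeholders and no magic methods run.
DemoCacheEntry::$wakeups = 0;
$inert = unserialize( $blob, array( 'allowed_classes' => false ) );
printf( "allowed_classes: %s, magic calls: %d\n", get_class( $inert ), DemoCacheEntry::$wakeups );

// SAFEST: exchange plain data as JSON and authenticate it with an HMAC, so a
// modified payload is rejected before it is decoded.
function demo_pack( array $data, string $key ): string {
    $json = json_encode( $data, JSON_THROW_ON_ERROR );

    return hash_hmac( 'sha256', $json, $key ) . '.' . base64_encode( $json );
}

function demo_unpack( string $blob, string $key ): array {
    $parts = explode( '.', $blob, 2 );
    if ( 2 !== count( $parts ) ) {
        throw new UnexpectedValueException( 'Unexpected payload format' );
    }

    list( $mac, $encoded ) = $parts;
    $json                  = base64_decode( $encoded, true );

    // hash_equals() compares in constant time.
    if ( false === $json || ! hash_equals( hash_hmac( 'sha256', $json, $key ), $mac ) ) {
        throw new UnexpectedValueException( 'Payload failed the integrity check' );
    }

    $data = json_decode( $json, true, 512, JSON_THROW_ON_ERROR );
    if ( ! is_array( $data ) ) {
        throw new UnexpectedValueException( 'Payload is not an object or list' );
    }

    return $data;
}

$key    = random_bytes( 32 ); // In a real site this is a stored secret.
$packed = demo_pack( array( 'value' => 'cached' ), $key );
printf( "signed JSON:     value = %s\n", demo_unpack( $packed, $key )['value'] );

try {
    demo_unpack( $packed . 'x', $key ); // Any change to the payload breaks the MAC.
} catch ( UnexpectedValueException $e ) {
    printf( "modified JSON:   rejected (%s)\n", $e->getMessage() );
}
```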

9. Insecure Themes, Plugins, and Other Components

It’s easy to forget that many elements of WordPress – themes, plugins, etc. – can potentially compromise your site. Any of the vulnerabilities on this list can be caused by a poorly coded theme or plugin, so extending your concerns to the tools you’re using is crucial.

Fortunately, plugins and themes found in WordPress’ directories have already been checked for quality, so they shouldn’t cause problems. However, this quality assurance isn’t foolproof. We recommend carrying out a thorough check of your own, using a site such as WPScan’s Vulnerability Database, before installing any tool on your site:

WP Scan's WordPress Vulnerability Database.

For additional peace of mind, WordPress also monitors the libraries and frameworks it contains for exploits. In some cases, it will patch third-party tools to help keep users safe.

10. Insufficient Logging and Monitoring of Your Site and Its Data

Our final vulnerability isn’t actually a direct exploit, although it can do just as much harm to your website. If you fall victim to any of the above vulnerabilities, you may not even be aware of it if you aren’t monitoring and logging what happens on your site. This leaves your site open to even more malicious attacks and can erode any trust you’ve gained with your user base.

This is a subject we’ve touched on before when talking about how to comply with the General Data Protection Regulation (GDPR). Ultimately, using a quality security logging plugin such as WP Security Audit Log should be a priority:

The WP Security Audit Log plugin.

This plugin logs practically every action taken on your website, and should become a central component of a regular security routine. In a nutshell, if an action looks out of place in the log, investigating it thoroughly can unearth any exploited vulnerabilities. This means you can deal with them before they result in catastrophe.

Conclusion

Security should be of paramount importance for any website admin. However, knowing which areas to pay the most attention to can be tough – and if you choose poorly, the consequences could be severe for both you and your users.

The OWASP initiative comes to the rescue on this front, as this organization produces an annual report breaking down the top ten vulnerabilities you should pay attention to. For WordPress users, many of these risks can be contained using plugins such as Wordfence and WP Security Audit Log. Others (such as not using insecure themes and plugins) are solely down to you and your conscientiousness. Either way, keeping tabs on these security risks should be an ongoing concern.

Do you have any questions about the top ten security vulnerabilities and how they can affect you? Let us know in the comments section below!

Featured image: TanteTati.

How to Translate Your WordPress Website Using the Weglot Translate Plugin https://torquemag.io/2018/05/translate-your-wordpress-website-weglot-translate/ Mon, 07 May 2018 15:49:38 +0000

The post How to Translate Your WordPress Website Using the Weglot Translate Plugin appeared first on Torque.
Translating your WordPress website into other languages is a smart way to reach a wider audience and increase your traffic. If your site is only available in a single language, you could be losing out on a lot of potential leads and conversions.

Fortunately, you don’t need to speak multiple languages to translate your site – the process of doing so is simple with the Weglot Translate plugin. Using this, you can automatically translate every part of your WordPress site, and manually fine-tune your translations in a snap.

In this article, we’ll discuss why you might want to translate your website. Then we’ll introduce the Weglot Translate plugin and its key features, and walk you through how to use it to add more languages to your site. We’ll also explore some of the plugin’s key customization options. Let’s get started!

Why You Should Translate Your WordPress Website

It’s estimated that there are nearly 7,000 different languages in the world, and yet over half of all websites use just a single one: English. This makes some degree of sense, as it’s the language most commonly spoken by internet users. However, it’s far from the only one. In terms of the number of speakers, it’s almost tied with Chinese, which appears on less than 2 percent of all websites. Similarly, while half a billion users speak Spanish, only just over 5 percent of sites use the language.

In a nutshell, by only delivering your site in English, you’re effectively limiting its scope. If your site has an international focus, such as an e-commerce business, you shouldn’t expect all users to be fluent in a single language. Therefore, many sites are taking steps to provide translated content in order to become more welcoming to a wider audience. For example, WordPress has its Polyglots team, who are working to translate the platform into as many languages as possible.

Beyond making your site more accessible, translating it also has a number of benefits for you:

With all this in mind, you should think about making your site more international. However, before you do, let’s look at some key considerations.

What You Need to Consider Before Translating Your Site

Before you translate your site, there are some things you should bear in mind. First, you need to think about implementation and compatibility. We’ll discuss this in more detail later, but you need to use a solution that is easy to implement on your site, such as a WordPress plugin.

You also need to consider which languages you want to use. This can be done by investigating your site’s analytics to see where your visitors are based. You should also perform keyword research with a focus on multilingual keywords. This should give you a solid idea of who your visitors are, and which languages may help you grow your audience.

We also recommend researching ‘language pairs’. Basically, this is a combination of the language your content is currently in, and the potential translated language. In short, consider the most common language pairs and which ones make the most sense for your site.

Finally, you need to find a translation solution that works for you. Let’s look at some right now.

A Look at WordPress-Specific Translation Solutions

The most basic way you can translate your website is to simply hire a translator. While this can yield good results, it’s not without problems. You’d likely need a translator for each language you’d like to use, which can get expensive. If your site is quite big, it would also take a significant amount of time, not to mention the upkeep as your site grows.

A more efficient option is to use machine translation. If you’ve ever used Google Translate, you’ll be familiar with the concept. Essentially, this is an automatic process that translates your site without human interaction. This is a lot less time-consuming and often cheaper, but it’s also notoriously imperfect. For this reason, you need to ensure the solution you use enables you to customize the generated translations.

There are several WordPress plugins you can use, such as Weglot Translate, WPML, and Polylang. You need to make sure the plugin you choose is compatible with both your site and your other plugins. For instance, if your site runs WooCommerce and your plugin is incompatible, large chunks of content will be left untranslated.

Introducing Weglot Translate

The Weglot Translate plugin.

Weglot Translate is a plugin that enables you to automatically create a fully-translated version of your entire WordPress site. This plugin is one of the easiest options available to use and can translate your site in seconds. It offers over 100 different languages and is fully compatible with all themes and plugins, including e-commerce solutions such as WooCommerce. Weglot also has links to professional translators, giving you the option of ordering translations if required.

Key Features

  • Translates your entire WordPress site and is fully compatible with any theme or plugin, including WooCommerce.
  • Requires minimal configuration due to the quick plug-and-play setup.
  • Automatically applies Google’s SEO best practices for multilingual pages.
  • Gives you full control over your content and translations, enabling easy collaboration.

Price: Weglot offers a free version and several premium plans, starting at around $12 (€9.90) per month.

How to Translate Your WordPress Website Using the Weglot Translate Plugin

Let’s now put all of this theory into practice by translating a site using Weglot Translate. We’ll be using a site running WooCommerce and the Storefront theme, but Weglot Translate is compatible with all WordPress sites, regardless of theme and plugins.

Our site is currently only available in English but we want to create a version in Swedish. Here’s the original site:

A WordPress site running WooCommerce and featuring sample products.

To start, you’ll need to download, install, and activate the Weglot Translate plugin from the WordPress.org Plugin Directory.

Installing the Weglot plugin.

Next, you’ll need an API key, which you can get for free by signing up for a Weglot account. You’ll see your API key appear, as well as a link to your personal dashboard. We’ll return to that in a minute, but for now, copy your key and return to your WordPress site.

A Weglot API key.

Click on the new Weglot option in your WordPress dashboard, and you’ll be taken to your translation configuration page. Here, you can create new translations for your site and determine how it will appear within WordPress:

The Weglot translation configuration page in WordPress.

Start by pasting your API key in the first field, then begin creating your first translation. Keep the original language set to English and then select Swedish as the Destination Language.

The next section lets you determine how the language selector will appear on your site. You can set its appearance, and also where it should appear on your pages by default:

Configuring the Weglot language selector.

Finally, you can add exclusions to restrict translations to certain parts of your site:

Setting the translation exclusions.

Click Save Changes when you’re done and your site will now be multilingual! In order to check out the result, open your site and find the selector you created. By default, it will appear in the bottom-right corner:

The language selector as it appears in the bottom-right corner of a page.

Select Swedish and the site will load with a new extension to the URL that represents the language. In this case, /sv/.

The Swedish translation of the original site.

This is looking great, but because the translation is automatic it may need some minor fine-tuning to get it perfect. You can do this easily by returning to your Weglot dashboard, which you can access via the Main configuration page in WordPress:

Accessing the Weglot dashboard from WordPress.

Click Edit my translations to access your dashboard. Here you can click Translations List to see all of the translated elements on your site:

The Weglot translations dashboard.

You can see that all elements have been machine-translated, but you can edit one by simply selecting the translation and typing in a replacement.

Updating a translation in Weglot.

You’ll notice that the translated element will be saved automatically and marked as Human reviewed. It will also be updated in real-time on your site:

The updated element as it appears on the site.

You can also use the Weglot Visual Editor to add and edit translations directly on your page.

Weglot's Visual editor.

When you click Start Editing, your current site will load. By hovering over any page element, you will notice a green button overlay appear:

Weglot's live editing feature.

You can click this to add or edit a translation for the selected element. A pop-up will appear where you’ll see the original text and the current translation:

The "Human Reviewed" designation in Weglot Translate.

Change this to your requirements, then click OK to save. The new translation will appear immediately on your site, just like before. With that, we’ve created an entirely new translation for our site! Of course, you should repeat this for however many languages you’d like to translate for.

Conclusion

Translating your site into multiple languages might seem like an impossible goal, especially if you’re not multilingual yourself. However, thanks to the Weglot Translate plugin, you can quickly create a site that reaps all the benefits of catering to non-native speakers, without the time commitment and hassle.

In this article, we’ve discussed these benefits in full, including how it enables you to reach a broader international audience, and increase your SEO rankings and conversions. We recommend taking time to consider which languages your site would benefit from, then using Weglot Translate to add translations to your site with ease!

Do you have any questions about translating your WordPress website? Let us know in the comments section below!

Image credit: geralt.

A Simple Guide to WordPress Starter Themes https://torquemag.io/2018/04/wordpress-starter-themes/ Mon, 30 Apr 2018 15:00:31 +0000

The post A Simple Guide to WordPress Starter Themes appeared first on Torque.
Starting completely from scratch when developing themes naturally means that you are free to do anything you’d like. This opens up plenty of room for creative freedom, but getting started can take up a lot of time. Many of the initial tasks you’ll carry out are necessary, yet time-intensive.

The good news is that WordPress ‘starter’ themes or frameworks (also called ‘blank’ themes) can do some of the initial heavy lifting for you. This is because they include foundational base code for you to work from. They can help you implement essential functionality, and start you off with some best practices relevant to the task at hand.

In this article, we’ll discuss what starter themes are and why they can be so useful. Next, we’ll run through some of the top performers, such as Underscores, FoundationPress, and Bones. Let’s dive in!

An Introduction to Starter Themes

For the uninitiated, a starter theme – otherwise known as a ‘blank’ theme – provides a basic skeleton you can develop on top of. However, unlike standard WordPress themes, they only include very basic structural code. There’s just enough there to get the theme to work, and let you implement any foundational functionality. They’re also not meant to be used as parent themes themselves, but as the basis for your parent theme.

Starter themes can be extremely handy for development purposes. Here are just a few of the reasons why:

  • You get a head start on coding the essential foundations of your theme.
  • They provide insight into the best practices you’ll want to follow.
  • You have the flexibility to code a custom theme, while still getting a quality base to work from.

Of course, no starter theme is perfect, and you’ll need to consider a few things before deciding whether it’s worth using one. For example, you’ll still be playing by another developer’s rules, and they get to decide what functionality is considered foundational. This means the theme could be packed with snippets that don’t actually help you create the kind of theme you need.

In addition, you may still need some time to pick through the code to get a handle on what the theme does out of the box. Of course, starter themes aren’t necessarily ready to roll by default, which can be a confusing concept to grasp at times.

All the same, unless you’re working with a particular theme (for example, we’ve seen developers using themes such as Divi and Avada as their base), we think starter themes are an excellent tool for the majority of WordPress developers. If you decide to implement one, the next important question is which to choose.

5 Top WordPress Starter Themes to Consider for Your Next Project

In another article here on Torque, we looked briefly at a larger collection of starter themes. However, we’ll now take some of the standout options and examine them more closely. The solutions in the list below are mostly free, but we’ll clearly mention when there’s a price involved.

Let’s start with a theme that definitely has the WordPress seal of approval.

1. Underscores

The Underscores theme.

Underscores is arguably the best-known starter theme available. It’s developed and maintained by Automattic (i.e. WordPress’ developers), and was originally a fork of the Toolbox theme. The tagline for Underscores is that it offers you a “1,000-hour head start” when developing themes.

In fact, every default theme worked on by WordPress (from Twenty Twelve onward) uses Underscores as a base:

The Twenty Twelve theme.

Of course, the main selling point here is that you’re getting WordPress’ best practices in one handy package. It’s going to be simple, therefore, to create a valid theme based on WordPress’ requirements. However, unless you have some deft coding chops, it’s also very easy to accidentally create another ‘me too’ WordPress theme.

If you’re interested in trying out Underscores, we previously published The Beginner’s Guide to Creating a Theme With Underscores, which does exactly what it says on the box. You may also want to look at the WordPress Theme Development Guide, as this will also show you how the code is structured at a base level.

2. FoundationPress

The FoundationPress website.

Next up, FoundationPress is an open-source starter theme built on Foundation 6, which uses SASS and Grunt. It was released in 2013, continues to be regularly updated by a community of developers, and is billed as the “most advanced mobile-first framework in the world”.

You’ll usually see FoundationPress used to develop custom themes for specific businesses and groups. The GitHub page has a showcase outlining the many websites currently using the starter theme. This includes the Harvard Center for Green Buildings and Cities:

The Harvard Center for Green Buildings and Cities website.

This theme is ideal if you’re looking to develop for business-specific purposes. On the flip side, that means there aren’t as many themes you can download to get a feel for how FoundationPress is used in the ‘real-world’. Your best bet is to take a look at the Kitchen Sink template, and read through the theme’s thorough documentation.

3. Bones

The Bones website.

Bones is another free, mobile-first starter theme with built-in SASS integration. However, the primary focus here is on speed. For example, Bones comes with a light header out of the box, which is in contrast to many other WordPress starter themes. What’s more, it gives you a ‘leg-up’ when getting to know its inner workings. That’s because Bones comes pre-loaded with custom dashboard functions and post types, so you can see how they work by default.

While ease of use is a perk of Bones, this also presents some drawbacks. Given the amount of helpful code included by default, more experienced users of the theme may be annoyed at having to strip away all the elements they don’t need. There’s also no showcase available, which makes it difficult to determine how Bones will translate into a real-world theme.

Even so, following a decent tutorial can help you have a working theme ready in a flash. Getting hands-on immediately is never a bad thing when it comes to a new tool, and Bones makes it very simple to do that.

4. The Genesis Framework

The StudioPress website.

For our penultimate theme, we’re going off the beaten track to look at a ‘framework’ – more specifically, the Genesis Framework. This is the only premium solution on our list (with plans starting at $60), and it requires you to develop using child themes rather than editing the framework directly. Even so, it’s probably the most developer-friendly theme on this list. Plus, it uses WordPress’ hooks to assist you in creating your themes.

There’s a burgeoning market for Genesis child themes. You’ll find a plethora of examples on the StudioPress website, along with third-party developers offering their own themes (such as Imagely):

An example of a Genesis child theme.

Without a doubt, the wealth of resources and documentation available is a stand-out benefit of Genesis. Developers such as Carrie Dils are well experienced with the framework, and her Lynda portfolio contains a number of Genesis-specific courses worth checking out. However, there is a cost involved. Also, the need to develop child themes for use with the framework can translate into extra hassle that a client may not want.

As we mentioned, Carrie Dils is the go-to Genesis queen. As far as we’re concerned, her courses on Learning Genesis for WordPress and WordPress and Genesis: Building Child Themes From Scratch can be considered the ‘gospel’ for developing with this framework.

5. HTML5 Blank

The HTML5 Blank theme.

HTML5 Blank rounds off our list, and is no less powerful than some of the other options. It’s an open-source theme, similar to Bones and FoundationPress, but it prides itself on delivering a simple way to convert standard HTML and CSS into WordPress.

Unfortunately, much like some of the other starter themes on this list, HTML5 Blank doesn’t have a showcase. So finding real-world success stories can be tough. However, the theme does follow WordPress’ coding standards, and the GitHub profile contains plenty to sink your teeth into when beginning your development.

HTML5 Blank is the only theme on this list to have little third-party documentation available on how to get started with it. That’s a shame, because it has a lot of support and can be an excellent tool. If you are a beginner to starter themes, however, you may need to look elsewhere to get your feet wet.

Conclusion

Using WordPress starter themes in your workflow can help you create a ready-to-go WordPress theme in less time than if you started completely from scratch. For this reason, they should be a go-to development tool, regardless of your expertise.

This piece has looked at five of the top starter themes available. Let’s quickly recap each one:

  1. Underscores: Automattic’s offering is a great option, regardless of your initial expertise.
  2. FoundationPress: This is a mobile-friendly, open-source starter theme that’s great when creating custom themes for specific purposes.
  3. Bones: This is arguably the best beginner theme on the list, given the wealth of handy tips and advice it provides.
  4. Genesis: The only premium option here, this framework has the backing of some of WordPress’ biggest names.
  5. HTML5 Blank: Finally, this is a bare-bones starter theme that will help translate standard HTML into WordPress-friendly code.

Do you have any questions about how to use starter themes, or have a suggestion for one we’ve missed? Let us know in the comments section below!

Featured image: strecosa.
