WordPress has gone from strength to strength, being widely regarded as one of the most flexible powerful CMS packages on the market. According to BuiltWith.com 26% of the top 10k websites are using WordPress, so a good understanding of how to customise and optimise should be on every digital marketers skill list.
4 Experts in WordPress
- Andy Veal
- David Lockie
- Jono Alderson
- Allyn Thomas
The four guys I persuaded to contribute to this post I have seen first hand their knowledge and understanding of the platform is incredible. In 2016 I worked closely with Allyn at Just Eat on global WordPress templates, TakeItOffline (TIO) has as part of the team a true Web “Guru” (Andy Veal), Jono is an old friend of mine one who is attending the TIO January technical event and finally David Lockie who I first came across many many years ago has been my goto guy when anyone needed a commercial WordPress company.
Choosing a theme
One thing I have realised after setting up half a dozen blogs is that theme choice is actually important, with some having some awesome features but others limit the functionality built into WordPress, critically some are riddled with spam and security issues. Other than being responsive, what else should you look out for?
Jono – “It depends on what you’re building, and your long-term plan. If you’re building a conventional blog, it’s not unfeasible that you might want to periodically update the look and feel; in which case, as long as you’re picking something which is well-built and flexible (you can use the Theme Check plugin to evaluate how well it adheres to WP standards), it doesn’t really matter. You want to maintain a clear separation of theme functionality and plugin/widget functionality, so that if you change either, your whole site doesn’t fall down – so I’d avoid themes which try and add too much plugin-like behaviour (e.g., themes which come with customisation settings which change functionality, behaviour, etc, rather than just look and feel). However, if you’re building a business site – something more than just a blog, which doesn’t just have ‘recent blog posts’ and paginated series of posts – you probably want to be building your own theme from scratch (or, as a child of a framework theme, like Genesis, for example).”
Allyn – “Before looking for a theme, or getting a custom theme made, the kind of content needed for your website should be the first thought. Some themes work great for simple blog updates, but ill suited to lots of static, design heavy pages. There are also themes that try to do it all but are often bloated with features that you’ll never need to use. They may even load extra css and js that then goes unused, slowing down pages but most people won’t know this is happening to their website. By knowing what you want on your site you can easily narrow down your choice of theme from thousands to a handful. If you can work a dev console it’s worth checking what the theme is loading in and crucially how big the first load of your landing pages are and the loading time of each asset.”
David – “For sure theme choice is a critical decision. There are basically three types of theme:
- available from the wordpress.org themes repo. These themes have been through a review process, free (or freemium) and updates are directly available through the WP repo;
- from commercial marketplaces such as Themeforest
- custom coded (either from scratch or based on a framework like Genesis, Sage or _s. Our recommendation usually comes down to a distillation combination of budget, timescale, requirements and fit (availability of a theme that does exactly what you need anyway). Often one of those factors determines the choice, but sometimes it’s just a judgement call and recommendation to the client. Whichever route you go down, it’s important to ensure your client understands the options.”
Andy – “I often find people find a theme, download it and then are disappointed when they see it on their website. Just because you’ve seen the demo – doesn’t mean it’s going to match directly.
As Allyn mentions, before you get to the theme stage, you need to have a rough plan of your content. What pages you plan to have, how much copy is going on each page, potential feature image, or a gallery, or a form, or whatever! From that idea, you can then go and find your perfect theme. Being a Web Dev, I’m a little bias and prefer a custom coded theme, _s or FoundationPress. Themeforest marketplace is definitely my favourite commercial website – it’s pretty much got every kind of theme out there.”
Choosing plugins
Plugins are core to WordPress functionality, the most famous being Yoast for SEO which is typically one of the first I install onto every installation, that said I am increasingly becoming a fan of hardcoding rather than using plugins, that way maintenance, security and spam risks are reduced.
Any plugin recommendations, and anything to avoid?
Jono – “there’s always a line between want and need, and tradeoffs on performance overheads and complexity. For functionality which just affects content, layout and the front-end (shortcodes, CSS/JS, etc), you might want to consider hard-coding into your theme so that you can take minimise impact. Chances are that the functionality you want to add relates closely to the layout, look and feel of your site, so it’s fine to tie the functionality directly into that. However, there are some meaty back-end plugins which overhaul or enhance large areas of WP functionality (or add capabilities, or provide frameworks to build on) which you should definitely be taking advantage of, which don’t make sense to try and replicate yourself. Some of my favourites are
- WP Rocket,
- Query Monitor,
- Advanced Custom Fields (pro),
- EWWW Image Optimizer,
- Redirection, Sucuri Security,
- WP LESS,
- WP SMTP Mail.
Allyn – “When needing to add a new feature to a WordPress site I first look to see what plugins that are available that may do the job needed. If I’m lucky enough to find one that matches my requirements I always take a look under the hood, check how many additional files are added, how heavy it is and to make sure it doesn’t break any other part of my theme. If I find something that’s both inexpensive on performance and does the job I’m not going to make life harder for myself, I’m going to use it. However, a feature may be needed that requires a lot of dev time that I don’t have, and the person needing the feature needs it yesterday. I’ll begrudgingly install a plugin that is bloated with more features than I need and look to develop my own version that works better with the theme at a later time.
Plugins I have found that do the trick are “simple image sizes” for managing image sizes and resizing old images to work with a new theme –
- Yoast for seo,
- Hide post – for managing post and page visibility across the website,
- Delicious brains aws offload – for moving assets into a cdn and
- wp smush – for compressing images.
David – “crikey that’s a hard one. So massively dependent on requirements. There are some good ones already listed.”
Andy – “My favourites have already been mentioned, definitely wp-smush, yoast, securi. Backupbuddy is really good too (you’d want your web-host to be doing backups too!). I always recommend to try and not stuff the website full of plugins – there are some simple ones out there that can provide functionality in about three lines that could just be added to your functions.php file instead of having a plugin that loads an interface to manage something that you’ll never change (as well as loading a CSS & JS file on every page load too)”
Security
HTTPS has now gone from being something that is an optional recommendation to a must have, 2017 will see most new sites being HTTPS first rather than migrating over later – in WordPress this doesn’t typically create any issues, but migrating over is more challenging.
One big issue with WordPress is the sheer volume of sites that run on it, as such it becomes a target for dedicated hackers, any recommendations on WordPress security ?
Jono – “I run a whole bunch of stuff, including Securi (for filesystem scans, detecting compromised files, etc), and a couple of backup services (including Vaultpress) to make sure that if the worst does happen, I can roll back quickly and mitigate any damage done. I’m also a huge fan of Cloudflare for just blocking a whole bunch of nasty requests before they even hit the site. You also want to be micro-managing your Apache and PHP configs (through something like WHM, for ease of use), which is a good excuse to get off shared hosting and into an environment which you control. Also, that HTTP to HTTPS migration is ‘challenging’ is a bit of a myth; the only real barrier is if you’re reliant on ad networks which don’t have a great fill rate for secure resources (but if that’s the case, you’ve got a bigger problem with your ad network quality), or if your site has been built in a way which leaves protocol-specific references everywhere… In which case your challenge is site maintenance, not HTTPS specifically…”
Allyn – “Some tips I’ve picked up. Making the theme load assets protocoless, so the theme is https ready but websites that don’t yet have https can still run the theme. All front end side calls to the server should run through admin-ajax.php. Never directly access the db. Keeping WordPress up to date when you can but this isn’t always possible if running an old version of php on a server you can’t update.”
David – “We’ve always (well, since like 2012 relied on a managed hosting platform to provide a strong core security stance. Whenever we’ve done security testing on WordPress sites on non-managed hosting e.g. AWS, the security issues that come back are all around web server / infrastructure config. A managed provider like WP Engine has that stuff locked down and tested regularly.
There are tons of other things to do and additional layers of network security like Cloudflare and Sucuri WAF offer, and additional lock-down/monitor/out plugins like Sucuri, Limit Login Attempts, iThemes Security, etc. Don’t forget updates. The Panama Papers initial network entry point was apparently through a non-updated plugin. Don’t forget that often theme/plugin licenses give you access to updates – if you don’t renew your licenses you might not realise you have vulnerable versions on your site. Also, just don’t install anything you don’t need!”
Andy – “Updates. Just get them done. That includes the theme! If you’ve got any disabled plugins, just delete them. You can reinstall them later down the line if you need to… As David mentioned, a good host is a key. Their security is your security, so you want to do your research. If you’re not that technical, there are some great ones out there that do a little bit more to keep you upto date and secure. The folks at 34sp.com are on the pulse with regards to security! Sucuri is amazing for security, for those technical, I’d recommend wp-scan for checking your site over. I also recommend subscribing to wpvulndb.com, it sends out an email blast when an vulnerability is published – useful if you know the list of plugins off the top of your head.”
Speed & AMP
Out of the box WordPress is typically fairly fast, but with a few plugins, a heavier theme and some large images it can rapidly slow to a crawl. I have seen and read a lot of posts on using cloudflare, utilising CDNs and with Google pushing for more mobile AMP based content. Any tips for lightning fast WordPress?
Jono – “I recently migrated from W3 Total Cache to WP Rocket, and I’m still on the fence. Both are great at building and maintaining a static HTML version of the site (which is an absolute must), as well as heavily caching requests and objects – but both come with drawbacks. W3 Total Cache has a lot more flexibility in its config, but is poorly maintained. WP Rocket is very well supported, but less transparent and configurable. Those aside, Cloudflare or similar is a must, for a whole bunch of reasons (reduced latency to origin, caching of resources, header optimisation, etc). Also, a lot of people are finding that TTFB (time until first byte) is increasingly their biggest bottleneck, so exploring things like upgrading to PHP 7 (and using object-orientated rather than procedural PHP), making better use of indexes in MySQL tables, and optimising the way in which WP templates and themes buffer and output and lead to big wins. If you want to get really deep, look into micromanaging things like WP’s use of admin-ajax.php, your Heartbeat configuration, your use of cron jobs (both virtual and system), and transient storage/expiry. Plugins like Query Monitor give you a great starting place to spot bottlenecks and opportunities.”
Allyn – “I’ve been working through google’s recommendations on page speed insights. My theme for Just Eat now loads all js and css async and only files based on configured features. There’s a small amount of css inlined in the head for above the fold rendering and minifying html as well as css and js. WordPress isn’t configured well to work with google’s page speed tests and as a big part of ranking I’d like to see WordPress deal with this natively. CDN for images are a great way to lighten a server and speed up a page and delicious brains has a great plugin for handling this. It’ll also handle js and css too, but this is where it becomes more difficult, as the caching on the CDN and the server running WordPress may not sync up making it difficult to update without something breaking.”
David – “Again, a vote for a managed platform. WP Engine has multiple layers of caching and performance engineering (database objects, NGINX, Varnish and CDN integration for starters). For the cost difference, unless you love messing with sysadmin stuff, the extra cost saves so much time. Be very aware that as soon as you have a user login, the caching is for nothing. So if you’re running a membership site or WooCommerce, or any other stateful WordPress site, you’ll need to pay for much heavier hosting. For static-ish sites, just cache the living heck out of it and then you don’t need to worry about WordPress speed, just the speed of your cache.”
Andy – “PHP7, as Jono said is an instant speed increaser. CDNs are often overlooked, most have a plugin available to make everything easier, plus they’re not expensive; it’s definitely something I’d recommend over time! Get some caching setup, David’s covered that above! Compressing is pretty key.
I bloody love AMP – get on that bandwagon, with WordPress it’s pretty simple as Automattic have released a plugin!”
Whats next for WordPress
David – REST API, more automated testing, more command line control.
Andy – If you haven’t seen the Twenty Seventeen theme that shipped with 4.7, I’d take a look at that – the video header is pretty kool. Check out the REST API too – there is more development planned on it and it’s going to be used more and more. Oh, and the WYSIWYG editor is going to be worked on…
Thanks to …
Jono Alderson @jonoalderson
Now working at Distilled as a Principal Consultant and with over a decade of experience in SEO, CRO and web development is well known for talking at conferences on everything from futurology to data. Jono is an obsessive organiser, gin drinking techie and a rabid karaoke addict. He also founded Days Of The Year and you can hear him talk everywhere including search elite.
Allyn Thomas @iamallyniam
Allyn Thomas has been working with Just Eat for two years, as a developer and designer, prior to that Allyn developed Flash games, mobile apps and more – but I believe his secret passion lies in cartoons. Recently Allyn became a father and he is also Welsh, that bit I believe is less recent (I probably should have asked Allyn to write his own bio, as I am terrible at these!).
David Lockie @divydovy
David Lockie is the Founder and Director of Pragmatic which he set up in January 2012 after freelancing as a WordPress Developer for a number of years. David loves delivering websites that add value to businesses and organisations and has been invited to speak at international conferences WordCamp and WordSesh, sharing his insights on becoming a successful WordPress freelancer and revealing how WordPress can save the world.
Andy Veal @AndyVeal
Andy Veal is a freelance Web Developer and part of the TIO team. He’s usually knee deep in some code, whether it be PHP or Ruby; trying to make everything run at lightspeed. He loves a post-it note and always wins at rock paper lizard scissors spock.
