How to Install and Activate Hyper Cache Extended

wplang in wp-config file manager cpanel

To me Hyper Cache Extended is the best cache plugin ever! It makes your site fast and saves you money by allowing you to use shared hosting when you technically should be paying for dedicated server). Although Hyper Cache extended is easy to use, if you are new to WordPress and cPanel you might get confused when this plugin will request to edit wp-config.php file. This is a quick post to explain you how to use it.

After installing and activating Hyper Cache extended, go to cPanel –> File Manager (NOT Legacy File Manager).

file manager

Click on that, choose web root (public_html) and click Go.

choose directory cpanel

Now you will see all WordPress files. You will need to find wp-config.php (NOT wp-config-sample.php)

wp-config in file manager cpanel

Before you do any changes to wp-config back it up by downloading or copying and pasting it to plain text editor. This is VERY important, because any mistake there and you are offline until you figure out what you did wrong. If you have backup, you can simply reupload it immediately and you are back online, although I hope you will not need to do this.

Open wp-config.php (right click + Edit) and find the line that says:

 * For developers: WordPress debugging mode.

Paste the code just BEFORE it:

define("WP_CACHE", true);

like this:

hyper cache

Click Save. Semicolon is MEANT to be there too, so don’t forget it. And please do not copy code from this site, copy it from your dashboard.

Refresh your site and see if it works OK to make sure you didn’t mess it up accidentally.

Please be careful not to add any extra space anywhere in that file or erase something accidentally.

Then go back to your WordPress dashboard and find Hyper Cache Extended plugin settings, review them and see if you want to change anything. For example, you can exclude some pages from caching. I exclude my upcoming sales page so people can see changes I do there immediately. If you don’t have anything like that just save on default and it should be fine. You are done! It will take anywhere from a few minutes to a couple of hours for you to notice changes in speed, because it generates cache page by page.

Some of you may notice that Hyper Cache Extended actually tells you to paste its code before define('WPLANG', '');. The reason why we don’t do that anymore is because the latest version of WordPress doesn’t have that line. If you have an older version with define('WPLANG', '');, then of course go ahead an paste it right after it. Here is how it was supposed to look in older versions of wp-config.php:

So that you understand better what happens, WP is driven by database. Right now every time you load a page php code in your cPanel has to communicate to database and pull data every single time you load page. This makes your site slow and is also bad for resources. If you don’t have much traffic you won’t notice any difference, but for moderately high to higher traffic sites it is difference between paying $10 a month hosting and $120 a month hosting.

What this plugin does is it generates a static version of every page and presents it to visitor every time somebody tries to load your page. That is much faster and better for everyone – you, your host, your visitor and Google rankings. You should also know that this means that because your page is cached, when you make some changes to it, your visitors will not see them immediately. If you keep settings on default, your visitors will see new changes only after about 24 hours. If you make an important change you want everyone to see immediately, you can always go to Hyper Cache Extended settings and clear cache, but don’t do it too often. Only when necessary.

Do not install any other cache plugins when you have this one. You should only have one cache plugin at a time and, in my experience, this is the best one although very few people seem to recognize that. There are other more popular cache plugins but I found problems with each of them.

Again, back up wp-config.php before any changes and be careful when editing.

WordPress Security Tip: DO NOT Delete Admin User, Disarm Him!

Wordpress Security Tip: DO NOT Delete Admin User, Disarm Him!

Some tools like QuickInstall will allow you to install and configure WordPress in under one minute, however you’ll typically end up with default user name “admin”.

Wordpress Security Tip: DO NOT Delete Admin User, Disarm Him!For those who are just starting out with WordPress, there are many different types of users who can actually use your site in different ways. How they use your website and what they can do is defined by permissions and these permissions are different for each type of user. You can have contributors, authors, editors, spectators etc.

The installation and website management requires administrative access to your site and it’s only logical that your default username is “admin”, however the problem is that malicious bots “know” that and this is precisely what they are looking for.

The most common advice is to never be “admin” in the first place, but if you happened to be “admin” for whatever reason you are typically advised to create a new user with another name, give him administrative capabilities and then delete old “admin” (after assigning all old content to new author).

However even better way is to create a new user with long complicated name, give him administrative permissions and then edit “admin’s” permissions and make him, let’s say, a subscriber or a visitor. This type of users cannot do any changes to your site and even if malicious bots will succeed in guessing “admin’s” password they won’t get access to real admin dashboard, hence won’t be able to do any harm to your site or blog. So you will not delete “admin”, you will only limit what “admin” can do.

You should actually CREATE admin

In addition, if you already have long and complicated user name and do not have “admin”, I suggest that you actually create one. Of course you aren’t going to give him administrative capabilities, you are going to make him someone totally harmless, like spectator. Why to create “admin” when almost everyone advises otherwise? To mislead stupid bots.

WordPress has one problem – it tells too much. If you enter wrong username, it will tell you specifically that this username doesn’t exist. To be precise, it will say “invalid username”, so you know the problem is not in password, it’s in username. This saves hackers tons of time. If they know “admin” doesn’t exist they won’t waste time guessing “admin’s” password. They will try to guess your real username instead. But if you actually have that little harmless user called “admin”, WordPress will tell them it’s password that is incorrect so they will waste lot’s of time guessing admin’s password only to find out that all they can do is to read publicly available content.

Security-wise, it’s best to have “admin” user with limited capabilities and not do delete it altogether.

More on WordPress security here »

When Your Shortcode Stops Working… How to Create Your Own Shortcode!

Free plugins are awesome and most can be used with no fear, but let’s face it, bad things do happen at times. Yesterday I discovered that author of my Adsense plugin decided he could earn from my site. All my ads disappeared and were replaced with his ads 😐

The plugin was quite simple, it was basically shortcodes that I had to insert manually to all my pages. Although there are automated solutions, I prefer it this way, because I control how and where my ads appear.

Needless to say, I got rid of his plugin immediately. There was no serious harm to my site, but I still needed a solution for my ads.

Having to install another plugin didn’t seem like an attractive idea. Going through hundreds of pages removing his shortcodes and replacing with something new was out of question. I needed to get my old broken shortcode work the way it did without plugin.

His shortcode looked like this


It was inserted into each post of my site. Normally it was displaying ads, but now my visitors were seeing ugly [wp_ad_camp_1] in between paragraphs…

Fortunately, this was easy to fix. I went to my WordPress files in cPanel wp-content –> Themes –> My Current Theme folder –> functions.php

I added this to my functions.php (at the end)

function MyPersonalShortcode() {
    return 'AD CODE GOES HERE';
add_shortcode('wp_ad_camp_1', 'MyPersonalShortcode');

Voila, I am a big girl now. My ads are running. I don’t need your plugin!

Pay attention: I made sure I have wp_ad_camp_1 in the last line, because it should match the old shortcode exactly. Anything would work, but the whole point is to get your old broken shortcode do what you want it to do. So if you ever find yourself in similar situation, make sure you insert exactly same shortcode name as your old shortcode. Function MyPersonalShortcode can be anything you wish.

Obviously, AD CODE GOES HERE has to be replaced with your ad or piece of text you want to display.

1. Backup your functions.php before editing.

2. When you edit, make sure you leave no empty spaces in your functions.php – that is before the first line of code and after the last line. It’s really easy to leave spaces without realizing and what you get is that you can’t access your WordPress admin area – you’ll get a blank screen instead. If you manage to access your dashboard, you are likely to have issues with Media gallery, and when saving any new modifications. You’ll be getting blank screen every time. While it sounds and looks very scary, the fix is easy – go back to your functions.php and remove empty lines. Hit Save and you should be fine.

3. This code is very simple. There are more sophisticated ways of doing this. However this is enough to insert an ad or a piece of text in place of your shortcodes.

4. If your site is completely messed up after modifying functions.php, you did something wrong :p Don’t worry, just get rid of any new code you just inserted and hit save again. You’ll be back to your old version. Now you can take time to think what you did wrong then try again.

WP Adsense Plugin Alert

This is a quick post to alert anyone who is using WP Adsense plugin by Naeem (here is his site). For quite a long time I used Naeem’s plugin and was very thankful, however after latest update my ads were gone and replaced with his ads.

I want to believe it’s a mistake of some kind, but let’s face it, it isn’t. I have no idea how he thinks, but he puts his own Adsense account in danger first and foremost.

If you are using this plugin deactivate it immediately. I suggest removing all his files, as you never know what else he is up to. Once you deactivate the plugin things will be back to normal, except of course that your ads will not work.

5 Steps to Making Your WordPress More Secure

old fashioned pc in a safe

I am not sure what are exact numbers today but just a couple of years ago it was said that WordPress powered over 60 million websites with 100,000 more popping up each day. The only thing I know that this numbers didn’t decrease. WordPress is a robust, flexible, 100 percent free platform for building all types of websites – personal, e-store, magazine – anything. Because the code is available to everyone and because so many people use it, WordPress has become an attractive target for hackers.

old fashioned pc in a safeFortunately, with such a huge community, WordPress doesn’t leave any issues unresolved for very long. However, this doesn’t mean you shouldn’t educate yourself and take appropriate steps to secure your WordPress.

There are so many ways to harden your WordPress and I will admit that I am not taking an advantage of them all, but here are just a few simple steps you can do today to significantly reduce your chances of being hacked. It’s something I tried and found very easy to implement.

Before you begin back up your .htaccess file and wp-config.php file and save somewhere safe. You are going to do changes to these important files and while you probably will be fine save the original copy just in case anything went wrong. It could be as simple as deleting a character without realizing and voilà – your entire site displays server error. Don’t blame me in that case, okay? This by itself doesn’t do anything bad to your site, only good. But you might miss something without realizing or have whatever special configuration I can’t know about. Backup your files and save the copy of this post for future reference.

Deny access to wp-config.php

One of the first things you want to secure is wp-config.php It contains sensitive information such as your database username and password.

Open your .htaccess file and paste this at the very top (before anything):

<files wp-config.php>
order allow,deny
deny from all

Some suggest to exclude your own IP, but the official WordPress recommendation seems to be this particular code as mentioned here, so that’s what I am currently doing.

Protect your wp-includes.php

Following recommendations of the same source here I protect my wp-includes.php by placing this code in my .htaccess

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Prohibit Directory Views

If you aren’t friends with your cPanel you might be not aware that your site consists of multiple folders. Unless each of this folders contains its own index.html ot index.php you (or anyone for that matter) can navigate there and see your file structure. It would look like this

This is dangerous. I used to create index.html with clever messages to hackers in each folder before, but recently I learned that you can simply add

Options -Indexes

to your .htaccess and have it fixed all at once.

Disable Theme and Plugin Editors

WordPress allows admins to edit PHP files, which might be handy when you want to edit theme files or plugins. Unfortunately this comes with its price by making your website vulnerable to hackers as it’s the first tool the attackers will typically use (according to WordPress Codex here)

You can disable the editors by adding this line to your wp-config.php

define('DISALLOW_FILE_EDIT', true);

Protect your install.php

Install.php is located in your wp-admin folder. Generally once the installation is done you don’t need it anymore but it’s still there unless you delete it of course. In some cases if your database fails this file might “assume” there is no WordPress installation on your site and load an installation wizard. This will allow anyone to create a new installation with admin account on your domain. There is a number of things you could do to protect yourself from this, including simply deleting this file. I personally chose to add this to my .htaccess

# PROTECT install.php
<Files install.php>
 Order Allow,Deny
 Deny from all
 Satisfy all

You can learn more about other solutions for install.php here.

Last but not the least, always keep your WordPress installation and all plugins and themes up to date. Install only necessary plugins and get rid of anything you don’t use. Some things can be done without plugins by working with raw code. For example, Google Analytics can be inserted right into template. Automatic database backup can be set up using cron jobs. If you have sufficient skills for this, consider doing it yourself.

Obviously, there are many more ways to secure your WordPress, but even if you implement only these simple steps you will much more secure than before.

One more security tip here »