WordPress Plugins vs. Cloudflare Apps

Cloudflare Apps are a lot like WordPress plugins. Each App adds specific functionality to my website. Like plugins, Apps are available in multiple categories such as SEO, Security, Social & Communication, etc. Another similarity – some Apps are free, some are not.

A major difference is that unlike a plugin, which is installed and runs on my site, an App adds its functionality to my pages as they pass through Cloudflare.

Here’s an example … Most of my sites use the same basic kind-of-plain design. This is intentional, since I want user focus to be on content. On a for-fun site though, I’d like to add a touch of whimsy. I log into CF, select my site, click the Apps tab, and start browsing. I find an App called Particles that looks promising. Its description reads “Fill your site’s background with interactive particles”. It has 82% positive rating. Importantly for me, it is free.

I select Particles and click ‘Preview on your site’. I get a screen that shows my site with the new functionality – interactive moving background particles in this case – on the right, and configuration options on the left. I experiment with the configuration options to fine-tune the look.

I decide I like it, so I click ‘Install on all pages’. And … instead of immediately installing, CF serves a pop-up: ‘Cloudflare will share your email address with the developers of Particles’. Well, that’s damn annoying. I decide I like the App enough to risk a few spam emails. I click ‘Continue’.

That’s it. I now have cool background particles on my Micromismanagement site.

Great things about CF Apps in comparison to WP plugins:

  • I don’t have to install or run anything on my site, saving me a few bytes of disk space and a few CPU cycles.
  • The App provider takes care of upgrading to new versions.
  • I can preview the new functionality on my site before deciding whether to install it.
  • Installing and uninstalling are quick and easy.
  • The new functionality is served from the CF node closest to the user for high performance.

Great things about WP plugins in comparison to CF Apps:

  • Selection – there are many thousands of WP plugins are to choose from, compared to a few dozen CF Apps.
  • WP plugins typically have more configuration options. For example I tried the Social Icons App but could not get the icons placed the way I wanted them on my site. I use a plugin instead.
  • Many WP plugins are widely used. They are discussed in the WP user forums and elsewhere. Recommendations, reviews, and peer support for the more popular plugins are ample. By comparison, CF Apps seem to have a much smaller user base. There isn’t much discussion about them in the CF user forums, or anywhere else for that matter.

My point of view … I love the concept of CF Apps. I hope the selection continues to grow and the user base multiplies. For now though, selection is key. I can almost always find the right WP plugin for whatever I need. Particles is the only CF App I currently use.

Arrg! Me Pirate Form plugin be walkin the plank.

Shiver me timbers! Me favorite contact form plugin – Free and Simple Contact Form by Pirate Forms – be abandoning ship. Pirate Forms was acquired by WPForms, who are retiring my favorite contact form in favor of a migration path to their signature WPForms Lite. Either by remarkable coincidence or due to a wry sense of humor,  the scallywags at WPForms made the announcement on International Talk Like a Pirate Day.

When a favorite plugin is lost at sea.

I find full-featured form plugins like the deservedly popular Contact Form 7 to be overly complex for my meager needs. I need just a simple contact form with no ‘advanced’ features to get in my way. Pirate Forms was perfect. To be fair, WPForms is also awesome. The final version of Pirate Forms includes a migration tool to make conversion to WPForms as painless as practical. And WPForms provides a very nice balance between powerful features and ease of use – kinda halfway in between Pirate Forms and Contact Form 7. But WPForms includes one mildly annoying characteristic that I just could not get past – a hideously ugly lime green background on the confirmation message.

OK, “hideously ugly” is overstating it, but it does not fit well with the look of my sites. It should be a relatively straightforward matter to change the look of the confirmation message with a bit of custom CSS. But no matter what I tried, I could not get it to work. In desperation I finally edited the plugin CSS directly – an obviously bad practice that I will likely have to re-do every time the plugin is updated. But, like I said, I could not live with the lime green.

Ah, much better.

WP Malware Scanners

I take a number of security precautions to keep my sites free of malware. But what if malware gets past my defenses? I need to be able to detect it so that I can eradicate it. With WP malware scanners, as with everything else WP, I prefer free. I know of three types of free WP malware scanners: Host-based; Web-based; and Plugins.

wp malware scanners

The malware scanner offered by my host – and by many other hosts – built into cPanel, is ClamAV, although it is labeled simply “Virus Scanner”. It has the advantage of scanning not just my WP site but my entire home directory, including email. On a neglected legacy site with about a decade and a half of email in multiple accounts, I was shocked to find hundreds of infected emails, which ClamAV dutifully exterminated for me.

There are a number of web-based scanners. Three that I know of that are free and do not require me to create an account are Sucuri Site Check, Quttera, and WP Scans. A big advantage of all three is super convenience. I just visit the website and run a scan. Which works best? I have no idea. I suspect each has its plusses and minuses.

And the plugins. There are several. The two that I’ve tried are WordFence and NinjaScanner. The advantage of a plugin scanner is that it works from inside my WP site, so presumably it can find things that external scanners miss. I have a quibble – actually a couple – with WordFence, so I prefer NinjaScanner.

So, which of these WP malware scanners should I use? Why not all of them? They presumably all have strong points. Using multiple scanners would seem to increase my chances of catching even obscure malware. During my monthly site maintenance I alternate among ClamAV, Sucuri Site Check, Quttera, and WP Scans. Annually, I run NinjaScanner.


Is Gutenberg the beginning of the end of WP?

Is Gutenberg the WP Waterloo? An editor too far? The doomed charge of the CMS brigade?

Is Gutenberg the beginning of the end of WP
The Battle of Waterloo by Clément-Auguste Andrieux

Ah, no. At least I don’t think so, although there is a lot of speculation about it. Moving Gutenberg into WP core is an inexplicable misstep by the WP People in Charge (PIC), an arrogant act of incompetence, an imposition of the unwanted on the unwilling by the unaccountable. But it’s not like WP PIC haven’t stepped on their dicks before and recovered from it.

As I relate in another post, I have test driven Gutenberg and – despite its still-persistent bugs – I don’t hate it. It works about as well for me as the classic TinyMCE. What I do hate is the arrogant, despotic tyranny of forcing it on a community of loyal users who overwhelmingly do not want it. But will this kill WP?

Again, I don’t think so. The PIC – reluctantly, I imagine – provided a reasonably easy way to stick with TinyMCE and evade Gutenberg, at least for the time being. Also, WP is way too popular, way too excellent in very many ways, and generally well-maintained and supported by the usually-awesome PIC, to slip into permanent decline over this kerfuffle.

What would I do – switch to Joomla? I would have to change the name of this blog to JoomlaPOV, and that’s not even alliterative.

Images, Copyrights, and the Pixabay Plugin

Choosing images to use in my pages and posts can be a minefield. How do I steer clear of unintentional copyright infringement? I could pay for commercial images from a reputable supplier, but that would violate my guiding principal of not paying for web stuff when at all practical. My preference is to always use images that are verifiably public domain. When I can’t find or create an applicable public domain image I resort reluctantly to Creative Commons, though I cringe at the hypocritical requirements and restrictions.

When it comes to public domain, the ‘verfiably’ part can be tricky. Google can tell me that an image is “Labeled for reuse with modification”, but is it labeled correctly, and by whom? Tracing a specific image back to its source can be difficult to impossible. So, I don’t trust a blanket Google search.

I decided to trust Wikimedia – they seem to do their homework pretty thoroughly. I also sometimes search Gutenberg to find images published before 1923 – the current cutoff date for copyright protection in the United States. And I use a lot of public domain font characters (e.g. webdings) that I enlarge to image size.

Recently I stumbled onto the Pixabay Images plugin. The plugin has been around for awhile, and Pixabay has been around much longer, so not sure why it took me so long. As best I can tell, the people at Pixabay do their homework thoroughly too. The plugin takes most of the drudgery out of finding and using public domain images. It is a huge time-saver, and is my new first choice when I need an image.

WP Accessibility

WP AccessibilityAn interest of mine, in addition to WP, is document accessibility. Over the years I’ve learned quite a bit about it, in particular relating to PDF files. My website on the topic is TaggedPDF.com. I know much less about web accessibility, just have never made it a focus of study since from an income perspective (another interest of mine) it seems to be well-covered by others. So, I got to wondering, how are my sites when it comes to WP accessibility?

It turns out WP does a pretty good job on accessibility. The WP core team has published an Accessibility Handbook that provides great information – if a bit more focused on generic html than specifically on WP issues. WP core is accessibility-ready, and the WP Themes directory includes an abundance of themes tagged as accessibility-ready, although my theme – Responsive Mobile – is not among them. There is even a WP Accessibility plugin, by Joe Dolson. I used the plugin for a while. It offers great features and I really wanted to love it, but my sites were glitchy with it installed. I don’t blame Joe, I think my theme or other plugins have some conflicts with it.

So, it should certainly be practical to make a reasonably accessible WP site. But how accessible are mine? After testing, I think not quite perfect but pretty good. Keyboard navigation seems to work fine. This site passes the WAVE accessibility checker from WebAIM with no errors – though the checker does offer some suggestions for improvements, i.e. ‘Alerts’. My results are not too much worse than those of WebAIM’s site, or Joe Dolson’s.

All that being said, if I were making a site that had to be fully compliant with WCAG 2.0 accessibility guidelines, I would use flat html, not WP or another CMS. I would probably use a text editor like NotePad++. It would be a visually hum-drum site, because I’m not very good at html, but I could control every aspect of the design.

Health Check Plugin

The free WP Health Check plugin is a relatively new arrival, having been introduced a few months ago by “The WordPress.org community”. It has a remarkably polarized set of user reviews – divided almost exclusively between 5s (“Works great!”) and 1s (“Warning! Broke my site!”).  The authors strongly urge to backup your site before installing and using this plugin – always a good idea.

wp health check plugin

For me, the plugin works perfectly and is a superb addition to my WP troubleshooting toolbox. Among it’s features …

  • On the Health Check tab, “The health check shows critical information about your WordPress configuration and items that require your attention.” In my case it seems to show a couple of false positives, but for an extremely useful free plugin I can live with that.
  • On the Debug Information tab, a ton of detailed data. Most of it I don’t understand, but if I ever need it I’m sure I will be very happy it’s there.
  • Most important – the Troubleshooting tab. A standard, basic WP troubleshooting step is to deactivate all plugins and switch to the default 20-something theme. This has gotta be confusing to anyone who happens to be visiting my site at the time. The appearance of my site completely changes, and a bunch of theme and plugin-dependent stuff stops working. The Health Check plugin solves that problem by deactivating plugins and switching themes just for me – site visitors continue to see the normal, functioning site. I can selectively turn on specific plugins and my usual theme as I troubleshoot.
  • On the PHP Information tab – lots more detailed data.
  • I especially love the Tools tab. I can verify the integrity of all WP core files – an important step in my periodic maintenance to be confident I have not been hacked. I can also verify that wp-mail is working.

Reminder – backup your site before installing and using this plugin. It works perfectly for me but has broken some sites.

Essential Plugins

This is my point of view on which popular, free WP plugins are essential for me. Choice of plugins is dependent on the needed functionality as well as personal preference. There is no list of essential plugins that is right for everyone. In general I try to limit my number of plugins, and use only those that I very much need.

which popular, free WP plugins are essentialThat being said, most sites benefit – or would benefit – from some sort of …

Other plugins that are essential for me:

  • Akismet for spam avoidance – only on sites that permit user comments.
  • Menu Icons for adding, well, you know.
  • Meta Slider for adding visual interest to an otherwise boring page.
  • Sticky Menu (or Anything!) on Scroll to keep my site logo and Top of Page link on screen.
  • WP Mail SMTP because my host turns off PHP mail (Update: Switched hosts. Switched back to PHP mail for now.)

Automatic updating WP, themes, and plugins

The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.

Automatic updating WP, themes, and plugins

I had always kept my WP, themes, and plugins up to date manually, as a item on my monthly maintenance checklist. After the WP REST API exploit debacle, I decided to switch to automatic updating. I now auto-update everything – major and minor core releases as well as plugins and themes. I am choosing better hack protection over oops-the-update-broke-my-site risk.

Configuring auto-updates is easy-breezy. I just add the following to my child theme functions.php file, or better yet to my custom plugin.

// Automate updates for WordPress core
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Automate updates for themes and plugins
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );

I have to keep in mind that ‘automatic’ does not mean instantaneous. PHP is not a continuously running process, something like a page load has to trigger it. And since my pages are globally cached for blazing site speed, I can never be sure when a trigger will happen. In practice though, even my low-traffic sites are staying updated much more timely than with my previous manual method.

Update: Explicitly setting automatic updates for minor core releases (i.e. maintenance and security releases) may seem redundant. This is default behavior since WP 3.7. However, WP 4.3 broke this feature, and most sites that were upgraded to 4.3 could not auto-update to 4.4. With the explicit setting in my custom plugin, my sites auto-updated to WP 4.4 just fine. Sometimes redundancy can be a good thing.

Caching Plugin

LiteSpeed cache logoI chose my web host carefully. My sites are hosted on a LiteSpeed web server, so I am able to use the remarkable free LiteSpeed Cache (LSC) plugin. LSC provides much more than just lightning-fast server-side caching. In also includes a suite of optimization tools such as: Database optimization; Image optimization – which seems to be equal to or better than the paid/premium versions of competing plugins; Connection to CloudFlare so I can put CF in development mode or purge the CF cache; and Miscellaneous settings like ‘Remove query strings from static resources’.

Using my two favorite website speed checkers, WebPageTest.org and GiftOfSpeed.com

  1. LSC Off | CF in Development Mode (baseline site)
  2. LSC On | CF in Development Mode (significant speed increase over baseline)
  3. LSC Off | CF Caching On (a significant speed increase over LSC)
  4. LSC On | CF Caching On (no significant speed change over CF alone)

A few observations:

  • On my relatively static sites like this one, I use a CloudFlare page rule for blazing site speed. On these sites I am not able to squeeze out any more speed by using a caching plugin – even an exceptional one like LSC. So why run LSC on these sites? Because of the other optimization features that LSC offers, and because it boosts site speed when CF is in development mode or doesn’t have a page cached for some reason.
  • On sites with dynamic content, I use CF with default cache settings. On those sites, I do get a nice increase in speed by using LSC in addition to CF.
  • Kinda funny how my Compress Images grade on WebPageTest jumped between A and B even though all tests used the same images. I guess my images must be borderline A- / B+.
  • Strait A’s on the final test. Yea me!

Many LSC features only work on sites hosted on LiteSpeed web server. For sites hosted on Apache, I like Comet Cache for its plug-and-play simplicity as well as performance. The very popular W3 Total Cache (W3TC) is another excellent choice.