All the plug-ins you need for WordPress

WordPress is one of the most common ways to get your business online, with its CMS mindset, plug-ins and themes. It truly offers the flexibility a business needs to get going. If you’re not making use of plug-ins, then you’re missing out on some of the platform’s best features.

Searching for a plug-in is hard work: there are so many out there, and multiple different plug-ins do the same thing. Some aren’t compatible with your version, some don’t look right, and some have low reviews. It’s a minefield that’s difficult for the average person to navigate.

Let’s start with the basics.

  1. Look for ones that are compatible with your version of WordPress
  2. Only install ones from the WordPress plug-in menu; that means they are trusted
  3. Check the number of existing installs; the more the better

Let’s talk about some of the plug-ins we think you should use.


Yoast is a search engine optimisation (SEO) plug-in that takes a lot of the legwork out of optimising your WordPress site.

If things like robots.txt, .htaccess files and permalink URLs mean nothing to you, then not to worry – Yoast does this kind of technical stuff in the background.

It also helps with keyword optimisation, and provides a readability check so you can be sure readers will lap up your content.

It really is a must-have for all WordPress sites.

Contact Form 7

Need a way for potential customers to get in touch with you? Then Contact Form 7 is the plug-in you need.

It’s quick and easy to create forms, and you won’t need a developer to install them on your site.

You can also tailor the fields in your forms to meet your exact needs, making it easy to make sure you have all the information you need in order to follow up all those juicy leads you’ll be generating.

And even if you just need a way for people to get in touch when they have a query, Contact Form 7 has you covered.

Social Media Share Buttons & Social Sharing Icons

Giving people a quick and easy way to share your content is a good way to get it shared. As the name suggests, Social Media Share Buttons & Social Sharing Icons does exactly that.

It covers the major social media networks, and it’s remarkably easy to configure. So if you need a social sharing solution for your WordPress site, give this plug-in a try.

Limit Login Attempts

Another WordPress plug-in that does exactly what the name suggests. But why would you want to limit the number of login attempts to your site? Well, if someone is trying to get unauthorised access to your site, they may use a program that automatically and rapidly tries to guess different passwords.

With Limit Login Attempts, you can restrict access to the blog if someone keeps entering an incorrect password, making your site more secure.

Google Analytics for WordPress by Monster Insights

Google Analytics is a great way to understand how people interact with your website, but it can be difficult to install if you’re not a web dev. That’s where this plug-in from Monster Insights comes in.

It allows you to install Google Analytics on your WordPress site with just a few clicks – no need for coding.

And once that’s done, you can benefit from all the usual statistical insights that Google Analytics provides.

Really Simple SSL

Another plug-in that removes the need for a spot of coding. Really Simple SSL allows you to run your site on https – all you need is a valid SSL certificate.

SSL is important as it encrypts any data that’s sent via your site – such as card details and addresses. If you’ll be collecting any kind of customer data, then you’ll need an SSL certificate.

You can get your SSL certificate with any of our hosting plans for free (if you don’t have one already) and then use this plug-in to get it up and running on your WordPress site.

WP Super Cache

Without going into technical details, WP Super Cache makes your WordPress site load more quickly for the vast majority of visitors, which improves user experience.

If you’re a WordPress beginner, then this plug-in’s “simple mode” is a great way to get speed gains that you wouldn’t normally be able to access.

Summing up

Don’t be scared of plug-ins. Using them wisely is a great way to increase the functionality of your website! Go out and explore.

How to enable HTTP Strict Transport Security (HSTS) for your site

Some of you who use SEMrush might have noticed this:

“3 subdomains don’t support HSTS”

Enabling HTTP Strict Transport Security (HSTS, as we call it) is a quick and easy fix and will help remove those notifications.

First, you must have an SSL certificate enabled; enabling HSTS without one will break your site.

What is HSTS

HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections for all future requests when communicating with a web site. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.

How do I enable HSTS

When HSTS is enabled for a site, web browsers automatically change any insecure requests (http://) to secure requests (https://). All you need to do to enable HSTS is add a header to your site’s .htaccess file. The web server reads the .htaccess file and sends this header with its responses; web browsers recognize the header and take care of the rest without any further intervention on your part.

To enable HSTS for your site, follow these steps:

  1. Using SSH or the File Manager, navigate to the ~/httpdocs directory.
  2. Use a text editor to open the .htaccess file.
    If the .htaccess file does not already exist, create it.
  3. Copy the following line, and then paste it into the .htaccess file:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
  4. Save your changes to the .htaccess file. HSTS is now enabled for your site.
    When the web server sends this header, any browser that accesses the site over HTTPS will be unable to access the unsecured HTTP site for the specified length of time (in this case, 31,536,000 seconds, or one year). Therefore, as soon as you enable HSTS, you should not stop using SSL on your site. If you do, returning visitors will be unable to access your site.
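
Once the header is in place, it is worth checking what a browser will actually make of it. The following is an added example, not part of the original post: a small Python check that parses a Strict-Transport-Security value the way RFC 6797 describes and reports common problems. The function names and the sample responses are constructed for illustration. Note that the line from step 3 has no includeSubDomains directive, so the policy applies only to the host that sends it and each subdomain has to send its own header.

```python
import re

ONE_YEAR = 31536000  # the max-age value in the .htaccess line above

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns None for an invalid header, which browsers ignore entirely."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if not name:
            continue                           # tolerate empty segments such as a trailing ';'
        if name in seen:
            return None                        # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')    # the value may be a quoted string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                            # max-age is required and must be all digits
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def audit(scheme, headers):
    """Findings for one response; headers is a list of (name, value) pairs."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["HSTS sent over http: browsers ignore it"] if values else []
    if not values:
        return ["no HSTS header on https response"]
    policy = parse_hsts(values[0])             # browsers process only the first header
    if policy is None:
        return ["invalid HSTS header: browsers ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age is shorter than the one-year value used above")
    if not policy["include_subdomains"]:
        findings.append("policy covers this host only, not its subdomains")
    return findings

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    samples = [
        ("https", [("Strict-Transport-Security", "max-age=31536000")]),
        ("https", [("Content-Type", "text/html")]),
        ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    ]
    for scheme, headers in samples:
        print(scheme, audit(scheme, headers))
```

To check a live site, feed `audit` the response headers from an HTTPS request to the main domain and to each subdomain in turn.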


One more SEO problem fixed!

Our first DDoS attack, what happened and what we’ve learned…

DDoS, or distributed denial of service, attacks are becoming more commonplace on the internet. There is a long list of articles online telling you everything you need to know about what these attacks are, so we’re not going to re-invent the wheel.

According to Digital Attack Map, a DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

They go on to say that you can currently buy a DDoS for as little as $150, there are more than 2000 daily attacks, and 1/3 of all server downtime is due to a DDoS attack. So they are incredibly serious and very difficult to avoid. In our case we had a 10gb attack that lasted just short of 2 hours and started on the 24th January 2018. This attack was aimed at one of our shared hosting servers’ shared IP addresses and effectively overloaded its ability to handle the incoming data.

We did prepare for this…

We had prepared as much as we thought, but even with a Fortigate firewall with specs including 200Mbps Threat Protection and 2.5 Gbps protection, 4 separate Gb cables to each server combined into an active/passive bind, and monthly maintenance windows, there was no way to prevent such a devastating attack.

Reviewing the firewalls, we pulled the following images to show you the effect of the attack:

[Image: firewall attack]


You can see the difference in the traffic to the server; it was drastic compared to our normal traffic, but the firewall wasn’t struggling.

[Image: Firewall attack 2]

You can also see on these images that we’re used to constant attempts to access the server and bypass our security. In fact, if you look earlier in the day, there was a more focused attempt to access everything and it didn’t affect our services.

The server affected noticed the spike in traffic, as shown in this graph; it wasn’t struggling, but the traffic was clearly increasing.

[Image: Xenserver graph]


The server that was attacked also registered the increased network spike, but it was still only half of the physical limit of the devices.

So if everything was working fine, why did everything stop?

The problem we faced was capacity. We share the racks in the data centre with other customers, and with an attack of this scale the data centre registered the attack and immediately noticed the degradation of service for the entire cabinet. If one server is being attacked it can affect all the servers in the rack, meaning the data centre has to make a difficult choice to protect 35 other servers over the one being attacked.

[Image: Server Rack. Examples of 1U servers]

By disabling the attacked site/server, the attack has nowhere to go and simply stops. The DDoS is effectively still running but it doesn’t have a target, so the botnet running it will just keep trying for as long as it was paid to run.

So what can we do in the future to avoid this?

The difficult reality is that avoiding it is near impossible, but mitigating it is possible. DDoS attacks are a normality of internet life; what we need to do is educate and improve our security for next time. We have started investigating our data centre setup to see if we can do something else next time: moving equipment, further redundancy, anything physical we can do and any investment we can make. These all take time and testing, but we’ll get it done.

There’s a lot a user can do (yes, you the reader). Cloudflare offer caching and DDoS protection for websites as standard, and we offer Cloudflare as standard on our servers. If you turn this on, it re-directs your domain name to them and caches your site on their systems. This means that if the attack is aimed at you, Cloudflare will be hit first and can handle the attack for a few hours, hopefully by which time the attack ends and no one notices. If the attack is against us, your website is cached at Cloudflare and is still able to run (in a limited fashion), meaning no one knows.

We’re also going to split our customers up into IP groups. This means that if the attack happens again, we’ll only lose a few customers, not them all. We’ll be organising this over the coming weeks.

Finally, a few of us had Office 365 as our email provider. This meant that our websites were down but our email was still running. We could reply, deal with the data centre and still manage the support desk.

We’re not done and no amount of bullying will stop us from providing excellent service.