Contact Form 7 & spam filtering

A lot of our clients use Contact Form 7 for their contact forms. With a couple of additional plugins you can mitigate most spam and bot submissions.

First, you probably already have Akismet, you definitely do if you’re a WP Support HQ customer. If not, it’s worth getting and might be free depending on your use.

This is great because it’s already supported by Contact Form 7.

To use it you need to add the follow special tags to the From Name and From Email fields in your form.

[text* your-name akismet:author]
[email* your-email akismet:author_email]

Next we add something called a honeypot. This is a special field that normal users don’t see, but bots and other automated scripts will. If it’s filled out, then Contact Form 7 knows it was a bot or spam. I like this because it’s a user friendly way of filtering. Invisible to users actually.

Install the Honeypot Module for Contact Form 7. After you activate it, on your form edit page, add the honeypot field. It will look something like this:

[honeypot honeypot-37]

You’ll want to change the default naming to something that looks like an actual field that should be filled out. I often use “interests” or “categories”.

[honeypot interests]
After the changes for Akismet & Honeypot

That should take care of most spam and leave a good user experience. If you need or what to be more restrictive you can checkout setting up a ReCAPTCHA.

Configuration & setup for new WordPress sites

When you setup your new WordPress site, there are a couple of things that will help make things more secure. You can do them later too, but it’ll require a bit more work.

First, use a different table prefix from the default ‘wp_’. It’s easy to change this is from the setup screen, but a bit harder later. Either way, it’ll make SQL injection attacks harder. The table prefix is a prefix WordPress uses for it’s database tables names. Using something like ‘wp_234a2234_’ is perfectly fine.

Secondly, don’t use ‘admin’ as the username. This was the default early on and now attacks often try this username. If you already have an ‘admin’ user, I’ll show you how to change it at the end of this post.

Now that the site is setup, you’ll want to do some additional cleanup by removing some of the install files that are no longer needed, updating the wp-config.php file, and adding some code to the functions.php file. Sounds like a lot, but it’s pretty easy once you have SFTP setup.

On the server

You’ll need SFTP access for these next steps. This guide will help you get going if you don’t already know how to use SFTP. I recommend FileZilla, it works on Window, Mac, and Linux You should use SFTP over FTP if you can. Most hosting companies have SFTP available. What’s the difference? Security!

Make sure you take a backup now!

The easy part… deleting the following files.

  • readme.html
  • wp-config-sample.php
  • wp-admin/install.php

Now you’ll want to setup custom salts and disable debugging support in the wp-config.php. This file is in the root of your website, usually in a http_docs or public folder.

Download the current file and edit in with a text editor. In the section that starts with define(“AUTH_KEY”), look to make sure there is random text for all the values. It should NOT look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

If it does, go here to create your own random values and replace the ones in your file.

Turn off debugging & web based file editing.

While helpful when developing or initially setting up your site. You should turn the following options off when you’re not using them. They can give attackers helpful information and access to files.

The add the following to the end of wp-config.php file, but before the /* That's all, stop editing! Happy blogging. */ line.

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

// Enable WP_DEBUG mode
define( 'WP_DEBUG', false );

// Enable Debug logging to the /wp-content/debug.log file
define( 'WP_DEBUG_LOG', false );

// Disable display of errors and warnings
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
define( 'SCRIPT_DEBUG', false );

Here’s a quick video showing how to make these changes w/ FileZilla.



This change after a site is setup require a bit more work. And are best done using SQL. What is SQL? It’s how you talk to databases. It’s not support complicated, but you can ruin your database, so make sure you have a current backup before hand!

Fixing admin login on an existing site.

WPBeginner has a good post with a few ways to change the username. I recommend method 3.

Changing the database prefix on an existing site.

WPBeginner has another good post outlining how to change the prefix.

How We Manage WordPress Sites at WP Support HQ

When a new site signs up we do a number of things to make sure it’s backed up, updated, secure, and running smoothly. We think our WP management service is a great value, but we also think these are things every WordPress site should do. So for the do-it-yourselfers out there, here’s how we do today.


First thing we do is make sure there are backups so we can fix anything that might go wrong. It usually doesn’t, but a back up is nice. We use UpdraftPlus for all our backups. It’s a great plugin and stores everything to Amazon’s’ S3 storage solution for safe keeping. We configure it to automatically run every day.

Now that’s done, we see what needs updated. If the site hasn’t been updated in a while, then we need to do some research to make sure the plugins and themes will work with the latest stuff. Check the Updates screen and many plugins will state whether or not they work with the latest.

Compatibility with WordPress 4.5.3: 100% (according to its author)

For those that don’t, we find the plugin in the Plugin Directory. Checking the reviews and support tabs will usually surface any issues. If WordPress itself is really out of date, then the Directory is helpful to see if the current version is supported.

Next we check the theme. Although we don’t automatically update themes, it’s good to know if there are updates available and if they’ll work. This is something we just report on.

Next we remove any disabled plugins. They aren’t running on the site, but WordPress still loads them and they can be a security risk.

Are there any active plugins that aren’t used on the site? It’s pretty hard to tell without doing a more thorough audit. But sometimes there are obvious ones, like Hello Dolly, the sample plugin installed with WordPress. We disable and remove those too.

Next up is Akismet. Comment spam protection. If comments are turned off everywhere, then this can be removed. If comments are on and Akismet not set up with an API key, we set it up.

Anti-malware. We love the Anti-Malware Security and Brute-Force Firewall plugin and set it up next. Not only is it an amazing anti-malware scanner, it repairs issues it finds and also protects from some very common attacks, including Brute-force logins. Brute-force logins, arguably the most common way sites are hacked, are a program that just tries to guess the password by logging in over and over very fast.


To keep up on things we setup some automation. We already have the backups running every day. But what about updates and security scans?

WordPress core can automatically update itself and now that we’re starting from an up-to-date site, we make sure it does. In the wp-config.php file, we add the following if it’s not there.

define( 'WP_AUTO_UPDATE_CORE', ‘minor’ );

This allows WordPress to auto update any minor updates, this includes security fixes. We don’t enable everything in here, because major updates and plugin updates can break a site, we like to make sure that doesn’t happen.

For the rest of the updates we use MainWP. This keeps an eye on everything and lets us auto update plugins we’re confident won’t break a site. For everything else, we manually update and verify those once a month.

MainWP also includes some other great features, like fixing common security configuration problems and scanning the site with Sucuri.


Lastly we take a look at performance. The biggest things that affect performance are too many plugins, caching, and images.

We’ve already audited the plugins, but if there are still a lot, like 15 or more this could be an area of improvement.

Next is caching. Some hosting companies take care of this at the server level. For the rest a caching plugin is helpful. We use WP Fastest Cache. It’s easy to setup and works really well.

Lastly, images. Not everyone knows how to optimize images for the web, and big images can cause slowness. WP Smush will automatically optimize images and speed things back up.

Done. Almost!

With everything set up. We’re set until the next update cycle, except for one thing.

Watch for security alerts. These are usually bugs that allow attackers in so we want to catch them as soon as possible. Usually there’s an update that we can install, other times the plugin has to be disabled until an update is ready.

We hope you find this helpful to keep your site updated and secure. If you want us to handle it, you can sign up for WP Support HQ here.

Photo by Jamiecat *

WordPress News and Updates on Conversion

As a business using a WordPress website, you want to get the most from your online efforts. You have invested time and money on the design and promotion of your website so that it gets traffic and converts well. However, if you aren’t using A/B conversion testing, your website is under performing in both the traffic it attracts as well as its conversion of that traffic.

If you are familiar with A/B testing, you may be wondering what testing has to do with increasing your traffic levels. If your web page or blog post titles don’t inspire traffic in the SERPs to click through, you aren’t getting the greatest return on your SEO efforts since that traffic is passing up your web page in favor of one of your competitor’s. Improving your titles with testing takes care of the problem.

Likewise, your web page design elements are under performing if you haven’t optimized them with A/B testing. For those unfamiliar with A/B testing, it means testing variations of different page elements to see which improve your conversions.

The fascinating thing about testing is that even small changes can cause big increases in conversion rates. For example, landing page conversion rates are substantially improved when they have images of people. However, you can’t know this for sure on your website without testing because the behavior of traffic can vary depending on the niche. You may also want to test images of different people to further improve conversions.

Nelio A/B Testing

One of the best and most comprehensive testing services for WordPress sites is Nelio A/B Testing. It doesn’t require coding or any other technical skill and works from within your WordPress dashboard. It can test your headlines, pages, posts, products, menus, widgets, and even themes.

The possible range of tests and experiments is enormous. It also includes heat maps that give you a better idea of which page elements produce the most interaction. If you have an e-commerce site based on WooCommerce, you can test product descriptions, images, and names. If you wish, you can allow the software to automatically select the winning test variation and update your website with it.

If you are worried about the processing power requirements slowing down your server, their plugin merely transfers the processing load from your server to theirs in the cloud. This is a service rather than a standalone product purchase. To learn more about its capabilities, you can test it out with their free trial. For more WordPress news and updates that make a difference in how you blog, contact us at WP Support HQ.

Best Plugins for Improving WordPress Speed

Faster-loading websites tend to provide a better user experience. With a platform as open-ended as WordPress, sites sometimes get bogged down, which leads to slow loading times and, worse—frustrated users. Not to worry, as the WP community is prepared to tackle this problem with a host of intuitive plugins to improve WordPress speed.

Make Use of Caching with W3 Total Cache

This plugin tends to fly under the radar, but it’s great for improving the overall speed of your WordPress site. It improves a website’s load time using caching, as well as offering the ability to store information on a cloud-based server. This decreases the load on your server and greatly reduces overall loading time, thus improving the user experience.

Get Rid of Broken Links with Broken Link Checker

Have you ever visited a website, only to leave a short time later because none of the navigation links work properly? Broken links not only slow your site down, they negatively affect the user experience to a huge extent. Your SEO suffers, your users suffer—it’s an all-around bad problem to have.

But who has time to manually click on every link within your website? Thankfully, you don’t have to. Broken Link checker is a simple tool that does exactly what its name implies.

Eliminate Digital Waste with WP Smush

This is an excellent plugin that improves your site’s performance by eliminating the kind of bulky hidden information that attaches itself to images and other site features. Pages will load faster, and images will remain high-res, but the useless junk information is left out. This is a great tool for improving site speed, and thus user experience.

Want to know more about WordPress? Feel free to contact us.