Imagine waking up in the morning, checking your site, and it’s an absolute mess. Your browser flashes a malware warning, your homepage is advertising questionable hair-growth pills, and your website logo has been replaced by a dancing raccoon.

Meanwhile, your inbox is exploding with emails from customers asking if the “crypto investment opportunity” sent by your “company representative” is real or not.

This might sound exaggerated, but the threats behind it are very real. If you don’t take security seriously, any one of them could hit your website sooner rather than later. Here’s how to keep your website secure against common threats.

What is website security?

Website security refers to the steps you take to protect your website from cyber threats and unauthorized access. It involves every level of website architecture, from the server and website files to login credentials and user privacy.

Strong website security builds trust with visitors, keeps your site online, and protects you from potential legal action and other negative outcomes.

What are some common website security threats?

The first step in protecting your site is understanding what you are trying to prevent. Threats include:

• Password breaches: This often happens through brute force, where hackers automatically try out username and password combinations until they gain access to your site.
• Defacement: This is the online form of vandalism. An attacker changes the appearance of your website, often with a message that you’ve been hacked.
• Ransomware: This blocks access to your website and encrypts your files until you pay the attacker.
• Data breaches: Hackers steal confidential information saved on your site to sell on the black market or use for their own purposes.
• Malware infection: Malicious software is injected into your site to spread to visitors, for example, to hijack their computers.
• Denial of service attacks: DoS or DDoS attacks aim to overload your server with traffic or large amounts of data in order to make your website slow or completely inaccessible.
• Cross-site scripting (XSS): Malicious scripts are inserted into web pages so attackers can harvest login credentials and other information from user browsers.
• SQL injections: Code to run database commands and change, delete, or steal data is injected into a site. This may include creating a new user with administrator rights to your website.
• Spam: Filling your website with unwanted ads and malicious links.
• Phishing: Fake login or input forms designed to trick users into entering personal information.
• Botnet recruitment: Hijacking your site and server resources as part of a larger network of compromised sites to carry out attacks.

The scope and variety of online threats make security an issue even for basic websites.

Why does this matter?

The possible outcomes of having your website compromised include:

• Loss of revenue: Downtime, ransom demands, or an otherwise non-functional website can immediately impact your income, especially for e-commerce websites. Plus, recovery usually comes with a price tag.
• Reputation damage: A website that has been defaced, contains spam links, or fails to protect customer data erodes visitor trust and can permanently damage your brand.
• SEO damage: Search engines may lose trust in your site as well, blocking it and tanking your search rankings and traffic in the process.
• Legal problems and fines: Exposing sensitive user data may violate data protection laws like GDPR or HIPAA, leading to potentially hefty fines. People whose personal information was stolen may also sue you.

Lack of website security can greatly damage your business and income — sometimes to the point of no return. And don’t think your site being small means you’re safe. Most hacks are automated, aimed at gaining access over stealing data, and a matter of opportunity, not targeted action.

How to secure your website

Once you understand the risks, the next step is to protect your site. Website security is all about layering protections, not single fixes. Secure your site with these simple steps:

1. Change default CMS settings

Many attacks against WordPress target its default configuration. Therefore, an easy step to make your website safer is to change them. For example:

• Avoid using the username “admin” during setup.
• Use a unique database table prefix instead of the default “wp”.
• Customize your login URL to reduce automated login attempts.

2. Use a secure hosting provider

Your hosting provider is your website’s first line of defense. For that reason, you want to pick one that prioritizes security.

Choose the right type of web hosting for your purpose and skill level. For example, shared hosting runs a greater risk of cross-contamination from other sites on the same server that get hacked. With isolated site infrastructure such as that on WordPress.com Business and Commerce plans, this isn’t an issue.

In traditional hosting, most of managing website security is your responsibility; your hosting provider only takes care of the server. A managed WordPress hosting provider, on the other hand, is much more involved in securing your website. For example, when you host your site on WordPress.com, you benefit from:

• Server environments optimized for WordPress
• Automatic software updates
• Domains with domain privacy
• Downtime monitoring
• A dedicated security team
• Expert WordPress support

Plus, if you host your website on WordPress.com and it gets hacked, we will clean it up for free.

3. Use SSL/HTTPS

HTTPS encrypts the data transferred between your website and visitors’ browsers. This is an effective way to protect sensitive information against cross-site scripting (XSS), man-in-the-middle, or similar attacks. It also displays as a secure padlock icon in the browser and is a sign of trust for your audience.

To enable HTTPS encryption, you need an SSL certificate, which is usually easiest to obtain from your hosting provider. For example, SSL is included by default on all WordPress.com sites, with no setup needed.

4. Configure file permissions correctly

File permissions define who can modify which files on your server. They help prevent unauthorized users or scripts from modifying core files. You can modify file permissions with SFTP/SSH.

On WordPress.com, permissions are set to the above settings by default and should only be changed if it’s absolutely necessary and you know what you’re doing.

On WordPress, files should typically be set to permission level 644 and directories to 755. This balances functionality and security. Avoid setting anything to 777, which allows full read, write, and execute access.

5. Set up security headers

Security headers add an extra layer of protection by controlling how browsers handle your site’s content. They can help prevent vulnerabilities like cross-site scripting and clickjacking, and are an important part of every website.

This topic is very technical, so it’s best to read up on security headers in depth. You can find out if your site is already using them with a security headers scanner. If they’re missing, options to enable them include:

• Using a firewall
• Using some CDNs
• Using WordPress plugins
• Editing server files

6. Implement a web application firewall

A web application firewall (WAF) has the ability to filter and block malicious traffic before it reaches your website. This helps defend against common threats like SQL injections and brute force attacks.

You can get a firewall through your hosting provider, plugins, or external providers. On WordPress.com, Business and Commerce plans include a built-in, managed firewall.

7. Use a content delivery network

A content delivery network (CDN) distributes your website’s content across multiple servers worldwide.

This reduces server load and is often a tool used to improve performance. It helps mitigate DDoS attacks by adding a layer between attackers and your origin server that can absorb some of the excess traffic. Cloudflare is a popular option.

WordPress.com includes CDN functionality powered by more than 28 data centers across six continents.

8. Force strong usernames and passwords

Weak login credentials are one of the most common ways hackers gain access to websites. 

Here are some best practices to prevent that from happening:

• Avoid predictable usernames like “admin” or “user.”
• Use strong passwords with a mix of letters, numbers, and symbols for all entry points to your website, including your FTP, database, and hosting account. You can generate them with the help of a password generator.
• Require the same for all users with access to your site, if necessary with a plugin like Password Policy Manager.
• Consider using separate accounts for site administration and content creation, so as not to display the admin username on your site.
• Be sure to balance safety and usability.

To keep your login pages safe, WordPress.com offers out-of-the-box brute force protection and single sign-on (SSO).

9. Set up multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of protection to site logins. It requires a second verification step, such as inputting a code from an app or text message. This makes it much harder for attackers to log in, even with stolen credentials.

You can add this functionality to your WordPress site using MFA plugins. WordPress.com supports two-step authentication for all users by default.

10. Apply sensible user roles and permissions

WordPress offers several user roles with clearly defined permissions. These let you control who has access to your site and what they can do on it. Here is the full list:

• Administrator: Full access to all site features and settings.
• Editor: Can manage all content, including posts, pages, comments, categories, tags, and media.
• Author: Can create, edit, upload media to, and publish their own posts.
• Contributor: Can write and edit their own posts but cannot publish or upload media.
• Viewer: Can read and comment on private site content.
• Subscriber: Follows your site and receives updates.

It’s a good idea to use the principle of least privilege when assigning roles, which restricts user access to only the functions needed for each job. This reduces the risk of someone breaking something by accident and provides extra protection if an account gets hacked.

You can upgrade permissions temporarily if needed, but be sure to review and update user roles regularly, especially after team changes.

11. Install a security plugin

Security plugins provide extra safety with features like malware scanning, firewalls, and security headers. 

For self-hosted WordPress sites, security plugins cover gaps not managed by your hosting provider. Popular choices are:

• Wordfence
• Really Simple Security
• All-in-One Security

Plugin-enabled sites on WordPress.com don’t require a security plugin, because they come with Jetpack and many other protections built in. Installing a separate security plugin on these sites would likely lead to conflicts.

12. Use trustworthy extensions

Plugins and themes allow you to use WordPress for any purpose and use case, from blogs to personal websites to one-page sites.

At the same time, they can also be a security risk. Poorly coded or abandoned extensions can introduce serious vulnerabilities. In addition, plugins from untrustworthy sources can contain malware, back doors and other unpleasant surprises.

To avoid this, only install plugins and themes from reputable sources, like official WordPress directories. Everything you find there goes through a thorough vetting process before it can be installed on websites. Read reviews, check the update history, and confirm compatibility with your WordPress version before installing.

13. Delete unused plugins and themes

Even inactive plugins and themes can create security risks if they’re outdated or vulnerable. You should deactivate and fully delete anything you’re not actively using.

You should also regularly audit your installed extensions for what you can get rid of. Fewer extensions mean fewer potential points of attack.

14. Keep your website up to date

Updates to WordPress and its plugins and themes often include patches for known security vulnerabilities. For that reason, it’s a good idea to regularly apply them on your site.

As a managed hosting provider, WordPress.com automatically handles core updates and provides tools to update plugins and themes either automatically or manually. You can test updates on a staging site before publishing updates.

15. Set up automatic backups

Backups are one of the most central tools for website security. If you have a recent working version of your site saved somewhere safe, you can restore it to mitigate problems.

For that reason, you should regularly back up both your site files and database, preferably with an automated solution. Be sure to store backups in a secure, off-site location like cloud storage or a separate server.

On WordPress.com, real-time backups and one-click restores are included in the Business and Commerce plans.

16. Limit personal and sensitive data saved on your site

You can’t lose what you don’t have. If your website gets hacked, attackers can only gain access to data that’s stored there. For that reason, be sure to only collect and store the information you need from your users, and follow data protection laws like GDPR when handling personal information.

17. Use an anti-spam plugin

Comment spam is an inconvenience every website owner has to live with. But if you’re not adept at recognizing it, you might inadvertently post links to malicious websites or software on your site, creating legal and SEO risks.

Akismet is an anti-spam plugin that automatically filters out the majority of spam submissions using machine learning and AI. It is included on all WordPress.com plans with no extra setup.

18. Log website activity

Activity logs track user actions and changes made on your site. They make it easier to trace what happened in the event of a breach or other problems.

There are many plugin options to add them to your site and WordPress.com also offers built-in activity logs.

19. Stay informed on current threats

Security threats constantly evolve, so staying informed is essential in order to respond and strengthen your defenses quickly.

Two good resources for the latest vulnerabilities and best practices are:

• US Cybersecurity and Infrastructure Security Agency (CISA)
• Open Web Application Security Project (OWASP) (for developers)

In addition, sign up for security newsletters or alerts from your hosting provider or plugin vendors.

20. Educate and train all website users

Your website security is only as strong as your least-informed user. For that reason, make sure all team members understand security best practices. Train them to recognize phishing attempts and suspicious activity, use strong passwords and MFA, and to not share accounts and reuse credentials.

Keep in mind that website safety includes device security, so be sure to implement malware scans and other security measures on your team’s computers.

21. Scan your site regularly

Scanning your website helps catch vulnerabilities, malware, or suspicious changes early. It lets you know if there is a problem in real-time and prevents threats from going undetected on your site.

You can use automated tools or services to schedule scans daily or weekly. OWASP has a detailed list of options.

On WordPress.com, Jetpack Scan checks every site daily for dangerous plugins, themes, malware, and other vulnerabilities. On higher-tier plans, you also get access to a history of threats identified on your site.

22. Have a recovery plan

No matter how diligent you are, the risk to your website is never zero. If the worst-case scenario happens, advanced preparation will help you stay calm and mitigate the potential damage. 

Put together a recovery plan with information such as:

• Step-by-step instructions for different scenarios
• Who to contact in case of emergency and how
• How to let customers know what’s happening
• Legal requirements for reporting security breaches

Practicing your recovery process ahead of time can save hours or even days during a real incident. And remember, with a WordPress.com plan, site recovery is free.

An ounce of prevention is worth a pound of cure

Investing in security measures for your website is essential for protecting your content, users, and reputation. Threats are real, common, and often automated, and everyone is a target. Fortunately, many of the most effective protections are simple to implement. If you use a high-quality managed hosting provider like WordPress.com, you’re already ahead of the game.

Just keep in mind that security is not a one-time task, but an ongoing process. Regularly review your systems and processes to continue staying safe. If a breach happens, don’t panic, just recover, analyze, and make sure it can’t happen again.

 [#item_full_content]

In April, we launched our AI website builder, opening the door for anyone to turn their ideas into a WordPress.com website—no expertise required. We’ve been listening to your feedback and regularly rolling out improvements and new features that put more creative power in your hands.

Whether you’re dreaming up a business, building your portfolio, or sharing your passion, our goal is to make website creation inspiring, personal, and truly yours—with all the flexibility and ownership WordPress.com is known for. Here’s a quick look at what’s new—so you can spend less time building, and more time growing your ideas

Improved color palettes and font pairings

You asked for more customization, so we delivered! The AI website builder now offers an expanded range of color palettes and designer-curated font pairings — instantly generated to fit your vibe, style, or brand. Personalizing your site is faster and easier, whether you want bold, minimal, playful, or classic — all without any design experience.

Hero sections that stand out

Your homepage hero area is your website’s first impression — and now, our AI website builder creates even more modern, eye-catching hero areas. Instantly get modern layouts, bold headers, flexible intros, and cover images that help your homepage make a strong first impression.

Smarter, custom logos

Site logos just got a big upgrade. Our AI website builder now generates cleaner, more customizable site logos using the latest AI models — including playful cartoon styles, niche aesthetics, bola typography, or anything in between. Just describe the vibe you want, and you’ll get a logo that’s truly yours.

Better images

No more scrambling for the right photo. Now you can whip up fresh images, cover photos, or hero backgrounds for your site in seconds — just by describing what you want (“a cozy café at sunset” or “vibrant tech workspace”), and the AI helps you find or create visuals that fit your vibe.

Edit more, in more places

You can now use the AI website builder to edit your site’s templates — not just individual pages. That means you can easily update your homepage, about page, or any template, and make global changes to layouts, colors, or fonts — all from one place, without jumping between menus. With full template editing, you get even more flexibility and creative control across your whole site — no extra steps required.

What’s next?

We’re committed to making our AI website builder even better. That means regular bug fixes, smarter intelligence, better taste, and an even smoother experience, all designed to help you go from idea to live website with minimal effort. Have a feature you’d love to see? Let us know—your voice shapes where we go next.

Curious? Get started with our AI website builder today.

 [#item_full_content]

​Our favorite zero-drop, minimalist footwear will let you feel the ground beneath your feet. 

​Read More

 Gear, Gear / Buying Guides, Gear / Products / Health and Fitness, Gear / Products / Outdoor, Buying Guide Gear, Gear / Buying Guides, Gear / Products / Health and Fitness, Gear / Products / Outdoor, Buying Guide

WordPress powers over 40% of the web, and much of its flexibility comes from plugins. Plugins are self-contained bundles of PHP, JavaScript, and other assets that extend what WordPress can do—powering everything from simple tweaks to complex business features. If you’re a developer new to WordPress, learning how to build plugins is the gateway to customizing and scaling the platform for any need.

In this guide, you’ll learn the essentials of plugin development, set up a local environment using Studio by WordPress.com, and build a fully functional example plugin. By the end, you’ll understand the anatomy of a plugin, how hooks work, and best practices for a maintainable and secure code.

Table of Contents

• Setting up a local development environment
• Creating your first plugin
• Understanding hooks: actions and filters
• Loading assets the WordPress way
• Optional: Adding a settings screen
• Complete plugin code
• Best practices for plugin development
• Next steps and resources
• Your plugin journey starts here

Setting up a local development environment

Before you write a single line of code, you need a local WordPress environment. WordPress Studio is the fastest way to get started. Studio is open source, maintained by Automattic, and designed for seamless WordPress development.

Follow these steps:

Step 1: Download and install Studio

Visit developer.wordpress.com/studio and download the installer for macOS or Windows.

Step 2: Create your first local site

To create a local site, launch Studio and click Add Site. You’ll see a simple window where you can name your new site. After entering a name and clicking Add Site, Studio automatically configures a complete WordPress environment for you—no command line knowledge needed. Once complete, your new site appears in Studio’s sidebar, providing convenient links to view it in your browser or access the WordPress admin dashboard.

Step 3: Open your WordPress site and its admin section

Click the “Open site” link to open your site in the browser. You can also click the “WP Admin” button in Studio to access your site’s dashboard at /wp-admin. You’ll be automatically logged in as an Administrator. This is where you’ll manage plugins, test functionality, and configure settings.

Step 4: Open the code in your IDE

Studio provides convenient “Open in…” buttons that detect your installed code editor (like Visual Code or Cursor) and let you open your project in your preferred editor. You can configure your default code editor in Studio’s settings. Once opened in your code editor, you’ll have complete access to browse, edit, and debug the WordPress installation files.

Once you have your local environment for WordPress development set up and running, locate the plugins folder . In your project root, navigate to:

wp-content/
  └── plugins/

This is where all plugins live. To build your own, create a new folder (e.g., quick-reading-time) and add your plugin files there. Studio’s server instantly reflects changes when you reload your local site.

Creating your first plugin

Every plugin starts as a folder with at least one PHP file. Let’s build a minimal “Hello World” plugin to demystify the process.

1. In wp-content/plugins/, create a folder called quick-reading-time.
2. Inside that folder, create a file named quick-reading-time.php.

Your file structure should look like this:

wp-content/
  └── plugins/
    └── quick-reading-time/
      └── quick-reading-time.php

Add the following code to quick-reading-time.php:

<?php
/*
Plugin Name: Quick Reading Time
Description: Displays an estimated reading-time badge beneath post titles.
Version:     1.0
Author:      Your Name
License:     GPL-2.0+
Text Domain: quick-reading-time
*/

This header is a PHP comment, but WordPress scans it to list your plugin in Plugins → Installed Plugins. Activate it—nothing happens yet (that’s good; nothing is broken).

Tip: Each header field has a purpose. For example, Text Domain enables translation, and License is required for distribution in the Plugin Directory. Learn more in the Plugin Developer Handbook.

Understanding hooks: actions and filters

WordPress plugins interact with core events using hooks. There are two types:

• Actions: Triggered when WordPress does something (e.g., loading scripts, saving posts).
• Filters: Allow you to modify data before it’s displayed or saved.

Let’s add a reading-time badge using the the_content filter:

function qrt_add_reading_time( $content ) {
    // Only on single posts in the main loop
    if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }

    // 1. Strip HTML/shortcodes, count words
    $plain   = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
    $words   = str_word_count( $plain );

    // 2. Estimate: 200 words per minute
    $minutes = max( 1, ceil( $words / 200 ) );

    // 3. Build the badge
    $badge = sprintf(
        '<p class="qrt-badge" aria-label="%s"><span>%s</span></p>',
        esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
        /* translators: %s = minutes */
        esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
    );

    return $badge . $content;
}
add_filter( 'the_content', 'qrt_add_reading_time' );

This snippet adds a reading time badge to post content using the the_content filter. It checks context with is_singular(), in_the_loop(), and is_main_query() to ensure the badge only appears on single posts in the main loop.

The code strips HTML and shortcodes using wp_strip_all_tags() and strip_shortcodes(), counts words, and estimates reading time. Output is localized with esc_attr__() and _n(). The function is registered with add_filter().

With this plugin activated, each post will now also display the reading time:

Loading assets the WordPress way

To style your badge, enqueue a stylesheet using the wp_enqueue_scripts action:

function qrt_enqueue_assets() {
    wp_enqueue_style(
        'qrt-style',
        plugin_dir_url( __FILE__ ) . 'style.css',
        array(),
        '1.0'
    );
}
add_action( 'wp_enqueue_scripts', 'qrt_enqueue_assets' );

Create a style.css file in the same folder:

.qrt-badge span {
    margin: 0 0 1rem;
    padding: 0.25rem 0.5rem;
    display: inline-block;
    background: #f5f5f5;
    color: #555;
    font-size: 0.85em;
    border-radius: 4px;
}

Best practice: Only load assets when needed (e.g., on the front end or specific post types) for better performance.

With this change, the reading time info on each post should look like this:

Optional: Adding a settings screen

To make the average reading speed configurable, let’s add a settings page and connect it to our plugin logic. We’ll store the user’s preferred words-per-minute (WPM) value in the WordPress options table and use it in our reading time calculation.

Step 1: Register the setting

Add this code to your plugin file to register a new option and settings field:

// Register the setting during admin_init.
function qrt_register_settings() {
    register_setting( 'qrt_settings_group', 'qrt_wpm', array(
        'type' => 'integer',
        'sanitize_callback' => 'qrt_sanitize_wpm',
        'default' => 200,
    ) );
}
add_action( 'admin_init', 'qrt_register_settings' );

// Sanitize the WPM value.
function qrt_sanitize_wpm( $value ) {
    $value = absint( $value );
    return ( $value > 0 ) ? $value : 200;
}

This code registers a plugin option (qrt_wpm) for words-per-minute, using register_setting() on the admin_init hook. The value is sanitized with a custom callback using absint() to ensure it’s a positive integer.

Step 2: Add the settings page

Add a new page under Settings in the WordPress admin:

function qrt_register_settings_page() {
    add_options_page(
        'Quick Reading Time',
        'Quick Reading Time',
        'manage_options',
        'qrt-settings',
        'qrt_render_settings_page'
    );
}
add_action( 'admin_menu', 'qrt_register_settings_page' );

This code adds a settings page for your plugin under the WordPress admin “Settings” menu. It uses add_options_page() to register the page, and hooks the function to admin_menu so it appears in the dashboard. The callback (qrt_render_settings_page) will output the page’s content.

Step 3: Render the settings page

Display a form for the WPM value and save it using the Settings API:

function qrt_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Quick Reading Time Settings', 'quick-reading-time' ); ?></h1>
        <form method="post" action="options.php">
            <?php
            settings_fields( 'qrt_settings_group' );
            do_settings_sections( 'qrt_settings_group' );
            $wpm = get_option( 'qrt_wpm', 200 );
            ?>
            <table class="form-table" role="presentation">
                <tr>
                    <th scope="row">
                        <label for="qrt_wpm"><?php esc_html_e( 'Words Per Minute', 'quick-reading-time' ); ?></label>
                    </th>
                    <td>
                        <input name="qrt_wpm" type="number" id="qrt_wpm" value="<?php echo esc_attr( $wpm ); ?>" class="small-text" min="1" />
                        <p class="description"><?php esc_html_e( 'Average reading speed for your audience.', 'quick-reading-time' ); ?></p>
                    </td>
                </tr>
            </table>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

This function renders the plugin’s settings page, displaying a form to update the WPM value. It checks user permissions with current_user_can(), outputs the form using settings_fields(), do_settings_sections(), and retrieves the saved value with get_option(). The form submits to the WordPress options system for secure saving.

Step 4: Use the setting in your plugin logic

Update your reading time calculation to use the saved WPM value:

function qrt_add_reading_time( $content ) {
    if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $plain   = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
    $words   = str_word_count( $plain );
    $wpm     = (int) get_option( 'qrt_wpm', 200 );
    $minutes = max( 1, ceil( $words / $wpm ) );
    $badge = sprintf(
        '<p class="qrt-badge" aria-label="%s">%s</p>',
        esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
        esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
    );
    return $badge . $content;
}

This function adds a reading time badge to post content. It checks context with is_singular(), in_the_loop(), and is_main_query() to ensure it runs only on single posts in the main loop. It strips HTML and shortcodes using wp_strip_all_tags() and strip_shortcodes()), counts words, and retrieves the WPM value with get_option(). The badge is output with proper escaping and localization using esc_attr__(), esc_html(), and _n()).

With these changes, your plugin now provides a user-friendly settings page under Settings → Quick Reading Time. Site administrators can set the average reading speed for their audience, and your plugin will use this value to calculate and display the estimated reading time for each post.

Complete plugin code

Before we wrap up with best practices, let’s review the complete code for the “Quick Reading Time” plugin you built in this guide. This section brings together all the concepts covered—plugin headers, hooks, asset loading, and settings—into a single, cohesive example. Reviewing the full code helps solidify your understanding and provides a reference for your own projects.

At this stage, you should have a folder named quick-reading-time inside your wp-content/plugins/ directory, and a file called quick-reading-time.php with the following content:

<?php
/*
Plugin Name: Quick Reading Time
Description: Displays an estimated reading-time badge beneath post titles.
Version:     1.0
Author:      Your Name
License:     GPL-2.0+
Text Domain: quick-reading-time
*/

// Register the WPM setting during admin_init.
function qrt_register_settings() {
    register_setting( 'qrt_settings_group', 'qrt_wpm', array(
        'type' => 'integer',
        'sanitize_callback' => 'qrt_sanitize_wpm',
        'default' => 200,
    ) );
}
add_action( 'admin_init', 'qrt_register_settings' );

// Sanitize the WPM value.
function qrt_sanitize_wpm( $value ) {
    $value = absint( $value );
    return ( $value > 0 ) ? $value : 200;
}

// Add a settings page under Settings.
function qrt_register_settings_page() {
    add_options_page(
        'Quick Reading Time',
        'Quick Reading Time',
        'manage_options',
        'qrt-settings',
        'qrt_render_settings_page'
    );
}
add_action( 'admin_menu', 'qrt_register_settings_page' );

// Render the settings page.
function qrt_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Quick Reading Time Settings', 'quick-reading-time' ); ?></h1>
        <form method="post" action="options.php">
            <?php
            settings_fields( 'qrt_settings_group' );
            do_settings_sections( 'qrt_settings_group' );
            $wpm = get_option( 'qrt_wpm', 200 );
            ?>
            <table class="form-table" role="presentation">
                <tr>
                    <th scope="row">
                        <label for="qrt_wpm"><?php esc_html_e( 'Words Per Minute', 'quick-reading-time' ); ?></label>
                    </th>
                    <td>
                        <input name="qrt_wpm" type="number" id="qrt_wpm" value="<?php echo esc_attr( $wpm ); ?>" class="small-text" min="1" />
                        <p class="description"><?php esc_html_e( 'Average reading speed for your audience.', 'quick-reading-time' ); ?></p>
                    </td>
                </tr>
            </table>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Add the reading time badge to post content.
function qrt_add_reading_time( $content ) {
    if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $plain   = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
    $words   = str_word_count( $plain );
    $wpm     = (int) get_option( 'qrt_wpm', 200 );
    $minutes = max( 1, ceil( $words / $wpm ) );
    $badge = sprintf(
        '<p class="qrt-badge" aria-label="%s">%s</p>',
        esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
        esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
    );
    return $badge . $content;
}
add_filter( 'the_content', 'qrt_add_reading_time' );

// Enqueue the plugin stylesheet.
function qrt_enqueue_assets() {
    wp_enqueue_style(
        'qrt-style',
        plugin_dir_url( __FILE__ ) . 'style.css',
        array(),
        '1.0'
    );
}
add_action( 'wp_enqueue_scripts', 'qrt_enqueue_assets' );

You should also have a style.css file in the same folder with the following content to style the badge:

.qrt-badge span {
    margin: 0 0 1rem;
    padding: 0.25rem 0.5rem;
    display: inline-block;
    background: #f5f5f5;
    color: #555;
    font-size: 0.85em;
    border-radius: 4px;
}

This plugin demonstrates several foundational concepts in WordPress development:

• Plugin Header: The block comment at the top registers your plugin with WordPress, making it discoverable and manageable from the admin dashboard.
• Hooks: The plugin uses both actions (admin_init, admin_menu, wp_enqueue_scripts) and a filter (the_content) to integrate with WordPress at the right moments.
• Settings API: By registering a custom option and rendering a settings page, the plugin allows site administrators to configure the average reading speed, making the feature flexible and user-friendly.
• Sanitization and Security: All user input is sanitized, and output is escaped, following best practices to prevent security vulnerabilities.
• Asset Loading: Styles are loaded using WordPress’s enqueue system, ensuring compatibility and performance.
• Internationalization: All user-facing strings are wrapped in translation functions, making the plugin ready for localization.

By bringing these elements together, you have a robust, maintainable, and extensible plugin foundation. Use this as a template for your own ideas, and continue exploring the WordPress Plugin Developer Handbook for deeper knowledge.

Best practices for plugin development

Building a WordPress plugin is more than just making something work—it’s about creating code that is robust, secure, and maintainable for years to come. As your plugin grows or is shared with others, following best practices becomes essential to avoid pitfalls that can lead to bugs, security vulnerabilities, or compatibility issues. The habits you form early in your development journey will shape the quality and reputation of your work.

Let’s explore the foundational principles that set apart professional WordPress plugin development.

• Prefix everything (e.g., qrt_) to avoid name collisions. WordPress is a global namespace, so unique prefixes for functions, classes, and even option names help prevent conflicts with other plugins or themes.
• Escape and sanitize all output and input to prevent XSS and security issues. Always validate and clean data before saving it to the database or displaying it in the browser. Use functions like esc_html(), esc_attr(), and sanitize_text_field() to keep your plugin safe.
• Translate strings using __(), and _n() for localization. Internationalization (i18n) ensures your plugin is accessible to users worldwide. Wrap all user-facing text in translation functions and provide a text domain.
• Use version control (Git) and WP-CLI helpers (wp scaffold plugin, wp i18n make-pot). Version control is your safety net, allowing you to track changes, collaborate, and roll back mistakes. WP-CLI tools can automate repetitive tasks and enforce consistency.
• Ship a readme.txt for the Plugin Directory and changelog. A well-written readme helps users understand your plugin’s features, installation steps, and update history. It’s also required for distribution on WordPress.org.
• Debugging: Enable WP_DEBUG and use tools like Query Monitor for troubleshooting. Proactive debugging surfaces issues early, making them easier to fix and improving your plugin’s reliability.
• Follow the Plugin Developer Handbook and WordPress Coding Standards. These resources are the gold standard for WordPress development, offering guidance on everything from code style to security.

Tip: Adopt these habits early—retrofitting best practices later is much harder. By making them part of your workflow from the start, you’ll save time, reduce stress, and build plugins you can be proud of.

Next steps and resources

You now have a working plugin that demonstrates the three “golden” hooks:

• the_content – injects the badge.
• wp_enqueue_scripts – loads the stylesheet.
• admin_menu – (optionally) adds a settings page.

Where you go next is up to you—try adding custom post types (init), REST API endpoints (rest_api_init), scheduled events, or Gutenberg blocks (register_block_type). The mental model is the same: find the hook, write a callback, let WordPress run it.

Your plugin journey starts here

Every plugin—whether 40 KB or 40 MB—starts with a folder, a header, and a hook. Master that foundation, and the rest of the WordPress ecosystem opens wide. Experiment locally, keep your code readable and secure, and iterate in small steps. With practice, the leap from “I wish WordPress could…” to “WordPress does” becomes second nature.

Ready to build your own plugin? Try the steps above, share your results in the comments, or explore more advanced topics in our developer blog. Happy coding!

 [#item_full_content]

​Save with our roundup of the best Verizon coupons for free iPhone 16 Pros up to $1,100 off new Galaxy phones, and plans up to 50% off this August. 

​Read More

 Gear, Coupons Gear, Coupons

How do you stop a distributed denial-of-service (DDoS) attack? Through a mix of proactive prevention and a solid plan for the worst-case scenario.

DDoS attacks are a growing problem in their frequency, size, and sophistication. According to Statista, the worldwide number of attacks almost doubled from early 2023 to late 2024, peaking at more than half a million in a quarter — that’s almost 5,600 attacks per day.

These attacks don’t just hit government sites or major corporations — even small websites can be targeted. That’s why, as a professional in charge of maintaining a website’s uptime and performance, understanding how to prevent and stop a DDoS attack is critical.

This article covers how DDoS attacks work, how to recognize them, and what to do before, during, and after an attack.

What is a DDoS attack and how does it work?

A DDoS attack against a website or internet service sends overwhelming amounts of traffic to the underlying server or network to make it slow or unavailable. The “distributed” part of DDoS refers to the fact that the attack is carried out by multiple devices at once, usually from different areas of the world.

The devices employed in a DDoS attack are often part of a botnet — a network of machines infected with malware that allow them to be controlled remotely. They can include anything from routers and laptops to home appliances with online capabilities. In 2025, researchers discovered a botnet made of an estimated 30,000 webcams and video recorders.

The spread-out nature of DDoS attacks makes them difficult to trace and fight. The source of the malicious traffic is harder to identify, and distributed attacks can send more requests than single-source assaults. Carrying out such attacks is also increasingly easy with DDoS tools and botnets-for-hire available on the dark web.

The good news is that, due to the effort and cost involved with a DDoS attack, most of them don’t last long. According to Netscout, about 70% of DDoS attacks don’t exceed 15 minutes, and 90% are shorter than an hour.

Types of DDoS attacks

There are three broad types of DDoS attacks that each target different parts of a website’s infrastructure:

• Volumetric attacks: This is the most common type. It aims to consume all available bandwidth by flooding the network with massive amounts of traffic.
• Application layer attacks: A type of attack that overwhelms your website’s server and network with repeated HTTP or database requests.
• Protocol attacks: Also called state-exhaustion attacks, they target network equipment and infrastructure like load balancers and firewalls.

Attackers may also combine several types to make fighting off the attack more difficult.

Why do websites become targets?

Common reasons for being on the receiving end of a DDoS attack are:

• Ideological reasons: Some attacks are politically motivated and target government websites or institutions aligned with causes that the perpetrators don’t agree with.
• Hacktivism: Hacktivist groups have been known to use DDoS attacks to protest war, censorship, or foreign policy decisions.
• Extortion: Criminals may launch attacks to extort money in exchange for stopping the disruption.
• Cyberwarfare: Attacks also happen between countries to disrupt each other’s essential services during a conflict.
• Business competition: Competitors may try to knock rival businesses offline during a key sale or launch.
• Experimentation: Inexperienced hackers might carry out DDoS attacks “for fun” or to test their skills.
• Opportunity: Many attacks are automated and simply happen because a website is vulnerable. It’s random and can even happen to a personal website.

Potential consequences of being attacked

When your website becomes suddenly unavailable to visitors, it can have many negative effects:

• Loss of sales, leads, ad revenue, and other sources of income
• Damaged customer trust, loyalty, and confidence in your product
• Lowered rankings in search results
• Expensive post-attack cleanup and hosting bandwidth fees

Some attackers use DDoS as a smokescreen for other malicious activity, like hacking your site.

A real-world DDoS example

To give you a better idea of what these types of attacks look like, let’s look at some examples.

The largest attack ever reported was a 5.6-Tbps DDoS attack in 2024. At its peak, it was sending 666 million packets per second and lasted 80 seconds. The attack happened as part of a larger campaign of cyber attacks occurring during that period.

How to detect a DDoS attack

The first step in fighting a DDoS attack on your website is spotting it. Here are some telltale signs to watch for:

• Your website or parts of it become extremely slow to load or stop responding altogether, accompanied by error messages and timeouts
• A sudden and sustained spike in traffic, especially from unusual locations and IP addresses
• Server resource usage suddenly maxes out without a corresponding increase in legitimate visitors
• Your hosting provider, monitoring tools, and other parts of your DDoS prevention setup alert you to unusual activity or downtime

Effective DDoS prevention strategies

Stopping a DDoS attack on your website requires a two-pronged approach: setting up a multi-layered defense system that makes these types of assaults difficult and preparing a response plan.

1. Use a hosting provider equipped to deal with DDoS attacks

Your hosting provider is your website’s first line of defense. It’s in charge of the architecture targeted by DDoS attacks. If your host crumbles, your site goes down with it.

The right type of web hosting plays an important role. Unlike traditional, single-server hosting, cloud hosting like WP Cloud can dynamically add computing resources, helping to mitigate DDoS traffic.

In addition, look for hosting features that actively help prevent a DDoS attack. For example, all WordPress.com plans come with built-in DDoS mitigation. They don’t have traffic or visitor limits, so you don’t have to worry about extra costs in the aftermath of a DDoS attack.

2. Invest in website security

Keeping your website secure helps protect against a DDoS attack, as well as being a best practice.

To secure your site, do the following:

• Use strong passwords and credentials for all site users.
• Implement brute-force protection.
• Set sensible user roles and permissions.
• Encrypt website traffic using SSL/HTTPS.
• Perform regular malware scans.
• Keep WordPress updated, as well as updating all plugins and themes (if you’re a WordPress.com customer, all updates are handled automatically).
• Perform regular backups, preferably automated and with one-click restore.

These options are all available with a managed hosting provider like WordPress.com. Best of all, if your site still ends up hacked, cleanup is free.

3. Optimize website performance

Another factor in DDoS mitigation is site performance. A well-optimized site can better withstand unexpected traffic surges. While that won’t stop the attack itself, it can help your site remain partially usable and responsive.

A helpful first step is to test your website with something like WordPress.com’s Website Speed Test Tool and follow the recommendations to improve your site’s performance.

Common ways to make your website more optimized are:

• Compressing images
• Using a fast-loading theme
• Keeping plugins to a minimum
• Implementing caching
• Using a content delivery network (CDN)

Hosting is also a performance factor. On WordPress.com, performance features include servers with high-frequency CPUs and a global edge cache and CDN with 28+ locations, as well as high burst capacity. On Commerce and Business plans, you can activate the Site Accelerator CDN to deliver images and static files more quickly. More information is available in the site performance docs.

4. Monitor network traffic and uptime

You can only identify a DDoS attack when you have the data to spot the signs of one.

An uptime monitoring service sends you alerts via email, SMS, or push notification when your site becomes unresponsive or goes offline. In addition, connecting your site to Google Analytics or a similar solution will help you understand traffic patterns and notice sudden spikes from single countries, IP ranges, or unknown referral sources.

If possible, you may also monitor server performance metrics like CPU load, memory usage, and bandwidth consumption for warning signs.

5. Use a CDN

A CDN is not just a great tool for improving website performance, but also a good countermeasure to DDoS attacks. It’s able to absorb some of the malicious traffic and continue serving site visitors even when another region or the main server is under attack. Cybersecurity experts on Reddit agree that it’s one of the most effective methods.

Look for a provider with an anycast network. This is a setup with one IP address shared across servers in different locations, which allows malicious traffic to be spread out (or diffused) throughout it. This greatly reduces the risk of downtime because no single machine bears the full brunt of the attack.

Cloudflare is a popular CDN provider and it helped stop the record-breaking DDoS attack mentioned earlier in this article. Sites hosted on WordPress.com benefit from integrated Cloudflare features that don’t require extra setup.

6. Set up a web application firewall

A web application firewall (WAF) acts as a gatekeeper between your website and incoming traffic. It can filter requests before they reach your site and thus block common DDoS vectors and diffuse attacks early.

Firewall plugins are one way of adding a WAF to your site. Many security plugins and CDNsinclude a WAF as part of their service.

Finally, your hosting provider can also set up a firewall for you. For example, WordPress.com includes a powerful firewall in every plan, which it manages and updates for you.

7. Apply rate limiting

Rate limiting controls the number of requests a single user or IP address can make to your server in a given time. During a DDoS attack, it acts as a throttle to reduce the impact of malicious traffic without completely blocking legitimate users. This buys time for other defenses to respond and is often part of a firewall.

Rate limiting can apply to login attempts (such as those covered by brute-force protection on WordPress.com), API requests, visits to specific URLs, or other levels of the network.

Use allowlists to exclude known legitimate IP numbers from rate limiting to allow yourself and other website users to continue taking action against an ongoing attack. Use blocklists to keep away repeat offenders or known botnets.

8. Develop a response plan

Even with solid defenses in place, no site is fully immune to DDoS attacks. Creating a clear plan for the worst-case scenario will help you quickly identify, mitigate, and recover from an attack. Do the following:

1. Define team roles and responsibilities, for example, who is responsible for monitoring your alarm systems so you can discover attacks quickly.
2. Document key contacts, communication channels, and login credentials, like your hosting provider’s emergency support.
3. Create a checklist of steps to follow when you suspect a DDoS attack is happening, including how to enable emergency WAF/CDN settings.
4. Plan out your customer communication strategy in case your site becomes unavailable.
5. Practice the response plan with your team along with training for general security practices.

How to deal with a DDoS attack in progress

These steps will help you weather a DDoS attack:

1. Stay calm

Remember, a DDoS attack is more of an inconvenience than it is a real danger to your site. In most cases, your data is safe. Plus, DDoS attacks are usually short-lived and survivable with proper action.

So, take a deep breath, avoid rushed decisions, and start implementing your response plan.

2. Confirm you’re actually dealing with an attack

Not every site slowdown or outage is caused by a DDoS attack. There are other possible reasons, like plugin errors, server misconfiguration, a hosting outage, or sudden traffic increases due to a blog post going viral.

Confirm the cause so you can respond appropriately. Look for warning signs such as:

• Sudden and unusual spikes in visits or requests in traffic logs or analytics
• Repeated requests to the same page or endpoint, like “wp-login.php”
• A flood of requests from a small number of IP ranges or geographic regions
• Messages or alerts from your WAF or CDN provider

3. Contact your hosting provider

Your hosting provider can and should be your strongest ally to stop a DDoS attack. They have the tools, infrastructure, and expertise to help mitigate the impact.

Reach out to your provider’s support team as soon as you suspect a DDoS attack. They can check whether they see the same thing on their end, and may already be taking action behind the scenes.

4. Set your WAF and CDN to emergency mode

Most firewalls and CDNs offer special settings for high-threat situations to keep your site online. For example, on WordPress.com you can enable defensive mode to activate an automated browser challenge for visitors in order to filter out automatic bot traffic.

5. Keep website visitors informed

During a DDoS attack, communication is key to maintaining customer and visitor trust. Use your social media profiles or a status page hosted on another service to share updates and reassure your audience.

Inform users that you’re aware of the issue and are actively working to resolve it. Let customers know which services are affected, especially if you run an e-commerce or membership site. Provide estimated timelines if possible, but avoid making promises you can’t keep.

6. Be patient

DDoS attacks are scary but mostly short-lived. Once your mitigation measures are in place, the best course of action is to simply wait it out.

Focus on monitoring your systems and adjusting filters rather than overreacting or making major changes. Keep an eye on traffic patterns so you know when the attack ends. Then, slowly go back to business as usual but stay vigilant for other threats, like a compromised site or a second wave of attacks.

7. Conduct a post-mortem

After the attack, evaluate its impact and how well your defenses worked. Check which assets were targeted, as well as which parts of your strategy worked and which didn’t. Use the knowledge you gather to improve existing systems and strengthen your site fortifications.

Equip yourself against DDoS attacks on your website

The defense against DDoS attacks starts long before one hits your site. By combining smart infrastructure choices, proactive security practices, and a clear response plan, you can dramatically reduce the risk and impact of an attack.

Looking for hosting with built-in DDoS protection and expert support? Choose WordPress.com and focus on growing your site, not defending it.

 [#item_full_content]

​Save on top services at LegalZoom, like LLC registration, incorporation, estate plans, and more with coupons and deals from WIRED. 

​Read More

 Gear Gear

WordPress.com just made coding from your WordPress admin more powerful and enjoyable. Whether you’re an everyday user or a developer, you’ll have access to modern features like syntax highlighting, autocomplete, and search and replace when you reach for the code editor.

Launched in the last week, we’re bringing enhanced code editors to two aspects of the WordPress.com experience:

• Post and site code editors
• Additional CSS input box

Let’s dive into what this upgraded experience looks like.

Customize block code in the post and site editors

Have you ever opened the Code editor from the block or site editor and been presented with a mass block of nearly unreadable text with no syntax highlighting?

You’ve probably wished for something a tiny bit more sophisticated. Maybe even something that would help you type faster, spot errors easily, or just simply make the code easier to read.

Until now, that didn’t exist unless you installed a custom or third-party plugin to handle it.

Welcome to a new improved experience—now available to everyone:

As you can already see when comparing this screenshot to the previous one, the code is much more readable.

Beautiful CSS in additional CSS code boxes

Writing custom CSS just got a lot better, too. The post and site editors were a welcome improvement, but you’re more likely to actually touch code when writing custom CSS under the Styles panel in the Site Editor.

In the past, you would see something like the following when adding code in the Additional CSS box under the Styles panel:

Now — just like the post and site code editors — you can see your CSS in all its glory, just like it was meant to be:

What features are included?

Some features included in the new code editors are:

• Syntax Highlighting: View your code colorized according to the language, which makes it much easier to understand the structure at a glance and even write your own code.
• Autocomplete: Save keystrokes, prevent errors, and speed up your workflow with a simple autocomplete feature.
• Intelligent Formatting: Enjoy features like line numbers, auto-indentation, and bracket pairing for a smoother experience.
• Language Support: The new editors detect and highlight both HTML and CSS—no more “plain text” boxes for your code!

Oh, and there’s search and replace support too. When viewing inside a code editor, type `Command + F` on Mac or `Ctrl + F` on Windows to pull up search/replace panel at the bottom of editor:

The search/replace feature includes matching by:

• Case (exact match of uppercase and lowercase letters)
• Regular expressions
• Whole word

You can also replace individual occurrences of found matches or all of them in one go.

What’s coming in the future?

With syntax highlighting, autocomplete, and other standard code editing features, WordPress.com bridges the gap between a basic CMS and a powerful code-friendly platform. This is a step forward for developers, power users, and anyone who needs to tinker with code once in a while — without ever leaving the editor.

But this is merely a first iteration of improved code editing across the platform. So I’ll leave the question to you: How would you like to see code editing evolve over time to make your experience more empowering?

Personally, I’d like to see the new features applied to the Code and HTML blocks. Maybe I’ll even have some luck convincing the team to implement one or both.

Regardless, the future is exciting whether you like to tinker with code once in a while or dive into it every day. For now, go try out the new editors and let us know what you think!

 [#item_full_content]

If you’re looking to start a newsletter, you’ve likely encountered two major options: Substack and WordPress. While both can help you reach your audience, they represent fundamentally different approaches to building your online presence. One locks you into a single platform with limited growth potential, while the other provides a foundation you can build on for decades.

In this concise guide, we’ll compare WordPress vs. Substack to help you choose the platform that aligns with your long-term goals as a creator.

Substack: Simple but limited

Substack invented itself as a newsletter-first platform, offering creators a straightforward way to write, publish, and monetize newsletter content.

Substack’s strengths:

• Simple setup: Launch a newsletter quickly with minimal technical knowledge.
• Built-in discovery: Potential exposure through Substack’s recommendation system.
• Integrated monetization: Easy paid subscription setup.

Substack’s limitations:

• Platform dependency: Your entire business exists within Substack’s ecosystem. If they make changes you don’t like—whether to pricing, features, or policies—you’re forced to accept them or start over completely on another platform. 
• Unsustainable revenue sharing: Substack takes 10% of your subscription revenue forever. This becomes extremely expensive as you scale. A creator earning $5,000 pays Substack $500 per month.
• Limited customization: Substack offers minimal branding and design options. Your newsletter looks like everyone else’s, making it difficult to establish a unique brand identity.
• Growth ceiling: While Substack has expanded beyond newsletters to include podcasts and video, it remains limited to basic communication mediums. You can’t easily sell products, courses, or memberships without using separate platforms.
• Platform evolution: Substack has increasingly focused on social features like tweets and shorts. This shift toward chasing cheap engagement rather than fostering meaningful creator-audience relationships contradicts why many chose newsletters in the first place.

WordPress: Built for ownership and growth

WordPress powers over 40% of all websites because it offers something Substack can’t: complete ownership and unlimited potential for growth. As the world’s most popular website software that’s endured for decades, WordPress provides the foundation for creators who want to build something lasting.

WordPress’ strengths:

• Complete ownership: With WordPress, you own your content, data, and audience without being locked into any single company’s platform. Your website, subscriber list, and content remain under your control regardless of what happens to hosting companies or service providers.
• Unlimited customization: WordPress offers thousands of themes and plugins, allowing you to create exactly the newsletter and website experience you envision. Want specific colors, fonts, layouts, or functionality? WordPress makes it possible through extensive customization options.
• Platform Independence: WordPress is portable. You can move your site between hosting providers, change themes, or modify functionality without losing your content or starting over. This flexibility ensures you’re never trapped by a single company’s decisions or policy changes.
• Superior SEO capabilities: WordPress sites consistently rank higher in search engines thanks to clean code structure, SEO plugins like Yoast and RankMath, and complete control over technical optimization. This means new audiences can discover your content organically.
• Unlimited growth potential: Start with a newsletter and seamlessly expand:
  • Full website
  • Sell products
  • Online courses and membership areas
  • Podcasts and multimedia content
  • Community forums

WordPress’ limitations:

• Technical knowledge: Self-hosted WordPress requires a basic understanding of web hosting, domain management, and website maintenance. While many hosting providers offer one-click WordPress installation, you’ll still need to handle updates, backups, and security measures. But there are hosts like WordPress.com that can handle all of that for you.
• Plugin and theme management: With thousands of plugins and themes available, choosing the right combination can be overwhelming. Some plugins may conflict with each other or slow down your site, requiring careful selection and testing.

WordPress.com Newsletter: Best of both worlds

WordPress.com Newsletter offers the same benefits of WordPress while removing the complexities of WordPress behind the scenes. It’s easy to start a newsletter or a full website, grow your audience, and build meaningful connections.

WordPress.com’s strengths

• All the benefits of WordPress listed above
• Creator-first pricing: Start completely free with unlimited subscribers and sends. Upgrade your plan to reduce fees, all the way down to 0%. This can add up to thousands of dollars in savings as you grow your subscriber list.
• The calm platform: For those that are trying to leave “always-on” social media platforms, WordPress.com offers a thoughtful platform focused on meaningful creator-audience relationships without the anxiety of chasing trends or social media metrics.
• Built for growth: Transform your newsletter into a full website, add e-commerce functionality, create membership areas, or expand into any direction your creativity takes you—all without changing platforms.

WordPress.com’s limitations

• Discovery ecosystem: While WordPress.com offers the Reader and other discovery features, it isn’t as strong as Substack’s recommendation system. Building your initial audience may require more active promotion and SEO efforts.

Head-to-Head comparison

When to choose each platform

Choose Substack if:

• You want the fastest possible setup
• You’re comfortable with permanent platform dependency
• You don’t mind paying 10% of your revenue indefinitely
• You have no plans to expand into e-commerce, courses, or forums
• You’re willing to accept limited customization and branding options

Choose WordPress if:

• You want to own your platform and audience completely
• You value long-term cost savings over short-term convenience
• You plan to grow beyond newsletters into a full online business
• You want superior SEO and organic discovery capabilities
• You prefer maximum customization and branding control
• You want the security of platform independence
• You’re comfortable with some technical maintenance

Specifically Choose WordPress.com Newsletter if:

• You want WordPress without technical complexity
• You need professional newsletter features with creator-friendly pricing
• You want to start free and scale affordably
• You value a calm platform, free from social media style tweets and shorts
• You value having your online presence integrated under one platform

Setting up your newsletter with WordPress

Option 1: WordPress.com Newsletter (recommended for most creators)

1. Visit WordPress.com/newsletter and select “Start my newsletter”
2. Go through the onboarding checklist to finish setting up your newsletter

Option 2: WordPress + Jetpack Newsletter

1. Choose a WordPress hosting provider like Pressable or Bluehost
2. Install WordPress (most hosts offer one-click installation)
3. Install and activate a Jetpack, which is made by the people behind WordPress.com, and offers all of the same benefits as WordPress.com Newsletter
4. Configure Jetpack Newsletter settings

Option 3: Add Newsletter to an existing WordPress.com site

1. Add a Subscribe Block or Newsletter Subscription Pattern to your existing site
2. Update Newsletter settings to your liking.

Importing from Substack to WordPress.com

If you’re ready to make the move from Substack, migrating to WordPress.com is straightforward:

1. Export your Substack content and subscribers
2. Visit the content importer by visiting Tools -> Import
3. Import your content to WordPress.com
4. Import your subscribers to WordPress.com
5. Update your Newsletter settings

Your questions answered

How much does WordPress.com Newsletter cost compared to Substack? WordPress.com Newsletter starts free with unlimited subscribers and sends. Paid plans offer lower transaction fees (down to 0%) compared to Substack’s permanent 10% revenue share. See our detailed cost comparison to understand potential savings.

What does “owning your content and subscriber list” actually mean? It means your content and audience data belong to you, not the platform. You can export everything at any time, switch to different hosting, or change platforms entirely. With Substack, your audience relationship is mediated through their platform—if they change policies or shut down, rebuilding becomes much more difficult.

Can I customize my WordPress newsletter’s appearance? Yes, extensively. WordPress.com offers numerous themes, color schemes, custom fonts, logos, and layout options. You can create a unique brand identity rather than looking like every other newsletter on the platform.

How do I know WordPress is reliable for email delivery? WordPress.com sends over 20 million emails daily with excellent deliverability rates. This infrastructure has been refined over 17+ years and includes proper authentication, spam protection, and delivery optimization.

Is it really easy to import from Substack? Yes. WordPress.com’s import process handles both content and subscribers. The technical migration typically completes in hours, though you may want to spend additional time customizing your new site’s appearance and features.

Can I start free and add paid subscriptions later? Absolutely. This is one of WordPress.com’s key advantages—start building your audience for free, then add monetization when you’re ready, with much lower fees than Substack.

Your newsletter deserves a forever home

Choosing a newsletter platform isn’t just about today—it’s about where you want to be in five years. Substack might offer quick setup, but WordPress gives you a foundation that grows with your ambitions.

WordPress represents a fundamentally different philosophy: instead of renting space on someone else’s platform, you’re building a forever home on the open web. A place where you make the rules, keep more of your revenue, and never worry about platform changes affecting your business.

Whether you choose WordPress.com Newsletter for the perfect balance of power and simplicity, or self-hosted WordPress with Jetpack for maximum control, you’re choosing ownership over dependency, flexibility over limitations, and unlimited potential over artificial constraints.

Your brand deserves a home you own.

Start your WordPress.com Newsletter today or learn more about migrating from Substack to begin building your audience on a platform you truly control.

Have you made the switch from Substack to WordPress? Share your experience in the comments below!

 [#item_full_content]

Changing your domain name can feel intimidating and isn’t without risks. If done carelessly, it can lead to broken links, lost traffic, and a drop in search rankings. At the same time, it can also be a chance to rebrand, upgrade to a more memorable website address, and improve your SEO.

The difference simply lies in careful planning and execution. In this tutorial, you’ll learn everything you need to know to change your website’s domain name with as little hassle as possible.

Why change your domain name?

Your site’s domain name is a very important part of branding, which is why you usually want to keep it as is. Then again, there are also many valid reasons to switch.

For example, you might have changed your company or blog name and want your domain to match it. Or maybe your business has changed, and your current domain no longer accurately represents what you do.

Another possibility is that you found a better, shorter, more memorable, or more professional domain.

You might also only want to change the domain extension, such as when relocating your business and going for a country-specific TLD like .de, .fr, or .co.uk. Domain changes also happen for legal reasons, such as trademark conflicts.

Finally, you might aim to improve your SEO with a more relevant domain or distance yourself from an old name that carries a damaged reputation.

No matter the reason, a domain change can be a smart move if you plan it carefully and with a clear purpose in mind.

Challenges to be aware of

Switching to a new domain name is not without risks. Discussing them isn’t meant to scare you off, but to stress the importance of preparing well. Most of the risks can be minimized or avoided entirely, and if your reasons for changing your site’s domain name are good, the effort is usually worth it.

Loss of branding

Making the switch without communicating it can negatively impact your audience’s brand association that you worked so hard to build. Returning visitors might not recognize your site right away and think it has shut down or moved.

In addition, any other marketing material your domain name was part of, such as logos, slogans, social media presences, or printed materials, may need updates.

SEO implications

Your site will likely experience a drop in rankings and website traffic after the domain change. This is a normal part of the process and is usually temporary. Search engines need time to recrawl and re-index your site under the new domain.

You do, however, need to do the necessary work to maintain your rankings. For the most part, that means putting redirects in place to make sure traffic from search engines, backlinks, and other sources is sent to the correct (new) address.

Costs involved

Changing your domain name isn’t just a technical task, but can come with financial costs:

• More expensive fees for the new domain.
• Paying for two domains during the transition period.
• Design costs, such as for logo changes and reprinting branded materials.
• Technical costs like development time or a new SSL certificate.
• Additional marketing costs to promote the new domain.

While not all of these costs apply in every case, it’s important to budget for them in advance.

Website downtime and technical issues

There can be technical hiccups as well, such as:

• Lengthy DNS changes may cause your site to become temporarily inaccessible.
• Redirect mistakes can lead to broken pages or errors.
• SSL certificates may not transfer automatically and may stop working.
• Email services connected to your domain can be disrupted.
• Third-party integrations and APIs may need reconfiguration.

These issues are usually temporary, but even a short period of downtime can affect visitor trust and search engine rankings.

Time investment

Even with a clear plan, transitioning to a new domain involves many small steps, most of which need to be done by hand. It can be time-consuming, but it’s critical for success.

Expect the process to take several hours at minimum, and potentially days depending on the complexity and size of your site. It’s better not to rush than deal with time-consuming problems later.

Changing your domain: A step-by-step guide

Here’s how to switch domains with minimal disruption.

1. Choose and purchase your new domain

The process of choosing a domain is worth its own article, so we won’t go over it in detail here. You can register domains from any registrar. When using WordPress.com, you get domain privacy and super fast DNS included. Just saying.

Use our domain search tool to find your desired name:

Make your choice, then continue to the checkout and complete your purchase. That’s it.

Tip: Do you want your domain and hosting under one roof? Switch to WordPress.com’s world-class secure hosting using our hassle-free site migrations and get a free domain for the first year (on annual plans). You can also move your existing domain and manage everything in one place.

2. Plan your redirects

A redirect is like a virtual signpost showing that a web page has moved. It automatically sends visitors and search engines from an old address to the new one.

If you change your domain name without redirects, old links to your site in search results, other websites, and social media will lead to broken pages and 404 error messages. That’s why they are essential to preserve traffic, SEO value, and usability, and need to be planned in advance.

There are different kinds of redirects. The one most relevant here is the 301 redirect, which signals that a page has permanently moved.

Make a list of your most important pages — blog posts, product pages, landing pages, and any content that gets consistent traffic — and plan their counterparts on the new domain.

For detailed information, check out our online course lesson on redirects.

3. Notify your audience

Once you are ready to execute the domain change, let your audience know about it ahead of time. Send out an announcement via email, blog post, or banner on your site.

Clearly explain that only the address will change, not the content or company behind your website. Use this opportunity to reinforce your branding and highlight improvements that come with the change.

4. Change DNS records

DNS stands for “Domain Name System.” It’s a network of servers containing the information regarding which domain points to which server. It’s essentially the internet’s phone book (if you are old enough to remember those).

To change domains, you need to update your new domain name’s DNS settings so it is connected to your server and site. This process isn’t instantaneous — the changes have to register or “propagate” globally, which takes up to 48 hours, but usually happens much sooner.

Here’s where to direct your new domain depending on your use case:

• If all you are doing is switching the domain name, aim it at your existing website. Your site will simply have two domains for a while, allowing you to switch once ready with no downtime.
• Should you be changing hosts too, point the new domain to your new server instead, and keep the old site live as is for now. This allows you to migrate your content and prepare the new site without affecting your current web presence. You can update the DNS to point the old domain to your new hosting provider once ready.

You can manage your domain’s DNS settings through your domain registrar or a management panel like cPanel, and it roughly looks like this:

1. Get your hosting provider’s nameserver address(es). It will be something like “ns1.example.com” and “ns2.example.com.”
2. Log in to your domain registrar account and find your new domain’s DNS or nameserver settings.
3. Update the A records with your hosting provider’s nameservers.
4. Save the changes.

Make sure to back up the DNS records from your old domain in case you need them later!

In WordPress.com, you manage your site domains under Upgrades → Domains (or Hosting → Domains if you are using WP Admin).

If you purchased your domain together with hosting, it’s automatically connected to your site. You also have the option to switch transferred domains to the WordPress.com nameservers with the click of a button.

You can learn all about it in our detailed instructions for changing nameservers, including alternative methods, and more information about DNS on WordPress.com.

5. Back up your existing website

Always back up your website in full before making major changes like switching your domain name. On a managed hosting provider like WordPress.com, backup is done for you, and you can restore your site with one click.

When self-hosting your website, use a backup plugin like Duplicator or back up your site manually. Make sure to save both your database and website files. For even more security, download your backup and store it in multiple places.

6. Switch the domain in your CMS

The upcoming steps will all directly impact your site’s usability and — possibly — availability. Therefore, if you are not switching your host along with your domain and only have one version of your site, it’s highly recommended that you use a staging site first before making changes to your live website.

When the DNS changes have propagated, it’s time to update your site to use the new domain. In WordPress, you usually do this under Settings → General. Fill in the new domain under WordPress Address (URL) and Site Address (URL), then save at the bottom.

Both settings should include the https:// or http:// part and not have a slash (“/”) at the end.

Depending on your hosting provider, these settings may also be located elsewhere. For example, on WordPress.com, you change your website’s primary domain in the aforementioned Upgrades → Domains.

An important consideration for this step is your SSL certificate. You need to ensure it is active and valid for the new domain. On WordPress.com, SSL/HTTPS is included with every plan.

7. Update links in your database

After changing your domain, all WordPress page and menu links will switch automatically as well. However, you likely still have manually created links pointing to the old domain in posts, pages, and elsewhere.

The easiest way to update those is to replace them in your website’s database. WordPress has several plugin solutions for this, like Update URLs.

Alternatively, you can also use a tool such as the database search and replace script by Interconnect, SQL commands inside phpMyAdmin, or WP-CLI. Double-check your input and run a preview or dry run to see if your tool supports it and avoid making mistakes!

8. Implement redirects

Now the only thing left is to set up redirects from your old to your new domain. You have two main options for that, depending on your scenario:

1. Set up redirects on the old server: When you move hosting providers along with switching your domain name, you can keep your old website around, but redirect it completely. In this case, you do NOT change the DNS record of your old domain to the new host.
2. Redirect on the new server: If you plan on directing your old domain to your new host, redirects have to be in place on the new server. That’s because, once you change the DNS records of your old domain, anyone who uses it will arrive at the new server and need to be redirected to the right location from there.

A plugin like Redirection is great for self-hosted sites where you will keep the old website around, at least for a while. It has a dedicated option to move your entire site.

There are also SEO plugins that help you set up redirects, like All in One SEO.

A comfortable solution for implementing redirects on the new server is your .htaccess file. Place the following code at the top of the file and make sure to replace the example domains with your old and new domains:

RewriteEngine On

RewriteCond %{HTTP_HOST} ^olddomain.com$ [OR]

RewriteCond %{HTTP_HOST} ^www.olddomain.com$

RewriteRule ^(.*)$ https://newdomain.com/$1 [R=301,L]

Tip: On WordPress.com, redirecting your website is super easy. It happens automatically when you change the primary site address.

9. Check site links thoroughly

Once redirects are in place, be sure to test them! Access your most important pages via your old domain and see if you land in the right place. You can also use a bulk redirect checker to test multiple links at once.

While you are at it, look for any broken links on your site and correct or redirect them as well. You can find them with a plugin like Broken Link Checker. The aforementioned Redirection plugin also tracks 404 errors, so you can easily point them to the right location.

Another option is advanced tools like Sitebulb or Screaming Frog.

Once you’re done with that, if you’ve been working with a staging site so far, now is the time to move your changes over to your live or production website.

10. Signal the domain change in Google Search Console

To preserve your SEO rankings and speed up the reindexing process, Google needs to be notified that your website has moved to a new domain. To do that, both your old and new domain names need to be set up and verified in Google Search Console.

Open the old domain property and use the Change of Address tool under Settings.

Select your new domain from the drop-down menu and click Validate & Update.

In addition, prepare and submit a new sitemap for your new domain under Indexing → Sitemaps.

Do the same for other webmaster tools you might have connected to your site.

11. Update Google Analytics

The last step is confirming your change in domain in Google Analytics so you can continue tracking your traffic correctly. Log in to your Google Analytics account and go to the Admin panel, and then to Data streams under Data collection and modification.

Edit the stream details to use your new domain’s URL.

Ensure the existing tracking code is installed on the new domain and working properly. If you plan to track traffic for both domains, make sure to enable cross-domain measurement.

Next steps

The domain switch is done, but a few follow-up steps help ensure everything continues to run smoothly:

• Stay on top of analytics and Search Console: Watch for crawl errors, indexing issues, warnings, and unexpected changes in traffic patterns to catch problems early.
• Update robots.txt: Check your robots.txt file for any hard-coded links to the old domain, such as the sitemap URL.
• Revise social profiles: Update the website URL on all your social media accounts to reflect the new domain.
• Adjust email addresses: Change any email addresses that used your old domain. On WordPress.com, you can use email forwarding for that.
• Migrate backlinks: While redirects should do a good job of preserving the SEO value of your backlinks, it’s a good idea to reach out to websites that have linked to your site and politely ask them to update the links to your new domain.
• Disconnect and cancel the old domain: Monitor traffic and indexing to ensure the new domain has fully replaced the old one in search results before canceling the old domain. Google recommends maintaining 301 redirects for at least 12 months to preserve SEO value. 

Change your domain name with confidence

A domain name isn’t just an address — it’s part of the brand and identity of your site and business. Changing it can feel like a risk, but it can also be an opportunity to grow, move forward, or start fresh.

What matters most is that you take your time. Switching to a new domain is a process with many steps that requires careful planning and attention to detail.

Of course, having a good partner on your side makes it easier. Choose WordPress.com and comfortably manage domains and redirects right from your site backend.

 [#item_full_content]

Imagine publishing once and instantly reaching engaged readers across dozens of platforms—without ads, algorithms, or corporate interference. That’s the power of the Fediverse. You can expand your reach to millions of potential readers while maintaining full control over your content and audience relationships. WordPress.com’s newest ActivityPub features make joining this thriving network of independent creators simpler than ever. 

A smoother start with the new onboarding experience

Trying something new can feel overwhelming, so we’ve added a step-by-step guide that walks you through everything ActivityPub can do. When you turn it on, you’ll get a quick tour of the basics: what ActivityPub is, how it helps you connect your blog with the wider Fediverse, and where to find all your new settings. We’ll even show you the special editor blocks you can use to highlight your Fediverse profile right on your site.

Customize your Fediverse presence

When your blog appears on other Fediverse platforms like Mastodon, these new settings help shape how your content and identity are presented. Each platform might display things a little differently, but customizing these options helps your blog stand out and feel more welcoming to potential followers.

Here’s what you can personalize:

• Avatar: This is the small image that shows up next to your posts and comments across the Fediverse. By default, it’s your WordPress.com Site Icon. Want to change it? Just update your Site Icon in your General Settings—a clear, recognizable image works best.
• Header Image: The header is a big banner that sits at the top of your blog’s profile on Fediverse platforms. You can upload something that reflects your style or what your blog is about, or leave it blank if you prefer.
• Description: This is your blog’s short bio. By default, it uses your WordPress tagline, but you can write something custom to introduce your blog to new followers.
• Extra Fields: Add links to your homepage, social profiles, pronouns, or anything else you want people to see. You can edit, add, or organize these fields however you like.

See and manage your followers

Curious about who’s following your blog from across the Fediverse? Now you can see a list of your followers, complete with profile details and the last time they interacted with your site. It’s a simple way to keep track of your growing audience.

Ready to try it out?

If you haven’t enabled ActivityPub yet, it’s easy to get started!

Just head to Marketing > Connections in your WordPress.com dashboard and activate the Fediverse feature. Once it’s on, you’ll find all the new settings under Settings > ActivityPub.

We can’t wait to see how you use these new features to connect with even more people across the Fediverse!

 [#item_full_content]

How do you fix a hacked website? How can you tell if your website has been compromised? What can you do to prevent it from happening again in the future?

This guide will cover each of these questions in detail. So, if you are currently dealing with a website that’s been infiltrated by a hacker, you’ll know exactly what to do about it by the end of this article.

How websites get hacked

How do website hacks happen in the first place? Here are some of the most common ways ill-minded individuals gain access:

• Poorly secured web hosting: For example, weak server configuration or a lack of separation between sites.
• Compromised login credentials: Typically through brute-force attacks, credentials leaked in another breach, or those obtained via phishing.
• Outdated WordPress core, plugins, or themes: They often contain known security flaws that hackers can easily exploit.
• Extensions from untrustworthy sources: Nulled or unofficial plugins or themes frequently contain hidden malware and backdoors.
• Injection attacks: A poorly secured site may allow hackers to execute scripts on your site to access your database, inject malicious code, or breach it.

Why hackers target websites

You might think your site is safe because it’s small and unknown, but this is a common misconception.

Most website hacks aren’t personal or planned, but simply a matter of opportunity. Automated bots scan the internet for potential targets, and if your site is vulnerable, it may become subject to an attack.

Why do hackers do this? For various reasons:

• Data theft: Hackers harvest emails, passwords, and customer info to resell or use in future attacks.
• Install malware: They use your site to infect your visitors’ devices with harmful software.
• Traffic redirection: Visitors are sent to shady, scammy, or fraudulent websites.
• Hijack server resources: Sometimes hackers secretly use your server’s processing power to mine cryptocurrency, send email spam, or carry out DDoS attacks.
• Phishing: Fake login or payment pages steal credentials from users.
• Ransom demands: Here, attackers lock you out of your site and ask for payment to get back in.
• Hacktivism: Some people disrupt services or deface websites to push a political or ideological message.
• Fun, practice, or testing: Hackers may just target you because they can, to improve their skills, or to test new attack methods in the wild.

What happens when your site gets hacked?

Some attacks are obvious, like finding your homepage vandalized, your site filled with spam content, redirects to other websites, or pages you didn’t create. Others are more subtle:

• Website unavailable: Your site shows a blank page or the “white screen of death.”
• Security warnings: Alerts from browsers, Google Search Console, or sites like Google Transparency Report, Norton Safe Web, or your hosting provider that indicate that your site is unsafe, contains malware, or has been blocked/suspended.
• Traffic changes: Unusual visitor patterns, like an influx from unexpected countries or a sudden drop in website traffic.
• Unknown admin users: Suspicious new user accounts in your dashboard or existing users whose privileges have been escalated.
• Strange files in your webspace: Files or scripts you don’t recognize, or server files containing unusual code.
• Suspicious activity: Login attempts, file edits, or plugin changes you didn’t make show up in your activity log.

In addition to these visible problems, a hacked website can have serious, long-term consequences for your business, site, and bottom line. It can result in a loss of revenue, traffic, and search rankings, as well as harm your brand reputation. Cleanup can be time and cost-intensive; you might run into legal issues, lose important data, and have to pay higher hosting and security fees in the future.

Overall, it’s a scenario best avoided, but what do you do if it’s too late for that?

Fixing a hacked website — Phase 1: Check site access

When dealing with a hacked website, the first step is to find out what level of access you still have to it.

1. See if you can log in

Try logging in to your WordPress admin dashboard. It’s usually located under yoursite.com/wp-admin.

If the login screen doesn’t appear or redirects elsewhere, skip ahead to downloading and cleaning up your website files first. Otherwise, try your normal username and password. Should that not work, try the password recovery.

In case neither of these steps is successful, you can access your database (e.g., via phpMyAdmin) and check the wp_users table to confirm your admin account still exists.

If it does, you can reset your password directly in the database or even create a new admin user to regain access. It’s also possible to reset your password using FTP and WP-CLI.

2. Switch your site to maintenance mode

Once you can access your backend, it’s best to make your site temporarily unavailable. This helps you protect your site visitors and reputation from further harm while you fix the hacked website. The best option for that is to put it into maintenance mode.

You can use a maintenance mode plugin or set up an HTML file for that. Some CDN providers also let you put up a maintenance mode screen, such as Cloudflare.

Phase 2: Secure the site

Next, it’s time to start regaining control of your site.

3. Talk to your hosting provider

Your host should be one of your first ports of call and also your strongest ally in case of a website hack. For example, at WordPress.com, you can trust our security features to the point that, should a site we host become compromised, we remove the hack for you. Just contact WordPress.com support, and we’ll help you right away.

Even if you host your site elsewhere, you should get in touch with your provider. On some types of hosting, such as shared hosting, the hack could have originated from another website on the same server. In that case, your site would likely just become compromised again, no matter what you do.

Speaking to your host will also let you know about any assistance they offer to fix your hacked website and if temporary account restrictions or suspensions are in place. They might also be able to give you an indication of when and how the hack happened via access and error logs.

4. Back up your site in its current state

Save a copy of your site — even if it’s compromised. It lets you preserve recent content, conserve evidence to analyze the source of the hack, and allows you to restore your site should something go wrong during recovery.

Make sure to back up both your site files and database. Use your hosting control panel, SFTP, or a backup plugin. Managed hosting providers like WordPress.com usually offer automatic backups. On our Business and Commerce plans, you can restore from backup with one click and also download site backups.

You can spin up your copied site in a local development environment, for example, using WordPress.com’s Studio, to analyze it later or perform your cleanup there.

5. Restore from a recent clean backup (if possible)

If you had the foresight to set up an automatic backup solution, restoring from a recent clean site copy is often the easiest way to fix your hacked website.

Make sure the backup predates the hack or suspicious activity. If possible, first load it on a staging site to run diagnostics before restoring.

Be aware that restoring doesn’t remove the original vulnerability. You’ll still need to investigate how the hack happened to prevent reinfection.

Phase 3: Lock it down

This phase is all about closing off common entry points into your site.

6. Go through your user accounts

Hackers who gain access to a website frequently create an admin user account for themselves. This gives them a quick way back into the site and is often easy to disguise.

Therefore, review all accounts in your WordPress User menu and/or database.

Look for unfamiliar usernames, especially with admin privileges and delete or downgrade them. Document any changes you make and do the same with other accounts associated with your site, like hosting, FTP, email, CDN, and third-party tool credentials.

7. Change all passwords

Next up, lock down the accounts you’ll keep by changing their passwords. On your site, you can reset passwords for all users and enforce strong passwords with plugins like Emergency Password Reset and Password Policy Manager.

Another step is to implement multi-factor authentication, so users have to confirm their login with a code sent to their email address or mobile phone. Again, do the same for other accounts associated with your site.

If you want to go a step further, reset your database username and password as well. Don’t forget to update wp-config.php to reflect the new values; otherwise, your site won’t work.

Lastly, replace the SALTs in wp-config.php. These are security keys used to encrypt login sessions and cookies, and look like this:

define( 'AUTH_KEY',     'put your unique phrase here' );

define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );

define( 'LOGGED_IN_KEY', 'put your unique phrase here' );

define( 'NONCE_KEY',    'put your unique phrase here' );

define( 'AUTH_SALT',    'put your unique phrase here' );

define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );

define( 'LOGGED_IN_SALT',   'put your unique phrase here' );

define( 'NONCE_SALT',   'put your unique phrase here' );

Visit the official SALTs generator and copy a new set over the existing ones in your file, then save and re-upload it. This will force all users (including hackers) to be logged out immediately. The aforementioned Emergency Password Reset plugin can also do this for you.

8. Update all software

Your website hack might have happened via outdated and vulnerable files. Besides that, hackers like to modify core files to make reinfection easier.

That’s why an important step to fix your website after it’s been hacked is to update all its software to the latest version. This means WordPress core and all plugins and themes.

If you can’t access the admin dashboard or the automatic update isn’t working, download the files from WordPress.org and install them manually via FTP.

Be sure to preserve the wp-content folder and don’t overwrite wp-config.php. In addition, remove any unused, outdated, or unsupported plugins and themes, and consider updating server software like Apache or your PHP version.

By the way, WordPress.com keeps your WordPress version updated automatically, and you can activate the same for plugins and themes.

Phase 4: Remove hidden threats

This phase is about digging deeper to find hidden code snippets and backdoors. These are entry points hackers like to leave behind so they can regain access to your site even after you cleaned it up.

9. Check your website files

Hackers can include malicious code in many parts of your website. One common hiding place is the wp-content folder. It doesn’t get replaced during updates, so files added to it stay safe unless removed manually. Check it for hidden PHP files, especially in the uploads folder, child themes, inactive themes, and plugins. If you can’t access your site at all, try renaming folders, like the plugins directory.

In addition, examine your current theme’s files for unfamiliar code. Download a clean copy of your theme from the WordPress directory or your vendor (make sure to get the same version as your site) and use a tool like Diffchecker to see if there are any differences between files.

You can also do file comparisons via SSH.

Malicious code frequently appears at the top or bottom of files, often encoded or obfuscated using functions like:

• base64_decode()
• eval()
• gzinflate()
• preg_replace()
• str_rot13()

You can use tools like Base64 Decode, UnPHP, or UnPacker to decode it.

Especially pay attention to files such as:

• functions.php
• header.php
• footer.php
• index.php
• wp-config.php
• wp-load.php

In addition, look for oddly named or slightly misspelled files like wp-logon.php or wp-config1.php.

Additionally, open the .htaccess file and look for suspicious code and redirect rules that don’t belong there. Besides that, check for additional .htaccess files in wp-content and its subdirectories. You may also want to check your file permissions.

If this seems to be outside of your skill set, get professional help or use a security plugin or malware scanner like Jetpack, WordFence, MalCare, or Sucuri Security.

10. Clean up the database

The WordPress database is another place you need to examine after a website hack. Cleaning it up manually is a painstaking process, especially if your database is very large. Therefore, the easiest way is usually to scan it with a plugin like those mentioned above.

You can also access your database with the aforementioned phpMyAdmin or a similar tool and look for problems by hand, such as:

• Hidden spam content in the wp_posts table.
• Keywords like eval, base64, gzinflate, preg_replace, or assert.
• Common spam terms like “gambling.”

Be sure to always back up your database before making any manual edits. If unsure, export it and compare the database to a clean version from a backup.

Phase 5: Recover and relaunch

After fixing your hacked website, it’s time to bring it back online.

11. Reupload clean site files

Upload your files and database from your local install or staging site (skip this part if you did the repairs on your live site).

Test your site’s main features: navigation, forms, checkout, login, etc. See if any content, including images, is missing. Visit your website in an incognito window to confirm it displays correctly for visitors.

Disable maintenance mode if it’s still active. Clear your site cache to ensure no cached malware or outdated pages are loading.

To be completely on the safe side, rescan your live site files and database tables for remaining threats. Use a malware scanner both from inside WordPress and outside.

12. Deal with the aftermath

Once the immediate problem is resolved, you need to deal with its fallout:

• Communicate with your customers: If the hack affected your users through downtime, strange behavior, or a potential data breach, be transparent. Let them know what happened, what you’ve done to fix it, and what steps you’re taking to prevent the problem from occurring again.
• Submit requests to remove your website from Google’s blocklist: If Google Search Console flagged your site as dangerous, request a review via Security & Manual Actions → Security issues after the cleanup is complete. This helps restore search visibility and remove browser warnings. Do the same for other blocklists you may have appeared on.
• Restore any lost content from backups: If pages, images, or posts were damaged or deleted, recover them using your most recent clean backup. Double-check everything before re-publishing to ensure you don’t reintroduce malicious code.
• Analyze the hack: Document what happened, how your site was compromised, what actions you took, and what you plan to do going forward to strengthen future security.
• Keep monitoring: Set up ongoing monitoring tools, such as an activity log to track user logins, site changes, and system events. Monitor changes to files, regularly scan your site for malware, and keep an eye out for any of the signs of a website hack we discussed earlier.

Prevent website hacks before you have to fix them

The final step is to make sure you never have to be in this situation again. First, follow security best practices:

• Use strong passwords, change them regularly.
• Implement multi-factor authentication for all relevant accounts.
• Set up user roles with the minimum necessary privileges.

In addition, take steps to harden your website security:

• Use SSL encryption.
• Keep WordPress Core, plugins, and themes updated.
• Put a backup solution in place.
• Set up automatic malware scans, brute force, and DDoS protection.
• Add a firewall to your site.

On WordPress.com, all of the above is included with every plan, together with additional security features. So, if you want a simplified and effective way to prevent being hacked, move your site to WordPress.com.

 [#item_full_content]

Schema markup gives you a way to enhance how your website and its content are displayed in the search engine results pages (SERPS).

Examples of these enhancements include star ratings, event info, product pricing, and FAQs. When implemented correctly, they’re an effective way to make your content stand out in the SERPs and increase click-through rates. 

Adding schema markup to your WordPress site also helps search engines to understand your content better, increasing the chances of it being displayed where your target audience will find it.

By the end of this guide, you’ll better understand schema markup for WordPress and how to add it to your site.

What is schema markup?

Schema markup, sometimes called structured data, is code you add to your website. Its purpose is to help search engines understand your content better, such as its meaning and context. 

Similar to categories and tags in WordPress, schema markup can be used to add labels to your content that explain what each piece of content is about and its format. Some examples of these labels include products, recipes, reviews, and events.

Adding schema markup is also a way to enable rich results or rich snippets for your site and its content. 

You’ve probably seen rich results in the SERPs before. They include extra details about a page in the results, such as business information, star and average ratings, product details, FAQ, recipe information, and more. 

This additional information makes rich results-enabled content stand out and helps search engine users decide which result to click on.

Common Types of Schema Markup

Here are some widely used schema markup types and how they can generate rich results:

• Review and Rating: Can display star rating and number of reviews in the SERPs.
• Articles: Includes headline, author, publication date, and a thumbnail image. 
• Product: Price, availability, and rating can be displayed. 
• FAQ: Collapsible questions and answers are displayed.
• Recipe: Cooking time, ingredients, and ratings can be displayed.
• Local Business: Name, address, phone, and business hours can be included.
• Event: The event’s date, location, and ticket availability can be displayed. 

Not everything that can be displayed in a rich result is displayed. Many factors control how and when they’re displayed, such as site settings, the user’s search term, and the search engine algorithm. 

However, adding schema markup is essential for enabling rich results for your site. 

While there are hundreds of types of schema, you must use the types supported by Google if you want your content to feature rich snippets when displayed in their search results. 

Benefits of adding schema markup to your WordPress site

One of the main benefits of adding schema markup to your WordPress site is that it can increase your content’s click-through rate when it’s displayed in the SERPS. 

For example, one study found that 58% of search engine users clicked on results enhanced with rich results while only 41% of users clicked on regular (non-rich) results.

This makes sense as rich results not only stand out but they also provide search engine users with more information when deciding which result to click on. 

For example, if a user is searching for a recipe, seeing the cooking time and user rating displayed in the SERPs demonstrates that the content is informative and whether or not it meets their requirements. 

The other main benefit is that search engines can use schema markup to better understand your content. This helps the search engines to know when to display your content in their results, sending more relevant traffic to your site. 

A further benefit of using schema markup is that it increases the chances of your content being displayed in more places in the SERPs. This includes the People Also Ask boxes and recipe carousels.

Key benefits of adding schema markup:

To summarise, the main benefits you could potentially unlock by adding schema markup to your WordPress site include: 

• Increased visibility in the SERPs by enabling rich results.
• Improved click-through rates in the SERPs by making your content stand out.
• Increased traffic to your site without needing to improve your ranking. 
• Help search engines understand your content and know where to display it.
• Make your content eligible for display in People Also Ask boxes and elsewhere on the results pages.

As we’re about to cover, adding schema markup to WordPress is relatively straightforward, making it something all site owners should consider. 

How to add schema markup to WordPress

You can add schema markup to your site manually, but this is another area where WordPress plugins can be used to simplify the task. 

Here are some recommended plugins as well as a guide to adding structured data to WordPress using one of the options. 

Schema markup WordPress plugins

There are lots of plugins that can add schema markup and structured data to WordPress. Some of these plugins include other useful functionality, such as search engine optimization features, while others are focused solely on implementing schema markup. 

Not all schema markup plugins for WordPress cover all the available schema types, so you must choose a plugin that supports the ones you need. For example, if you’re creating a food blog with WordPress, you could select a recipe-specific plugin that adds the relevant schema markup, such as WP Recipe Maker.

Just ensure that any plugin you’re considering supports the schema markup you want to use.

Rank Math SEO

Rank Math SEO is a popular and user-friendly option for adding schema markup to WordPress.

The free version of the plugin lets you add 13 schema types, making it suitable for most projects. The paid version supports six more types. 

Thanks to its broad range of SEO features, Rank Math SEO can also be used as your WordPress SEO plugin. 

The paid version has more schema-related features, including adding multiple schema types to a single page. This would let you add the Product Schema and Review Schema to an eCommerce product page to display pricing and rating information in the rich results.  

The paid version also includes a schema generator to help you choose the correct schema for each piece of content and a tool for importing schema markup from other websites so you can see how others are using structured data. However, the free version of Rank Math SEO can add a good range of schema markup to WordPress. 

Rank Math SEO is an excellent option if you’re looking for a powerful SEO and schema plugin that’s easy to use.

Yoast SEO

Like Rank Manth SEO, Yoast SEO is an SEO plugin for WordPress that can add schema markup to your site. It’s also one of the most popular plugins on WordPress.com. 

Like the other options covered here, you can set a default schema markup type for your site so you don’t have to select one each time you publish a new piece of content. This can be overridden at the post and page level if needed. 

Yoast SEO integrates with other schema markup plugins, including WP Recipe Maker, giving you more options for adding structured data to your site while maintaining access to the rest of the plugin’s features. 

Choose Yoast SEO if you want to install the most widely used SEO plugin for WordPress and add schema markup with the same plugin.

Schema & Structured Data for WP & AMP

Schema & Structured Data for WP & AMP was built specifically for adding schema markup to WordPress rather than also being an SEO plugin. The free version supports an impressive 46 schema types.

The developers claim that users can request additional schema types, and they will add them to the plugin. This makes Schema & Structured Data for WP & AMP ideal for anyone creating content types not covered by other plugins. 

Schema & Structured Data for WP & AMP isn’t quite as user-friendly as the other plugins covered here. However, I’ve included it as it supports many schema types, making it a good option if it covers the schema types you want to use that other plugins don’t. It’s also a suitable option if you’re already using an SEO plugin you’re happy with and are looking for a schema markup plugin to use alongside it.

Using Rank Math SEO to add schema markup to WordPress 

Here’s a walkthrough of using the Rank Math SEO plugin to demonstrate how you can add schema markup to WordPress.

You’ll need the Business plan or above if WordPress.com hosts your site and you want to install this plugin. 

Rank Math SEO is a good option as it has a user-friendly setup wizard to help you optimize your site for search engines and add structured data to WordPress. 

To get started, go to Plugins → Add New in WP Admin.

Next, search for “Rank Math SEO” and click the “Install Now” and then Activate buttons. 

The optional setup wizard will launch after activating the plugin. The wizard walks you through setting up the SEO features of the plugin and gives you the option of importing the settings from an SEO plugin you might already be using on your site.

To configure the schema markup capabilities of the plugin, go to Rank Math SEO → Titles & Meta from the WP Admin sidebar menu.

Then, click on Posts under Post Types on the Rank Math SEO panel. 

Now you can set the default schema markup type for all posts. Choose Article from the Schema Type dropdown menu if you’re primarily creating blog posts.

You can override the default settings from the WordPress editor when you’re creating a piece of content that will use a different schema markup type.

To do so, click on Schema Generator from the Rank Math panel in the WordPress editor.

One instance where this would be necessary is if you’re publishing a recipe where the default schema type for the site was set to Article. 

You can then add the additional information for the schema type you’ve selected. 

For example, if you selected the recipe type, you can add the preparation time, cooking time, and other details that will be displayed in the rich results in the SERPs.

Click the “Save for this Post” button when you’ve finished.

You can then repeat the above to add structured data to any new and existing content on your site. 

The Titles & Meta section of the Rank Math SEO documentation has the full details on adding structured data to WordPress with this plugin. 

Testing your schema markup

Once you’ve added the schema markup via your choice for plugin, rich results should be displayed for your content in search engines. 

However, it’s recommended that you test your site to ensure that everything is working as expected. While the best schema markup plugins for WordPress do an effective job of adding structured data to your site, checking and testing can highlight any issues, such as missing required fields.

There are a few tools you can use to test your site’s schema markup, including:

• Schema.org Validator: Enter the URL of a page to find out if the structured data has been added correctly. Any errors will be highlighted to help you resolve them. 
• Google Rich Results Test: Validate your schema markup to check which rich results can be generated by its structured data. 

Correctly adding schema markup to your site is no guarantee that search engines like Google will display rich results for your content. 

However, by using a reliable plugin or correctly adding the structured data manually, you will have done all you can to activate rich results for your site. 

Ready to add schema markup to WordPress?

Adding schema markup to WordPress makes it possible for your site to start benefiting from rich results, such as improved click-through rates from the SERPs and more traffic.

The easiest and most convenient way to add structured data to WordPress is to use a schema markup plugin. 

Before you choose a plugin, ensure it supports the type of schema markup you’d like to use on your site. 

Plugins like Rank Math SEO and Yoast SEO are easy to use and include many useful features. However, they don’t cover all the schema markup types, so be sure to choose the right plugin for your goals. 

If WordPress.com hosts your site or you’d like it to, you can install plugins on the Business and Commerce plans and benefit from fast load times, enhanced security, and many other valuable features. 

 [#item_full_content]