Archive

Stopping or Preventing Email Spam

The following is a list of ways Ameravant Web Hosting helps clients in the ongoing battle against Email Spam.

The items below only apply if you are an Ameravant client with the cPanel web hosting Control Panel.

1) MAKE YOUR EMAIL ADDRESS INVISIBLE:
If you have your Email address posted on your web site, Internet spammers can crawl your site and copy your Email address into their system.
HOW: To prevent this Ameravant can encrypt your Email address on your web site so visitors can view and click the link but spammers cannot see the link.

2) BOX TRAPPER:
There is a feature called Box Trapper that comes with Ameravant Web Hosting. When Box Trapper is activated, anyone sending an Email to your Email address would get a reply Email asking them to click a link and verify they are a real person. Once they click that link they get put on your White List and you receive their Email, and all future Emails from them. Because spammers are automated systems & don’t reply to Emails, they are never added to your White List. The following link offers more information on this feature, http://www.cpanel.net/support/docs/11/cpanel/mail_boxtrapper.html
HOW: Here is a link showing you how to set up Box Trapper, http://www.cpanel.net/media/tutorials/boxtrapper.htm

3) TURN ON SPAMASSASSIN:
SpamAssassin is widely used by Email Service Providers, like Ameravant. SpamAssassin will allow you to filter your Email and remove spam before you check your email.
HOW: From the home page of your Control Panel, click the “SpamAssassin” icon. Then click the “Enable” button next to SpamAssassin. Once SpamAssassin is turned on, you can tighten the default settings. The average Score setting is 5. You can reduce this to 4 or 3. This number represents how many tests an Email fails before it is considered spam. If you are concerned that reducing the Score will delete legitimate Email, you can enable “Spam Box” from this same page. This will direct all spam into a separate folder in your Webmail system. You can occasionally visit that folder to see if any legitimate Email is there.

4) BLACKLIST DOMAINS OR EMAIL ADDRESSES:
Blacklisting domains or individual Email accounts will prevent spam Email from getting into any Email account at your domain. Here is a tip. If you are getting spam Email that indicates it is From your Email account and To your Email account, you can blacklist your own Email address to prevent the spammers from sending this type of Email spam to you.
HOW: You can set blacklist domains or Email addresses from your Control Panel. Click the Spam

5) SET YOUR DOMAIN SPAM FILTER FOR Words or Phrases:
Any filters (words or phrases) you create in this area will affect all Email accounts for your domain. If you see Words in your spam Email that clearly identify them as spam, you can put these words in your Spam Filter. For example if I put the word “penis” in my spam filter, all future Emails with the word penis will be automatically deleted, redirected to another Email account or moved to a spam folder. You get to choose the action for each word you put in your Spam Filter.
HOW: In your Control Panel, click the “Account Level Filtering” icon. Then click the “Create a new Filter” button

6) SET YOUR PERSONAL EMAIL SPAM FILTER FOR Words or Phrases:
Any filters (words or phrases) you create in this area will affect only your individual Email account. If you see Words in your spam Email that clearly identify them as spam, you can put these words in your Spam Filter. For example if I put the word “penis” in my spam filter, all future Emails with the word penis will be automatically deleted, redirected to another Email account or moved to a spam folder. You get to choose the action for each word you put in your Spam Filter.
HOW: In your Control Panel, click the “User Level Filtering” icon. Then click the “Manage Filters” text next to the Email account you want to apply filters.

7) ENABLE DOMAIN KEYS
DomainKeys is an e-mail authentication system that allows for incoming mail to be checked against the server it was sent from to verify that the mail has not been modified. This ensures that messages are actually coming from the listed sender and allows abusive messages to be tracked with more ease.
HOW: From the home page of your Control Panel, click the “Email Authentication” icon. Then click the “Enable” button next to DomainKeys.

8) ENABLE SPF AUTHENTICATION:
SPF will specify which Email Servers are authorized to send email from your domain(s). This means that only mail sent through your Email server will appear as valid mail from your domain(s) when the SPF records are checked. This prevents what is known as “Spoofing”, where spam Email appears to be coming from your domain.
HOW: From the home page of your Control Panel, click the “Email Authentication” icon. Then click the “Enable” button next to SPF.

9) SET YOUR LOCAL SPAM FILTER:
If you are using an antivirus/antispam program on your local computer, most of them have spam filters that work with your local Email application. Check with your vendor to see how to filter out spam locally.

10) SPAM PROTECTION FROM EMAIL IMAGES:
The most difficult type of spam to prevent is the Email that has an image in the body of the Email. When that image becomes visible it is reporting back to the spammer that your Email address is valid. After validation you can be sure more spam is on the way.
HOW: To prevent this type of image validation, many Email programs have a feature where you are not able to view images in your Email unless you identify that Email/Email Address as a Friend. Outlook 2007 offers this feature. Check with your Email application provider to see if they offer this feature and how to activate it.

11) CANNOT STOP ALL SPAM:
Unless you use the Box Trapper feature described above, it is impossible to prevent all spam from coming into your Email account. Sadly, it’s part of our new online culture.
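
How a receiving mail server applies the SPF policy described in item 8, as an added example that is not Ameravant's or cPanel's code. It evaluates a subset of RFC 7208 (ip4, ip6, a, include, all) against constructed DNS data; the domain names, addresses and the check_host/classify helper names are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data for illustration (documentation-range names and IPs).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 a:mail.example.com "
                   "include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfigured on purpose
}
A = {"mail.example.com": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # lookup limit from RFC 7208 section 4.6.4


def check_host(client_ip, domain, _budget=None):
    """Return the SPF result for a connecting IP and the sender's domain."""
    budget = [MAX_DNS_LOOKUPS] if _budget is None else _budget
    client = ipaddress.ip_address(client_ip)
    terms = TXT.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy

    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are ignored in this example
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name in ("a", "include"):
            budget[0] -= 1  # both mechanisms cost one DNS lookup
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include loop
            target = (arg or domain).lower()
            if name == "a":
                matched = str(client) in A.get(target, [])
            else:
                inner = check_host(client_ip, target, budget)
                if inner in ("permerror", "none"):
                    return "permerror"  # broken or missing included policy
                matched = inner == "pass"
        elif name in ("mx", "ptr", "exists"):
            raise NotImplementedError(f"{name} is outside this example's subset")
        else:
            return "permerror"  # unknown mechanism is a syntax error
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def classify(connections, domain):
    """Map each connecting IP to its SPF result for mail claiming `domain`."""
    return {ip: check_host(ip, domain) for ip in connections}


if __name__ == "__main__":
    sample = ["192.0.2.5", "203.0.113.25", "198.51.100.77", "203.0.113.99"]
    for ip, result in classify(sample, "example.com").items():
        print(f"{ip:15} -> {result}")
    print("loop.example    ->", check_host("192.0.2.5", "loop.example"))
```

A receiver acts on the result: "fail" (from -all) marks mail sent from a server the domain owner did not authorize, while "softfail" (from ~all) only flags it as suspicious.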

How to clear Google mod_pagespeed Cache

At Shine Servers Hosting all our servers have Google’s mod_pagespeed installed. We have seen good website load time decreases, with server load only increasing noticeably when creating the cache from scratch.

The only irritating thing for developers is that sometimes mod_pagespeed does not recognise that you have updated an image or other files and keeps serving up the old version. This is especially true when making small changes.

Luckily deleting the cache is quite simple. You need root access for this. First SSH to your server. Then type or paste in the following commands;

sudo mv /var/mod_pagespeed/cache /var/mod_pagespeed/cache.del
sudo rm -rf  /var/mod_pagespeed/cache.del
sudo mkdir /var/mod_pagespeed/cache
sudo chown nobody:nobody /var/mod_pagespeed/*

The first line moves your cache directory; the second deletes the now-moved directory. This code assumes that you are using the default cache directory; if you have changed the directory, remember to change the code! The third line recreates the cache directory and the fourth sets the correct ownership on the folder.

This will clear all cache on disk. There is also cache stored in memory, and the only way to remove this is to restart Apache. You should be able to restart Apache from your server's GUI control panel, such as cPanel.

I will be posting more blog entries about google mod_pagespeed including how to customise it and fix problems it may cause on your website.

How to improve your AdWords Quality Score

If you don’t understand how the Google AdWords Quality Score works, then your AdWords campaigns will inevitably fail.

Read why the quality score has a significant impact on your cost per AdWords conversion and learn how to outsmart your competitors in the race for the most profitable ad positions.

Why is the Quality Score so important?

Essentially Google wants its search engine to show its users the most relevant search results.

That applies to both the organic search results and the sponsored AdWords listings.

The Quality Score formula rewards advertisers that pick only those trigger keywords that are closely linked to the webpages and products, that the advertiser promotes through its sponsored ads on Google.

If you run an online store that sells baby clothing, then Google will certainly allow you to pick trigger keywords such as “family car” and “baby stroller” but given the relatively weak link between the visitors’ search terms and your products, Google will put you at a clear disadvantage when you bid for those trigger words in competition with manufacturers and dealers of family friendly cars and the retail outlets that have specialised in baby strollers.

Whenever a Google visitor hits the “Search” button, Google first calculates your Quality Score and then your Ad Rank. A high Quality Score coupled with a high maximum CPC bid will lead to a high Ad Rank. The highest Ad Rank will give you the top spot above the organic listings.

How is the AdWords Quality Score calculated?

Google has not disclosed exactly how the AdWords Quality Score is calculated, but I will give you my best guess based on numerous clues given by the Google AdWords team and actual data from hundreds of AdWords accounts.

The Quality Score is calculated at several levels – it’s calculated at:

  • Account level
  • Campaign level
  • Ad Group level
  • Ad level
  • Keyword level
  • Domain level

The most important factor for your Quality Score is the CTR (click-through-rate) at keyword level.

In essence Google uses its own users to rate the relevance of your AdWords listings. If you have a high CTR it means that people clicked on your ad, that again indicates to Google that your ad was the most relevant to display to its visitor for that specific search term.

The CTR is factored in relative to your average ad position. A click-through-rate of 5% for an AdWords listing with an average ad position of say 4,5-5,0 (to the left of the organic search results) indicates higher relevancy than a CTR of 6% for an ad placed in prime position above the organic listings.

Your CTR at ad, ad group, campaign, account and domain level is also part of the Quality Score equation.

When you set up a new ad group and add new keywords they will usually start out with Quality Scores that resemble those of your existing campaigns. As the new AdWords ads accumulate sufficient click data of their own, they will be less dependent on the historical performance of your other campaigns and instead primarily be assessed based on their own merits.

You can only see your Quality Score at keyword level.

It will display as a figure between 1 and 10 when you tick off the below column in your AdWords interface.

How to view Quality Score in AdWords interface

1 is horribly bad and hardly achievable, whereas good keyword selection and attractive ad copy will typically yield quality scores of 7 or above.

A small note: Your quality score rarely stands at 8 or 9. It tends to jump directly from 7 to 10 and vice versa. An extra incentive from the Google guys and girls at Mountain View to have you go the extra mile and aim for excellence :)

Google will round off your quality score before showing it, i.e. when the Q.S. is displayed as 7 it can really be anything from 6,51 to 7,50. This is not overly important, but as you get increasingly advanced it might be nice to know that a rounding off takes place.

Ad Rank is not shown anywhere (you have to derive it from the actual listings on the search engine results pages).

How is the Google AdWords Ad Rank calculated?

Whereas the calculation of the Quality Score is highly complex, the theory behind the Ad Rank is a lot easier to grasp. The Ad Rank is really just a simple auction system.

Your Quality Score multiplied by your Max CPC bid for a given trigger keyword decides where your ad is shown.

An example using the keyword “baby stroller”:

Your Quality Score for the keyword “baby stroller” is 7; your competitor has yet to read this guide on how to improve the AdWords Quality Score and therefore only scores a mere 4.

You bid a maximum of 0,50 Euro for the “baby stroller” keyword, whereas your competitor has set his maximum CPC to 0,60 Euro.

You: 0,50 euro multiplied by 7 gives you an Ad Rank of 3,5
Competitor: 0,60 multiplied by 4 gives him an Ad Rank of 2,4

You win the auction and your ad is displayed above his ad – and orders for baby strollers will hopefully come your way.

3 key points to remember

  • High CTR usually gives you a high Quality Score (and lower cost per click and/or many clicks)
  • Watch out for quality scores below 7 for keywords that are both popular and relevant to your business. Improve your Quality Score to keep your costs down and traffic up.
  • It might take days or weeks for your quality scores to stabilize. After performing changes to your AdWords campaigns, you need to wait at least a few weeks before concluding failure or celebrating victory.

How to Improve Your Quality Score?

Remember what I wrote earlier? Google’s ultimate goal is to provide their users with the most relevant search results.

To improve your Quality Score, therefore, you need to make your AdWords copy and landing pages more relevant to Google users.

Here are some examples of what you can do to boost your ad relevancy:

  • Divide your keywords into several smaller ad groups with fewer keywords in each. This allows you to write more focused ad titles, text and display URLs where the keyword is included.
  • Customize individual landing pages for each of your main keywords. The keyword should be included in an unforced, natural way in the page title, heading and main body of text. The Google AdWords algorithms do indeed look at on-page elements as well.
  • Make sure that your landing pages are optimised to load as quickly as possible, while also maintaining an attractive appearance.
  • Keep an eye on any keywords that are frequently searched but have a low CTR. Keywords with a low click-through-rate will pull down the Quality Score for the ad, the ad group, the ad campaign and the overall account. Shut down these keywords or ‘quarantine’ them in a separate ad group, requiring special consideration later on.
  • Add negative keywords to prevent your ads from showing when the user is unlikely to click on them. These negative keywords are very important, but often neglected by AdWords advertisers.

Need Help to Improve Quality Score?

Hopefully the above introduction to Quality Score will have given you a good idea of how to work with, not against, Google AdWords.

If you have any questions, drop a comment below and I will do my best to answer your question.

Find the Right Responsive WordPress Theme

If you’re planning a new website and you’ve fallen for WordPress, you need to be careful when picking the WordPress theme for your website.

In this blog post you can learn from my mistakes and get my recommendations for 15 great WordPress templates.

What is WordPress?

If you work with websites and online marketing you may already have heard about the CMS solution WordPress.

WordPress is a user-friendly Content Management System based on open source code – a free website software program that can be used by everyone, including those without an extensive IT background.

I have about 30 websites running, the vast majority of which use WordPress as their foundation.

Some of these sites have a serious purpose, like this one. Others I use for various search engine experiments. Then there are the websites I run solely to raise awareness about products and services, my clients’ and my own.

Common to all of them is that web design and functionality is largely determined by the particular WordPress theme I’ve chosen for that website.

Rather than hiring a web designer to code your site from scratch you can, for $50 or so, buy a premium WordPress theme. This is a template placed on top of the free WordPress software with its basic functionality and gives your website a look and feel which matches your products and the image you want to communicate to your customers.

The low cost of many WordPress themes, though, leads many website owners to skip the necessary preparatory work.

Here are some considerations to make before you look for a good WordPress theme.

Selecting a WordPress theme

What do you really need?

There are tens of thousands of free WordPress themes and thousands more premium themes. It’s easy to be tempted by the abundance of visually stunning WordPress templates that cost next to nothing.

But do yourself a favour.

Always begin your search for a WordPress theme by making a list of requirements you ‘must-have’ and ones that would be ‘nice to have’.

This is what my list looked like when I was choosing the theme for this website:

Must-haves

  • The theme must have a serious look. After all, we’re not blogging about puppies or patchwork quilts. This is tough business :)
  • The theme must have a large “featured” image as this is crucial for showing the sample dashboards.
  • The theme must be responsive (you can read why below).
  • The code quality must be high (find out why below).
  • The theme needs to be well-documented and supported (I’ll explain why below).
  • Headlines and main text must be legible and the font, type size and colour must all be easy to adapt. It may be that you and I can read small text in flashy colours, but many of our customers might not want to.

Nice-to-haves

  • The theme should be easy to upgrade when new versions are released – so I don’t risk the whole thing crashing down around our ears and all the great dashboards and guides go down the drain.
  • It shouldn’t cost a fortune – in practice, it’s almost impossible to find a WordPress theme that costs more than $100, so all themes pretty much lived up to this requirement.

The theme must fulfil all my must-haves.

If the WordPress theme can, at the same time, fulfil some or all of my nice-to-haves, then that would be ideal.

You’re the best judge of exactly which requirements you’ll want on your list.

However, the following 3 points from my own list can, I think, be included on any list of requirements for a new WordPress theme.

  • The theme must be responsive.
  • The code quality must be high.
  • You need thorough documentation and support.

A responsive WordPress theme is an absolute must

If you’re building your website seriously and also plan on being around tomorrow, next week and next year then you should choose a WP theme that displays equally well on a handheld device and a large computer screen.

By far the majority of WordPress themes are optimised for viewing on a computer screen – but not all themes can also present your site satisfactorily on a tablet/iPad or smartphone/iPhone.

As more and more people access the internet using mobile devices the challenge to create WordPress designs that display well on a small screen has proven tough even for veteran web designers/programmers.

If the theme you’re thinking about buying isn’t responsive – then skip it and move on to the next on your list.

Responsive web design is a 100% mandatory requirement whenever I’m choosing a new WordPress theme.

I think it should be for you too. Unless, of course, you think that mobile phones are just a passing fad that will soon go the way of VHS and Laserdiscs.

By choosing a WordPress theme which can dynamically scale your website content to fit the screen you’re already more than halfway to fulfilling the next demand on my list – high code quality. Simply because a programmer who doesn’t know his business would find it very hard to write the code for a dynamic WordPress theme.

The code quality must be high

As the future owner of a sparkling new WordPress theme it’s a good idea to open up the bonnet and have a look at the engine and see how it runs.

Technical ‘illiterates’ might find it hard, though, to decipher the intricacies behind the sparkling exterior and determine if the theme will be easy to maintain and adapt in the future.

In that case it might be a good idea to get a programmer or WordPress expert to have a look at the code.

Normally you can only access the code after you’ve bought the theme, but if a read through reveals that the WP theme has been coded in a crazy way you can at least ditch it before you’ve also wasted time trying to fit it to your requirements.

Good documentation and support

Any web designer or programmer who has read the most basic guide to HTML or PHP can stitch a WordPress theme together.

A complex WordPress theme can give a lot of headaches if you don’t quite understand how it’s put together and why it behaves like it does.

That’s why you need to ensure that your WordPress theme comes with comprehensive documentation, both in the code itself (by way of small comments written by the programmer explaining what each component does) and in the form of a user guide or tutorial you can refer to when discovering how to adapt the basic design and exploit its various functions.

You also need to make sure that the WordPress developer has a dependable support system where you can get help when you run into difficulties, as you probably will when you start exploring your new WordPress theme.

This requirement means, in practice, that you should be very wary of buying WordPress themes from one man companies, where development and support duties are carried out by the same person.

By choosing a slightly larger firm with several employees you are not quite as vulnerable if an accident should happen and your contact gets run over by a steamroller.

In that case, there are hopefully others to lend a hand.

Precisely this dependence on others brings me to my next point and it’s a warning.

Warning – watch out for “free WordPress themes”

Don’t place your firm’s economic future in the hands of people who have no financial incentive to help you.

Even if you’ve ‘gambled’ a little and chosen a one man firm to supply your WordPress theme, this one man firm still has, at the very least, an economic motivation to help you as much as possible – to keep you happy and hope you recommend the product to others.

But if you’ve chosen a free WordPress theme then you’ve chosen to live life dangerously.

The developer of your free WordPress theme has in all likelihood other and more important projects in their schedule.

So if the whole thing collapses with a crash around your ears, you’ll be left to your own devices (and the help of a programmer, if you have one).

A premium WordPress theme is by no means a guarantee against difficulties, but the probability of problems arising is lower when your supplier has a financial motivation to keep you a happy customer.

Honest Assessments of WordPress themes

To help you avoid falling into the worst traps, I offer here my evaluation of a series of WordPress themes that I have had experience with:

Really good experience with WooThemes.com

The website for my Danish online agency www.onlineeffekt.dk is based on the WhiteLight theme from WooThemes.com.

The WhiteLight theme is responsive (i.e. it also looks good on a small screen), the source code is easy to figure out (for both my programmer and myself) and it’s written in such a way that web pages display relatively quickly (an important quality for users).

At the same time WooThemes have an efficient support system giving quick, competent responses to queries – which are bound to crop up.

WooThemes regularly run discount campaigns where you can save quite a bit of money.

So if you decide to buy from WooThemes then remember to google “WooThemes discount code” or other variations such as “WooThemes special offer” etc.

Currently there are just a few responsive themes available from WooThemes, but several more are on the way.

If you need to translate a WooThemes template to your local language that’s also quite easily done.

Adaptive Themes also gets my recommendation

The design of this website is based upon the Nexus premium template from AdaptiveThemes.

The Nexus theme is both responsive and contains a wealth of shortcodes which makes it a lot easier to create a visually attractive experience for your visitors.

I have yet to run into problems with this theme and with the note that I haven’t yet tried out their support, I dare to recommend AdaptiveThemes as your next WordPress theme pusher.

Positive experience with TrueThemes.com

Half a year ago I bought my first theme from TrueThemes (via ThemeForest.com).

Not only does the theme – Sterling – perfectly fit my requirements but I also have a positive impression of the quality of the source code.

The design adapts dynamically to any screen size and the theme includes a raft of handy features, including shortcuts for inserting forms, images and Google maps.

The support I’ve gotten from TrueThemes so far has been excellent, at any hour of the day or night, 7 days a week.

Positive experience with ElegantThemes.com

I have in the past been a big fan of ElegantThemes, who have a lot of good, affordable themes in their catalogue.

For $39 you can buy access to all their WordPress themes.

Nowadays their design style doesn’t quite match what I’m looking for, so it’s been some time since I last used one of their themes.

Their prices are so low that they rarely (perhaps never?) offer discounts or special offers.

I should also add that ElegantThemes is (or was?) a one person company, so perhaps you don’t want to put too much responsibility in their hands.

Positive experience with NattyWP.com

I have a series of websites built around themes from NattyWP.com.

Their designs may not be groundbreaking, but if you’re in the market for a traditional WordPress design for a business site, then you’ll probably be happy without all the extra fuss and frills.

Their support works fine and the source code is relatively easy to negotiate.

Bad experience with Templatic.com

On the surface, the solutions offered by Templatic look really good.

A lot of their templates are crammed with smart-looking, nifty functions.

But under the surface it lags – a lot.

Their tailor made administrative tools are complicated and unlikely to score highly in a usability test. And their source code looks, to these amateur eyes, to be less than stable in its construction.

I’ve used their templates on two different sites. Both times I ran into problems that were entirely due to poor handiwork on the part of the programmers.

Their support crew have been helpful, though, and quick to resolve issues – but only by way of an individual quick fix rather than a comprehensive solution that would benefit all of their other customers as well.

15 recommended WordPress themes

I have literally spent 100s of hours surfing the net and checking out several thousand themes. To save you a bit of time, I will give you 16 of my browser bookmarks to themes that I either already own or am looking for an excuse to buy.

Zig-Zag responsive WordPress theme by Brankic1979

Eleven 40 by Studiopress

Publisher Magazine WordPress theme from Theme-Junkie.com

Swagger responsive WP theme by ThemeBlvd

Qreator by Cmsmasters

Website by Kubasto

Big City by MNKY

Identity by Mojo Themes

Canvas by WooThemes

Big Bang by Brankic1979

Backstreet by Ridwanreedwan

Nexus by AdaptiveThemes – This website runs on the Nexus theme…

Bangkok Press by GoodLayers

Gonzo by OllieMcCarthy

Good Space by GoodLayers

Magnovus by PureThemes

Nemesis by Peerapong

Test of WordPress Caching Plugins – W3 Total Cache vs WP Super Cache vs Quick Cache

There’s been a lot of talk about which is the best caching plugin for WordPress. There’s no doubt in my mind which is best, and that’s W3 Total Cache. I’ve reached this conclusion based on logic, theory and a knowledge of how it should be done. W3TC performs best in theory, but is it the best when tested and what are the pros and cons of the different types of caching tools available? That’s what I’d like to take a closer look at here. I’m going to look at both performance and load times. For that I’m going to use two tools in particular, Pingdom Tools and AB Test (Apache Benchmark test). However, I’ve also used other tools to assess load times on the website both during periods of heavy use and during single visits.

I’d like to begin by describing the different plugins, before I reveal the test results for the three.

The test

The test was carried out on a site which most closely resembles a ‘real-world’ website, with the caveat that the site doesn’t get crawled or found by Google. This is the newest English language version of WordPress for which I’ve bought the currently popular Nevada theme. I’ve set the theme up with standard content supplied by the developers through XML import. Permalinks are activated.

Pingdom Tools and Apache Benchmark are used to look at load times and performance on the site, respectively. In addition to these two tests I’ve also used Gomez Networks, Load Impact and Google Chrome to achieve a valid end result which best approximates reality. FastCGI functioned as the engine for the PHP solution. For the Apache Benchmark test I ran the following command, which means that 1000 tests were run with 10 simultaneous users:

ab -n 1000 -c 10 http://www.domain.com/

Each testing tool was run 10 times, both with and without a caching plugin, and it’s the average result which will be shown at the end. In total, 250 tests were run with intervals of ten minutes and a single AB test on a static html file (where I had copied the html code from the site being tested) to see how much the server could actually handle under those conditions.
It’s important to point out that the tests only look at HTML caching/Page Caching because this is the element which the plugins in question have in common. Some of them also have CDN, Gzip, and Browser Caching but these won’t be considered as they’re not shared by all plugins.

Tests to be divided up as follows:

  • Test without plugins of any type (50 tests)
  • Test using caching plugins and their standard settings (50 tests)
  • Test using caching plugins in their optimized versions (50 tests)

W3TC (W3 Total Cache)

http://wordpress.org/extend/plugins/w3-total-cache

W3 Total Cache is a plugin that has pretty much everything in terms of speed optimization. Among other attributes, it has HTML caching, which we’re testing here, and minification, Object Cache, Database Cache, Gzip, browser caching, CDN, Varnish, minification of js and css files, minification of html code, auto caching and a lot more.
W3 Total Cache creates its html caching files by taking PHP output and putting it into two html files on the server, one compressed and one uncompressed. When this URL is requested a small rewrite in htaccess checks to see if the browser can support compressed files, and if the cached file exists, which, if it does, is then displayed to the user. If it doesn’t, it will continue on to WordPress and show that page’s content. If caching is permitted, W3TC will then create a cached version of the requested page and display it to the next user who requests it.
If you want to set up the whole plugin with all its features, it will typically take one to two hours, depending on website type, content, activity, theme etc. Once you’ve set up the plugin and all its features your website will run pretty well. But it’s no substitute for normal optimization of, for example, pictures or the usual requirement that your theme and plugins have been well coded.

WP Super Cache

http://wordpress.org/extend/plugins/wp-super-cache/

WP Super Cache is a page caching plugin which offers some different options including page caching and CDN. It’s easy to set up and doesn’t require much tech knowhow from the administrator. It uses three different caching methods with the default setting being the next best of the three options (via PHP). Unlike W3TC it doesn’t create a compressed version of the cached file by default, but of course this is something you can ask it to do.
Setting up the entire plugin takes about twenty minutes. It’s a small plugin that’s quick to install, and pretty much anyone can do it.

Quick Cache

http://wordpress.org/extend/plugins/quick-cache/

Quick Cache is an even smaller plugin which only handles page caching. There aren’t many settings to speak of but on the other hand it’s incredibly easy to use. The only thing you need to do is to activate the plugin and switch ‘page caching’ on.
Other settings deal primarily with when page caching is permitted and when cached files should be deleted. There is also an option for browser caching but the developers recommend that you don’t activate this.

Shared Features of the tested plugins:

Common to all is, of course, caching of the html on which the homepage is built. That’s about the only thing which all the plugins have in common. So only testing can show the delay-reducing effect on the server before the html code is relayed to the user. Which brings us to testing of load times and performance.

The first test

The first test is carried out on a static html file copied from the code which the home page of the website throws out. This is to see how much the server can handle and how quickly. The result shows that the server should be able to handle around 4,738.14 requests per second and that 1,000 requests from 10 simultaneous users takes on average 0.208 ms. That’s quite fast and puts almost no strain on the server.

Four variables have been measured:

  • Waiting time on the server before file is passed on to the user
  • Number of requests the server can handle per second
  • Waiting time as measured by other testers (for example, Pingdom’s yellow bar)
  • Full load time for the website

The last of these, full load time for the website, isn’t really something we should look at in this test. That’s because there are so many factors (for example, js, css, visuals) which determine how quickly the website loads that it doesn’t give a fair reflection of each plugin’s ability. The only common denominator shared by all plugins tested is page caching / HTML caching and therefore this is the only element we can use to compare performance for these plugins and decide which is best.

[Figure: files-on-website]

Plug and Play Settings

This test was carried out using nothing more than the default settings of each plugin, in other words just switching them on. It didn’t take more than five minutes to install and set up each plugin. In short, one attribute was chosen and the plugin was activated.

Wait time

Wait, time to first byte, execution time. You can call it many things but your main concern is to keep it to a minimum. Firstly, to ensure a faster response time for the end user and, secondly, to lighten the server load, thereby allowing the server/webpage to handle more visitors simultaneously. An added bonus is the reduced risk of server overload and crash due to too many requests. I’m sure you’ve seen it when a product with broad appeal is shown on tv – you visit the website only to find lots of people have thought the same as you and the site is either intolerably slow or fails to load.

[Figure: wait]

On the accompanying green diagram, with measurements provided by external tools (Pingdom tools, for example), you can see that it took the server around 426ms to generate the html to be relayed to the user. With caching plugins this improves considerably and the best in this regard was W3 Total Cache with just 27.9 ms on average.
The reason that it’s faster than WP Super Cache or Quick Cache, for example, is quite simple. W3TC has created a static HTML file which, by means of a simple rewrite in the htaccess file, is shown to the user, if, that is, a static version exists. In contrast, WP Super Cache and Quick Cache both need to begin by going through WordPress in order to fetch the cached file (html and php) which they have previously generated.
Quick Cache is slightly faster than Super Cache. Though I haven’t investigated all the reasons for this, one of them is the fact that Super Cache processes a lot more data than Quick Cache, having as it does large files which check if the page should be fetched as a cached version and if the cached version of the page should be saved.

Number of requests and upload time on the server

The above principle holds true when looking at the number of requests the server can handle – the more the better. With a base measurement of 11.7 pages a second for the website without any caching plugins, a test of W3 Total Cache makes it possible for the server to handle no fewer than 3,636.4 requests per second. Quick Cache, with 691.1, was again better than WP Super Cache, with 334.5. Twice as good, in fact, and for the same reasons I’ve mentioned above.
The time which the server uses to create/generate/fetch the html which the user’s browser then processes must be as low as possible. The end result is that the server can handle lots more traffic simultaneously, with a corresponding decrease in the risk of crashing or of requests timing out. W3TC does this in 0.238 ms – that is, not even one millisecond. This means the website will load faster for the individual user and at the same time be able to handle a sudden spike in the number of visitors.

[Figure: time-per-request]

[Figure: requests-per-second]

The complete load time for the website

In a way the results from this part of the test are not especially usable because, as mentioned before, there are too many contributing factors at play to be able to draw any concrete conclusions from the data. Sometimes pictures, js and css files can be slow to load and other times fast. Even in the 120 tests I carried out I got results that ranged from up to 2300ms down to 1000ms (one second). The main culprit after plug and play optimization was almost always javascript files, which with a little optimization should bring the full load time down and give more stable measurements.
So even though full load time is best for W3TC we can’t declare it the winner on this basis alone. We need to look elsewhere to see or test the effect of html caching. And we can only do that after we’ve optimized js, css and pictures – otherwise they’re simply too unstable.

[Figure: loadtime]

Conclusion of plug and play tests (5 minute installation and setup)

W3 Total Cache is the clear winner in the plug and play test, mainly because it uses, as standard, the best method of caching and displaying page versions to users. It does this by completely bypassing PHP and WordPress and sending a static html to the user. Apache is super fast at handling static html files, so that’s definitely the way to go if you’re thinking about page caching. The only way to make it faster would be to completely drop the rewrite and instead generate files with their names and location already fixed, as we saw in the first test of the static html file.
The reason W3TC doesn’t quite get top marks in performance terms is precisely because it is a rewrite which the server must negotiate in order to reach the correct cached file. This results in the number of requests being 1000 fewer and processing time being around 0.080ms slower.
The two other plugins, in contrast, start up the PHP engine and WordPress and carry out a huge amount of data processing and finally end by displaying the cached html to the user. That’s the major drawback with these two plugins – that by default they run through PHP and WordPress.
Luckily though, WP Super Cache has another option, one which resembles the way W3TC does things. That’s what I’d like to test now.

Optimized settings for HTML/Page Caching

In the last test I looked at the default settings of each plugin. I used at most five minutes installing and setting up each one, simply switching on html/page caching.
But in this test I’d like to see what happens when I use twenty minutes (max.) setting up WP Super Cache in particular. The aim is that it performs best in terms of html/Page Caching – still the attribute which all plugins have in common.
I’m not going to look at Quick Cache as the previous tests have exhausted its possibilities. W3TC has already been optimally set up, by default, when it comes to page caching, so we’ve already covered it in prior tests.
I should mention in passing that W3TC also has the ability to minify html code but because the other plugins don’t support this it doesn’t fall within the compass of these tests.

WP Super Cache optimized

Under the heading ‘advanced’ you should take the following steps to best exploit the potential offered by Super Cache:

  • Choose “use mod_rewrite to serve cache files”
  • Tick “compress pages…”
  • Save.

If the htaccess file hasn’t been changed then you need to follow the instructions which follow after you have saved the file. This will require you to manually insert the rewrite code in the htaccess files.
Test results after setting up Super Cache optimally:

Test Results Combined

As you can see on the orange and blue graph, the improvement in Super Cache is quite significant. Performance has gone from 334.5 requests per second right up to 2268.5 per second, almost an eight-fold improvement. Wait time has been reduced from a little over 3 milliseconds to under 0.5. Overall waiting time has dropped from 52.6 to 32.3. The full load time, which again we shouldn’t emphasize too much, has gone from 1832 to 1581. All in all quite a big improvement for WP Super Cache.

Conclusion (The WP Caching Plugin Test Winner)

I conclude that W3 is the winner, with Super Cache in second place and Quick Cache coming last. The perceptive reader will have spotted that Super Cache didn’t quite become as fast as W3TC even when using the same technique. There’s a reason for that.

In the same way that W3TC wasn’t quite as good as in the first test because of rewrites in the htaccess files, the same thing happens to WP Super Cache. The difference, however, is that WP Super Cache creates around 60 lines of rewrite while W3TC only creates about 20.

To explain briefly, the more lines you have in htaccess, the worse the performance and speed. This is especially true when mod_rewrite is involved, since it is the module which rewrites use and it is a slow and unwieldy module in Apache.

It’s not just about load time

Yes, there are more things than load time to be considered when choosing a caching plugin. Of course it’s great when your website loads quickly for users but it’s also very important that performance is good. The faster the performance, the quicker the load time.

Reader request

At the request of regular readers I carried out a further test, one in which I used 1 hour to optimize all the functions available in W3TC. Or, more accurately, the only things I chose to optimize were minification of html, css and javascript, Browser caching and CDN. Even though after optimization I could still have further optimized theme, pictures and content etc., W3TC still managed to come down to an average load time of 537ms, with a variation of 100ms during the test, indicating that website stability was also improved. It needs to be tested some more to find out exactly how quick it’s become.

I’m sure many of you are thinking – “Yeah, well, you don’t really need to optimize anymore.” To that my answer is both yes and no. It all depends on your website, what you want to use it for and not least how many visitors you get. Of course, the more visitors you get the more essential it becomes that each of them can access your site as quickly as possible.

10 Tips for making your cPanel and WHM servers more secure

1) Use secure passwords!
Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.

You can edit /etc/login.defs to configure many password options on your system. It is well documented.

Generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test it using JTR cracker. If a password can be broken in a few hours, then it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.

2) Secure SSH 
Enable public key authentication for SSH and disable password authentication.

Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.

You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.

You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
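The three sshd_config settings from this tip (port, protocol version, password authentication) can be checked with a short script. This is an added example, not part of the original article: the function names and both sample files are constructed for illustration, and the Protocol default of 2,1 is taken from the commented line quoted above.

```shell
#!/bin/sh
# Added example: report which of the sshd_config recommendations in this
# tip a given file does not yet follow.

# Print the effective global value of keyword $2 in file $1, else default $3.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and "#Port 22" is a comment, so the default applies.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        {
            n = split($0, f, /[ \t=]+/)        # "Port 1653" or "Port=1653"
            k = tolower(f[1])
            if (k == "match") exit             # Match blocks are conditional
            if (k == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd() {
    cfg=$1
    findings=0
    port=$(sshd_effective "$cfg" Port 22)
    proto=$(sshd_effective "$cfg" Protocol 2,1)   # default per the article
    pwauth=$(sshd_effective "$cfg" PasswordAuthentication yes)
    if [ "$port" = 22 ]; then
        echo "Port: still 22"; findings=$((findings + 1))
    fi
    if [ "$proto" != 2 ]; then
        echo "Protocol: '$proto' allows SSHv1"; findings=$((findings + 1))
    fi
    if [ "$(echo "$pwauth" | tr 'A-Z' 'a-z')" != no ]; then
        echo "PasswordAuthentication: '$pwauth'"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a file where every line is still commented out.
sample_stock() {
    cat <<'EOF'
#Port 22
#Protocol 2,1
#PasswordAuthentication yes
EOF
}

# Constructed sample: after applying the tip (1653 is the article's example).
sample_hardened() {
    cat <<'EOF'
# a later duplicate does not override the first value
Port 1653
Port 22
Protocol 2
passwordauthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_stock > "$tmp";    echo "stock:";    audit_sshd "$tmp"
    sample_hardened > "$tmp"; echo "hardened:"; audit_sshd "$tmp"
    rm -f "$tmp"
}
demo || true
```

Settings inside a Match block apply only to matching connections, so the script stops at the first Match line and reports global values only.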

You may also wish to set Shell Resource Limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.

3) Secure Apache
The most readily available way to access a web server is, of course, the web server application. It is important to take steps to secure your Apache installation.

One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.

When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.

We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.

You should enable PHP’s open_basedir protection. This protection will prevent users from opening files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.

You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.

4) Secure your /tmp partition 
We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid will force a process to run with the privileges of its executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.

Also, running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.

5) Upgrade your mail to maildir format
Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you’re running an older copy of cPanel, you’ll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir; this can be done within /scripts/convert2maildir. If you see that maildir is enabled when running /scripts/convert2maildir, you are already using maildir and will not need to convert.

6) Lock down your system’s compilers
Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.

7) Turn off unused services and daemons
Any service or daemon that allows a connection to be established to your server is a way for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.

For Daemons on Linux:
Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.

For Services:
Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.

8) Monitor your system
It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.

Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:

netstat -anp : Look for programs attached to ports that you did not install / authorize

find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

ls /var/log/ : There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
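An added example (not from the original article) that makes the world-writable check above repeatable: it lists world-writable files and non-sticky world-writable directories, then reports only entries that are new since a saved baseline. The function names, the baseline file and the demo tree are assumptions, and it tests the "other" write bit with -perm -0002 rather than the -a+w test used above.

```shell
#!/bin/sh
# Added example: repeatable world-writable audit with a baseline.

# List world-writable regular files, plus world-writable directories that
# lack the sticky bit, under $1. Sticky directories such as /tmp are
# skipped because only a file's owner can delete or rename entries there.
# -xdev stays on one filesystem; symlinks are not followed or reported.
world_writable() {
    find "$1" -xdev \( -type f -perm -0002 \
        -o -type d -perm -0002 ! -perm -1000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print findings under $2 that are not in the sorted baseline file $1.
new_world_writable() {
    world_writable "$2" | LC_ALL=C comm -13 "$1" -
}

# Constructed demo tree so the example runs without touching the real system.
demo() {
    root=$(mktemp -d) || return 1
    base=$(mktemp) || return 1
    mkdir "$root/uploads" "$root/tmp"
    : > "$root/index.php"; : > "$root/config.php"
    chmod 644 "$root/index.php"
    chmod 666 "$root/config.php"       # world-writable file
    chmod 777 "$root/uploads"          # world-writable, no sticky bit
    chmod 1777 "$root/tmp"             # sticky: not reported
    world_writable "$root" > "$base"   # first run becomes the baseline
    echo "baseline:"; cat "$base"
    : > "$root/uploads/new.php"; chmod 666 "$root/uploads/new.php"
    echo "new since baseline:"; new_world_writable "$base" "$root"
    rm -rf "$root" "$base"
}
demo || true
```

On a real server the baseline would be stored outside any world-writable location and the scan root would be / or a home directory tree.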

There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:

  • Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire
  • Chkrootkit – Scans for common rootkits, backdoors, etc.
    http://www.chkrootkit.org
  • Rkhunter – Scans for common rootkits, backdoors, etc.
    http://www.rootkit.nl/projects/rootkit_hunter.html
  • Logwatch – Monitors and reports on daily system activity.
    http://logwatch.org

9) Enable a Firewall
Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.

The following will show the ports cPanel and WHM need open to function properly and what the port is used for:

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/WHMsFAQ#I_use_the_APF_firewall_rules_on

Please note that these ports are for all services that can be used by cPanel and WHM, you may or may not be using all of these services or other services and should adjust your rules accordingly.

Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.

10) Stay up to date
It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched against any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:

  • Kernel
  • cPanel and WHM*
  • User Applications (bulletin boards, CMS, blog engines, etc)**
  • System Software*

*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.

**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.

Installing ClamAV with MailScanner

These instructions will configure ClamAV to use the clamd daemon:

  • Make sure clamavconnector is NOT installed in WHM > Manage Plugins as this will break MailScanner
  • If you would like to verify ClamAV’s digital signatures on the virus definition files as they are updated through freshclam, you need to install GMP first:
    /scripts/ensurerpm gmp gmp-devel bzip2-devel
  • Next you will need to create a user for clamav to use:
    useradd clamav
    Some OS’s require you to add the group as well:
    groupadd clamav
    Don’t worry if the user and/or group already exist.
  • Create and chown the /usr/local/share/clamav directory:
    mkdir /usr/local/share/clamav
    chown clamav:clamav /usr/local/share/clamav
  • Download the latest stable ClamAV distribution from http://www.clamav.net
    Note: If you are running Fedora Core 4 or earlier, you cannot install any version of ClamAV later than 0.91.2 because of a broken gcc.
  • Expand the distribution and cd into the resultant directory and build ClamAV using:
    tar -xzf clamav-*
    cd clamav*
    ./configure --disable-zlib-vcheck
    make
    make install
  • pico -w /usr/local/etc/freshclam.conf
    Comment out the line (put a # as the first character on the line) near the top that says simply:
    Example
  • pico -w /usr/local/etc/clamd.conf
    Comment out the line (put a # as the first character on the line) near the top that says simply:
    Example
  • pico -w /usr/local/etc/clamd.conf
    Change the following line:
    #LocalSocket /tmp/clamd.socket
    to this:
    LocalSocket /tmp/clamd
  • Run ldconfig to create the necessary links and cache to most recent shared libraries
    ldconfig
  • Run freshclam to download the latest definitions:
    freshclam
  • Install the example init script that we provide:
    curl configserver.com/free/clamd -o /etc/init.d/clamd
    chown root:root /etc/init.d/clamd
    chmod +x /etc/init.d/clamd
    chkconfig clamd on
    service clamd restart
  • pico -w /etc/chkserv.d/clamav
    Add the following line:
    service[clamav]=x,x,x,service clamd restart,clamd,root
  • Create an empty log file for clamav updates:
    touch /var/log/clam-update.log
    chown clamav:clamav /var/log/clam-update.log
  • Add clamav to chkservd so that it will be monitored:
    pico -w /etc/chkserv.d/chkservd.conf
    clamav:1
  • At this point you can setup clamd in the MailScanner configuration:
    pico -w /usr/mailscanner/etc/MailScanner.conf

    Set the following options:
    Virus Scanners = clamd
    Clamd Socket = /tmp/clamd

  • Then restart MailScanner with:
    service MailScanner restart 
  • You can now set what domains you want scanned for viruses in:
    /usr/mailscanner/etc/rules/virus.scanning.rules
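
Before the MailScanner restart, the edits from the steps above can be cross-checked: both Example lines commented out, LocalSocket set, and MailScanner pointing at the same socket. This is an added example, not part of the original guide; the function names and sample files are constructed, and on a real server you would pass the three file paths named in the steps.

```shell
#!/bin/sh
# Added example: check that the clamd, freshclam and MailScanner edits
# from the steps above agree with each other.

# First uncommented "Key value" directive in a clamd.conf-style file.
clam_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# First uncommented "Key = value" option in a MailScanner.conf-style file.
ms_value() {
    awk -F'[ \t]*=[ \t]*' -v k="$2" \
        '$1 == k { v = $2; sub(/[ \t]+$/, "", v); print v; exit }' "$1"
}

# $1 = clamd.conf, $2 = freshclam.conf, $3 = MailScanner.conf
# Prints one line per problem; the return status is the number of problems.
check_clamd_setup() {
    problems=0
    for f in "$1" "$2"; do
        # clamd and freshclam refuse to start while this line is active
        if grep -q '^[[:space:]]*Example[[:space:]]*$' "$f"; then
            echo "$f: 'Example' line is still active"
            problems=$((problems + 1))
        fi
    done
    sock=$(clam_value "$1" LocalSocket)
    if [ -z "$sock" ]; then
        echo "$1: LocalSocket is not set (still commented out?)"
        problems=$((problems + 1))
    fi
    if [ "$(ms_value "$3" 'Virus Scanners')" != clamd ]; then
        echo "$3: Virus Scanners is not clamd"
        problems=$((problems + 1))
    fi
    ms_sock=$(ms_value "$3" 'Clamd Socket')
    if [ -n "$sock" ] && [ "$ms_sock" != "$sock" ]; then
        echo "$3: Clamd Socket '$ms_sock' differs from LocalSocket '$sock'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files in directory $1; $2 is MailScanner's socket value.
write_sample() {
    printf '%s\n' '#Example' 'LocalSocket /tmp/clamd' > "$1/clamd.conf"
    printf '%s\n' '#Example' > "$1/freshclam.conf"
    printf '%s\n' 'Virus Scanners = clamd' "Clamd Socket = $2" \
        > "$1/MailScanner.conf"
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d" /tmp/clamd.socket   # MailScanner left on another path
    check_clamd_setup "$d/clamd.conf" "$d/freshclam.conf" "$d/MailScanner.conf"
    echo "problems: $?"
    write_sample "$d" /tmp/clamd          # matches LocalSocket
    check_clamd_setup "$d/clamd.conf" "$d/freshclam.conf" "$d/MailScanner.conf"
    echo "problems: $?"
    rm -rf "$d"
}
demo || true
```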

Change hostname in CentOS

Hostname Change

There are 4 steps in a hostname change; luckily, all the steps are easy.

Sysconfig/Network

Open the /etc/sysconfig/network file with your favorite text editor. Modify the HOSTNAME= value to match your FQDN host name.

# sudo nano /etc/sysconfig/network
HOSTNAME=myserver.domain.com

Hosts File

Change the host that is associated with the main IP address of your server. This is for internal networking (found at /etc/hosts):

[Screenshot: hosts.png]

Run Hostname

The ‘hostname’ command will let you change the hostname on the server that the commandline remembers, but it will not actively update all programs that are running under the old hostname.

[Screenshot: hostname.png]

Restart Networking

At this point all the necessary changes have been made. You will want to restart networking on your server to make sure that the changes will be persistent on reboot:

# /etc/init.d/network restart