Stop User Enumeration in WordPress

This tutorial explains how to block user-enumeration scans in WordPress. As explained in greater depth here, user enumeration happens when some malicious script scans a WordPress site for user data by requesting numerical user IDs. For example, requests for ?author=1 through some number, say, ?author=1000, may reveal the usernames for all associated users. With a simple enumeration script, an attacker can scan your site and obtain a list of login names in a matter of seconds.

How it works

When scanning a site for user IDs, disclosure of user data happens in two ways. First, for permalink-enabled sites, requests for ?author=n (where n equals any integer) are redirected to the permalink version of the URL for that user, which by default includes the author’s login username. So for example, on a permalink-enabled site, the following URI requests:

http://ift.tt/1ojZOu7
http://ift.tt/1ojZM5p
http://ift.tt/1hdd89Q
.
.
.

..automatically are redirected by WordPress to their “pretty permalink” counterparts:

http://ift.tt/2965Z3U
http://ift.tt/2965yqk
http://ift.tt/29660om
.
.
.

..of course, the actual usernames will vary depending on your site, but you get the idea.

The second reason that user enumeration works to reveal user data is that theme templates typically display the author name on author-archive pages, in post meta information, and possibly in other locations, depending on the theme.

For more details on user enumeration, check out my article on blocking user ID phishing requests over at htaccessbook.com.

Should you be worried?

If you are sure that all of your users are using strong passwords that are updated regularly, then there is nothing to worry about. This tutorial is aimed at sites with multiple authors who may not be “password savvy”. If an author is being lazy with their passwords, then user-enumeration could definitely put your site at risk. Equipped with a known username, a perpetrator quickly may gain access using a simple brute-force attack.

So to be safe, check out the following techniques to protect your site against user-enumeration and brute-force attacks. They take only a minute to implement, and will serve to harden your WordPress-powered site with additional layers of security.

Step 1: Disable the scans

The first thing we want to do is block the malicious enumeration scanning. This can be done in one of two ways:

  • Add a code snippet to your theme’s functions.php file
  • Add a code snippet to your site’s root .htaccess file

Let’s check out each of these methods..

Block user-enumeration via functions.php

To block user-enumeration via functions.php, add the following code to your theme’s functions file:

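// block WP enum scans
// http://m0n.co/enum
// is_admin() is true when the request is for an admin screen; front-end requests are checked below
if (!is_admin()) {
	// default URL format; isset() avoids an undefined-index notice when no query string is set (e.g. WP-CLI)
	if (isset($_SERVER['QUERY_STRING']) && preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
	// inspect the requested URL before WordPress issues its canonical redirect
	add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}
function shapeSpace_check_enum($redirect, $request) {
	// permalink URL format: stop instead of redirecting ?author=n to the author permalink
	if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
	else return $redirect;
}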

No editing is required for this to work, just copy/paste and done. Here’s how it works:

  1. Check if the request is made by a user with admin-level capabilities
  2. Block the request if it’s for a query-string author archive

That’s the basic gist of it. Hit me up in the comments section for more specifics on what this code is doing, how it works, etc.

Block User Enumeration via .htaccess

If you would rather block requests at the server level, you can add the following slice of .htaccess to your site’s root .htaccess file:

# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} ^author=([0-9]*)
	RewriteRule .* http://example.com/? [L,R=302]
</IfModule>

The only edit that’s required is the domain/URI, http://example.com/, which you should change to match your own. For more information about this technique, check out my tutorial on blocking user-id phishing.
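To see whether your site is being scanned, and what the scanner received, the access log can be grouped by client IP. The following is an added example, not code from the original tutorial: it assumes the Apache/Nginx "combined" log format, a hypothetical threshold of five distinct IDs, and treats 301 as the permalink redirect described under "How it works" and 302 as the response of the .htaccess rule above. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs


def _line(ip, second, target, status):
    """Build one constructed log line in combined format."""
    return ('%s - - [10/Jul/2016:10:00:%02d +0000] "GET %s HTTP/1.1" %d 0 "-" "-"'
            % (ip, second, target, status))


# Constructed sample (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    # Unprotected site: IDs 1-2 exist and are redirected (301), the rest are 404.
    [_line("203.0.113.7", n, "/?author=%d" % n, 301 if n <= 2 else 404)
     for n in range(1, 7)]
    # Same scan pattern with the .htaccess rule active: every probe gets 302.
    + [_line("192.0.2.44", n, "/?author=%d" % n, 302) for n in range(1, 6)]
    # Ordinary visitor: one old-style author link and an unrelated page.
    + [_line("198.51.100.20", 0, "/?author=2", 301),
       _line("198.51.100.20", 5, "/about/?ref=author", 200)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def author_id(target):
    """Return the numeric ?author= value from a request target, or None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("author", []):
        if re.fullmatch(r"[0-9]+", value):
            return int(value)
    return None


def find_enumeration(log_text, min_ids=5):
    """Flag client IPs that requested at least min_ids distinct author IDs.

    min_ids is an assumed threshold; tune it to your own traffic.
    """
    seen = defaultdict(lambda: {"ids": set(), "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a combined-format line
        aid = author_id(match["target"])
        if aid is None:
            continue  # request did not carry a numeric author parameter
        record = seen[match["ip"]]
        record["ids"].add(aid)
        record["statuses"][int(match["status"])] += 1

    findings = []
    for ip, record in seen.items():
        if len(record["ids"]) < min_ids:
            continue
        findings.append({
            "ip": ip,
            "distinct_ids": len(record["ids"]),
            "id_range": (min(record["ids"]), max(record["ids"])),
            # 301 responses mean the request was redirected to a permalink,
            # so a username may have been disclosed to this client.
            "redirected_301": record["statuses"].get(301, 0),
            "statuses": dict(record["statuses"]),
        })
    return sorted(findings, key=lambda f: -f["distinct_ids"])


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

A non-zero redirected_301 count for a flagged IP means the scan ran before the block was in place, which is a reason to review the passwords of the affected accounts.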

Step 2:

At this point, we’ve added a code snippet (in either functions or .htaccess) that will block those nasty user-enumeration scans. The second part of the equation is to make sure that your theme does not disclose the login username of any authors or users. Unfortunately, there is no quick, one-step solution for this step, as it requires careful examination of your theme. Here are some things to check:

  • Author name displayed for each post
  • Author name displayed for author-archive views
  • Author name displayed anywhere else on the front-end

If your theme displays author names anywhere (as most themes do), there are a few ways to prevent username disclosure:

  • Change all user Display Names to anything other than the login name
  • Make sure any author/user template tags are not displaying the login name
  • Remove any template tags that display author/user login names
  • Disable author archives entirely (if not needed)

Of course, this is a general guide that may not be applicable to every theme on the face of the planet (there’s only like a billion of them). But it should be enough to give you the idea and help you implement the best possible solution for your site.

Why and How to Install the Yoast SEO for WordPress Plugin

While WordPress itself is already one of the best tools you could be using to improve your site’s SEO, optimization is a large, ongoing task that should be fully integrated into your marketing and PR strategy. Without thoughtful consideration, your site could easily become invisible to the people who need your content the most. Luckily, Yoast makes a great plugin to help you stay on top of SEO.

The aptly named Yoast SEO for WordPress has quickly become the go-to SEO solution for most WordPress developers. Our favorite features include:

  • The snippet editor which gives you the ability to edit your meta description. This means you can control exactly how your post will appear in Google. It’s a great opportunity to work in some of your keywords and make sure you’re going to quickly hook any potential visitors.
  • Automatic content analysis which checks the “Readability” of your post. This will help you make sure your sentences aren’t too long, and that you’re using enough transition words and sub-headings.
  • The ability to select a ‘focus keyword’ for each post or page. Once you select one, the plugin will review your content and give you suggestions for how you can improve your content to rank higher for that keyword. It’s a valuable part of the writing process that will help you remember to prioritize SEO every time you click “Publish”.

If you think your site could benefit from a little extra optimization help, here’s how to install the Yoast SEO for WordPress Plugin:

  1. Log in to your WordPress dashboard.
  2. Select “Plugins > Add New” from the left side-bar menu.
  3. Type “Yoast” in the search box under “Add Plugins”, then click enter.
  4. In the search results, find the “Yoast SEO” plugin by “Team Yoast”, then click “Install Now”.
  5. Click “Activate Plugin”.
  6. That’s it! Check to make sure it appears in your list of active plugins, as well as in your left side-bar menu and header menu.


WordPress 4.6 Beta 1 is Available For Testing

The WordPress development team has released WordPress 4.6 beta 1. This release includes a new process for installing, updating, and deleting plugins and themes, native fonts in the WordPress backend, and improvements to the post editor. It also contains a number of changes that developers should be aware of.

WordPress 4.6 Beta 1 is still in development and should not be used in a production environment. Instead, use the WordPress Beta Tester plugin to install the beta on a test site. If you come across any issues or think you’ve found a bug, please report it to the Alpha/Beta area of the support forums.

WordPress 4.6 is scheduled for release on August 16th.

WordPress Admin Switcher: A New Google Chrome Extension for Switching Between Admin and Frontend

photo credit: Ilya Pavlov

If your job involves working with WordPress, you probably switch between front and backend countless times every day while getting things done. Kellen Mace, a developer at WebDevStudios, has just released a handy Google Chrome Extension that will save you a few clicks while switching back and forth.

WordPress Admin Switcher offers a keyboard shortcut that will zip you from frontend to admin without having to reach for your mouse/trackpad: cmd + shift + A (Mac) or ctrl + shift + A (Windows/Linux).

The keyboard shortcut works on any WordPress-powered site to do the following:

  • Sends a logged-out user to the admin login
  • Sends a logged-in user on the frontend to the post edit screen for the post/page/custom post type currently being viewed
  • Sends a logged-in user from the admin to the corresponding frontend for the post/page/custom post type being edited (or else the main site URL)

The extension also supports switching to/from the admin on a subdirectory multisite install with URLs like http://ift.tt/299oMs6. It works on WordPress.com VIP sites and any WordPress-powered website. Clicking the extension icon also performs the same behavior as the keyboard shortcut. This chart on the extension’s GitHub page shows how many clicks users can save with the extension:

“I was envisioning this extension being most useful for experienced people who frequently work with WordPress sites and have a desire to speed up their workflow when logging into them and switching to/from the admin,” Mace said. However, the extension can also be useful for novice users who perpetually forget the URL for accessing their site’s admin.

In the future, Mace plans to add more features, including the ability to navigate to a specific post/page on any WordPress site, hit the shortcut to log in and then be taken back to the edit screen for the post you were viewing before logging in.

“That functionality depends on knowing the post ID, however, which not all WordPress sites expose on the front end,” he said. “So essentially the extension would try to infer the post ID from the page source. If found, it would send the user to its edit screen after login. If not found, it would just fall back to sending them to the main /wp-admin/ dashboard page.”

The keyboard shortcut doesn’t currently switch you to/from the admin if the focus is on Chrome’s omnibar, so Mace wants to update the extension to be able to listen for the keyboard shortcut and act on it even when in the omnibar. He also said he hopes to allow users the option to assign their own keyboard shortcuts if the default doesn’t seem natural for them.

If you work in WordPress and Chrome all day, this extension could boost your efficiency and productivity. I tested it and the current features work as expected. Install the extension directly from the Chrome web store or check out the project on GitHub.

Multisite Support Available In Orion

Multisite has been around since WordPress 3.0, allowing admins to set up a network of related WordPress websites or blogs, and run them all under one WordPress installation. It’s a nifty feature to have for certain website integrations. It’s a bit like Marmite, you either love it or hate it.

When using ManageWP for your multisite network, we have made sure that you can’t go wrong with it. You have been asking us to start supporting multisites, so now we have come up with a solution that we hope you will like.

How To Get Started With Multisite In Orion

Before getting into all of the gritty details of managing multisite networks in Orion, there are a few basic things to cover that need to happen. In our Classic dashboard you didn’t have to be the network site administrator, and we didn’t insist on having the parent website on our dashboard; you could just add subsites as you pleased. This has now changed, because we have improved our multisite support and made additional features available. In order to have multisite support in Orion, you have to have your parent website on our dashboard and you need to be the network administrator. This also means that you don’t need to have users/passwords for the addition of subsites on our dashboard. It saves you hassle and time when adding subsites, and it becomes as easy as checking a box.

How To Add Multisite To Orion

The first time you add a website to Orion, it has to be your parent website, and like in the Classic, you will get a list of all of the websites in that network. You can now check the box by the website you wish to add to our dashboard.

You don’t need to add all of your subsites to Orion, but we encourage you to. By adding your parent website, your network is activated in Orion and we, like with all of our websites, care about security and take precautions. Our Worker Plugin is our way of keeping your network safe and connected to us, so it’s great if we can do that for all of your subsites. It’s important to remember that all websites, including subsites, count as individual websites on our dashboard, but in Orion you can add an unlimited number of free websites. It costs you nothing to add all of your subsites to our dashboard, you just get the added benefits for all of them.

We always want to know how you think we should improve any given feature, so we wanted to ask you. When you create a new subsite in your network, do you want it added to Orion automatically, or would you prefer to get a notification asking whether we should add it to our dashboard?

Manage Plugins/Themes in Multisite

When it comes to managing your plugins and themes in multisite, we have made slight changes to make it easier for you. Plugins and themes can be active or network active. That means that they can be activated throughout your network, on all of your websites, or active on individual subsites. We have made it possible for you to pick and choose.

Activating Plugins

When activating a Plugin on a subsite (or a subsite is one of the websites selected for the activation of the plugin), you are given the choice to either network activate or activate for that website only.

Deactivating Plugins

When it comes to deactivating plugins you must consider that any plugin at any given time can be active somewhere else in the multisite network. In other words plugins can be network active, so that creates a few additional things to think about before deactivating plugins.

If your plugin is network active on a subsite, you can either skip deactivating it for the whole network (to which the subsite belongs) or you can choose to deactivate it across the multisite network by choosing network deactivate.

Activate/Deactivate Themes

Managing themes on multisites is similar to plugin management, the only difference is that a theme can not be network active, instead it can be network enabled. This doesn’t mean you need to network enable it, because Orion does the job for you. In other words, there is nothing new, and it’s the same for subsites and websites outside of the multisite network, simply go to the website in question and activate/deactivate a theme.

Plugin and Theme Deletion

We already talked about the distinction between plugins/themes being network active or active. This also affects the process of deleting them. If a theme/plugin is active on the network, first of all you must deactivate the theme or plugin on all subsites (across the network), if you wish to delete it. When you decide to delete said plugin/theme you are choosing to delete it across the network, WordPress does not offer the option of deleting a plugin/theme from an individual subsite. If the plugin/theme you have selected is on your multisite network, and also on other individual websites (outside of your multisite network), you can still choose to delete it outside of the multisite network.

If your theme/plugin is already disabled, and you decide to delete it, Orion will inform you that you are looking to do a network-wide operation. Again, it will ask whether you wish to delete it from your multisite network and from all other individual websites outside the network, or just from the individual websites outside the network.

Subsites Not In Orion

It would be great if you add all of your subsites to our dashboard, that way you can make the most out of it, but we can absolutely understand that you might not want to. If you don’t add them all, remember that you have added your parent website and shared your network with us. This means we can track your multisite network and all of the subsites in it, which is great because we are very careful not to perform any actions that might affect websites not on our dashboard.

Think of Orion as Big Mamma that thinks about all of the kids, even those that are playing outside. Orion will let you know if you are looking to perform an action that might affect your subsites not in our dashboard.

What Can Be Done With Multisite In Orion

If you have managed to keep up with all of the multisite features and do’s and don’ts, well done, you are at least two steps ahead of me!

It’s time to share some perks with you about how you can use multisite support in Orion. You have all in the past shown a lot of love for Orion Client Reports. What’s neat about them in multisites, is that you can have more than one client on your multisite network, and each one will get a separate client report with all of the updates that you have performed.

Like I said, Big Mamma loves all of her kids equally.

We also added a multisite network filter, so that when you select it you are able to see on the Orion dashboard all of the websites in that network.

What Can’t Be Done With Multisite In Orion

Multisite networks share their folder structure and database, and like with the ManageWP Classic backup it is not possible to offer Backup, Clone or Restore to multisites. Unfortunately, we can’t offer these features to multisites for now, but it is something to think about for the future.

How To Switch From Classic To Orion Multisite Support

There are two things you need to check before using multisites in Orion.

  1. You must have the latest version of our Worker Plugin (4.2.1). Make sure it’s updated before adding your multisite network.
  2. If you want to use multisite in Orion, the worker plugin must be network activated on your multisite network. If this isn’t the case, you must deactivate the Worker plugin from all multisites, and if they are on your classic dashboard remove them. Then you must add them, making sure that you have network activated the Worker plugin on your parent website.

If a website hasn’t synced, because of one of the above issues, you will get an error message like so.

You can find more information regarding the issue you are having on the notification. Have a look at our notification bell.

You made it to the end, tell us what you think and get started with multisites!

The post Multisite Support Available In Orion appeared first on ManageWP.

Getting Ready for the Switch From Classic to Orion

July 12 is approaching, and I wanted to write an article about what you and other ManageWP subscribers can expect to happen, and how to get the most out of this transition.

I’ll break the article down into three parts:

  • The current status
  • July 12, the Orion launch
  • August 1 and beyond

The Current Status

Right now our feature set has been locked in. Multisite support will be added by the end of this week, email & event notifications in the next week. I published a detailed article about the July 12 launch, and another one that talks about the pricing update and our bundles.

The TL;DR version of the pricing update goes like this: we tried very hard to keep the ManageWP prices in the same ballpark, even though the operating cost is higher than in the Classic version. You’ve got two pricing models at your disposal that you can mix and match however you see fit:

  • Per website pricing is more flexible and perfect for people managing up to 25 websites
  • Bundles are for people managing 25+ websites, they come in blocks of 100 websites and have a fixed price

July 12

We picked Tuesday for the launch because you’re always super busy on Monday, and we want to make the transition as smooth as possible.

Your legacy plan will remain active

You based your business on the Classic payment model, and any abrupt changes would jeopardize your business. We know and respect that, that’s why you can remain on the legacy plan indefinitely. Once you decide that switching to the Orion pricing model might be a good idea, you can start using it for a couple of sites without having to cancel your legacy plan, and gradually switch to the new model at your pace.

Here’s what each of the three plans will get in Orion.

Standard

  • Monthly Scheduled Backup, with manual backups (this is the custom version of the Scheduled Backup tool that reflects the functionality of the Standard plan in the Classic version)

Professional

  • Daily Scheduled Backup, with manual backups and cloning
  • Advanced Client Report

Business

  • Daily Scheduled Backup, with manual backups and cloning
  • Advanced Client Report
  • SEO Ranking
  • Uptime Monitor
  • White Label

The mirror and the Classic dashboard will still be here

For now, the mirror and the Classic dashboard will be available, in case you still want to use something on the old dashboard, or maybe upgrade your legacy plan.

You can now add websites to Orion, for free

The option to add a website in Orion will go live. Websites added in Orion dashboard will be on the Orion pricing model, and will not be mirrored back into Classic (because the number of websites in Classic is limited by your plan). If you want that website on a legacy plan, you’ll have to add it in the Classic dashboard. 

Orion pricing model will go live, but you won’t be charged

So far everything has been free of charge in Orion. On July 12 the pricing model will go live. Using Orion until August 1 is completely free, but if you want to turn on a premium tool, you will be asked to enter your payment card. This is because we’ve had a lot of abuse in the past, with people endlessly cycling through Trial accounts so they could clone and back up websites for free. We wanted to stop the bad practice without punishing everyone, so we did 3 things: we built a strong and usable free tier, a pay-as-you-go pricing, and we’re collecting the payment data at the moment when you start using premium tools.

New ManageWP website

The new website will focus only on the Orion features. We’re also upgrading our blog to make it easier for you to find relevant articles and guides. We’ve also recorded a bunch of videos that show you how to get the most out of each ManageWP tool.

Orion dashboard is now the default one

New users, and those currently on the Free plan, will only be able to access the Orion dashboard. If you still use the Classic dashboard, don’t worry: you’ll be given the option to switch back to Classic when you log in.

Lifetime discounts will be honored

Hey, a promise is a promise! Just bear in mind that a lot of you will also get a loyalty discount (10% for each full year as a ManageWP subscriber, up to 30%), but the loyalty discount does not stack with the lifetime discount.

Domains become websites

In Classic, the plan limit was calculated on a domain basis. So, if you had example.com and store.example.com, it was considered as a single domain. This posed a huge problem with the Orion pricing model, so we switched back to the per website model. Each WordPress installation is treated as a website. Each subsite in a multisite network is treated as a separate website. Since you can add an unlimited number of websites into Orion for free, in 99% of the cases this shouldn’t be a problem. However, if you have e.g. Professional (10) plan and 30 websites on your Classic dashboard, all 30 of them will be on the legacy plan in Orion, but you won’t be able to add more websites to the legacy plan until you remove the excess websites.

August 1 and Beyond

The Orion pricing model starts working

If you’ve turned on premium tools or bundles in July, the system will start tracking usage from August 1. Since this is a postpaid model, you will be billed on September 1.

Your legacy and Orion pricing are separate

Classic subscriptions are on BlueSnap, Orion is on Stripe. Each has its own cycle, rules and the active card. If you want to move everything to a single invoice, I recommend cancelling your legacy plan and moving everything to Orion.

Cancelling your legacy plan

When you cancel your legacy plan, you still get to use it until the next renewal. If you’d like your money back, or if you’d like to transfer the pro-rated credit to Orion, just open a support ticket and we’ll make it happen.

Disabling the mirror

You’re done with Classic, and don’t need the mirror? Since having a mirror means that any websites on a legacy plan need to be added through Classic, soon after August 1 we’ll work on a way for each user to turn off the mirror and shut down his Classic dashboard. At that point you’ll still be able to retain your legacy plan, but you’ll add and manage everything exclusively from Orion.

In Summary

In case you skimmed through the article, here’s the most important info:

  • You’ll keep your legacy plan for as long as you’d like
  • The legacy plan will be locked in, but we’ll be happy to make the change for you
  • From July 12 to August 1 you can play around with Orion tools for free
  • You can add as many websites to Orion as you’d like
  • Mirror and the Classic dashboard will be around for a while

Let me know if you have any additional questions, so I could update the article and help make the transition smoother.

Thank you for helping us make Orion what it is today, and what it will be in the future!

The post Getting Ready for the Switch From Classic to Orion appeared first on ManageWP.

How to Add Adults-Only Age Verification to Your WordPress Site

Do you know who is visiting your website? And, more importantly, does the demographic of your visitors even matter? For some businesses and bloggers, that answer is a resounding: YES.

If you’re reading this, you probably have (or need to implement) an age requirement restriction for visitors to your site. There are a variety of reasons for needing to restrict access to your content, but there are only a handful of ways you can go about enforcing this.

In this article, I’ll explore reasons why you may want to consider restricting access and some steps and tools for stricter regulation of your content—for your audience’s sake as well as your own.

Age Verification Restrictions: Does Your Site Need Them?

The world is a much different place than it was a couple decades ago. With the rise of digital technology and always-on access, anyone with an internet-enabled device can gain access to your site. While this has done wonders for businesses looking to expand their reach, it simultaneously poses a problem: how are you supposed to keep out those who aren’t old enough to view your content or purchase from your storefront?

If you’re seeking a way to restrict access to your website based on visitor age, it’s most likely because your content is not suitable for underage individuals. Here are some of the more common reasons:

  • Your website contains adult humor and subject matter unsuitable for children.
  • You sell or promote anything alcohol- or cigarette-related, which shouldn’t be viewed by anyone too young to purchase.
  • Your website offers sex- or dating-related content or services.
  • Your website contains violence or other content deemed inappropriate for younger audiences (think of rated “R” movies or songs with explicit lyrics, for example).
  • You offer a contest, membership, or another form of sign-up that requires the winner or member to be of a certain age.
  • Your services require a valid credit card or driver’s license.

Regardless of your reason—moral, ethical, legal, monetary, or other—the fact of the matter is that you, as a website owner, need to be responsible for upholding this restriction. Ideally, parents, schools, libraries, and anyone else providing internet access to children would be the ones teaching them about what is suitable content and what is not, and putting firm and well-monitored restrictions in place. But that’s not a realistic expectation.

Parental and educational guidance will only go so far, and that’s why age verification and restriction is such an important consideration to make when establishing your website. There are a number of laws and task forces in place to make sure underage individuals are protected from unsafe or unsuitable content (like COPPA, CIPA, and the FBI’s Cyber Crime division, to name a few), so it’s important to make sure your website and business are covered.

There are too many avenues through which underage users can access inappropriate content online, so do your due diligence as a responsible business owner/blogger/service provider and add the appropriate restrictions to your WordPress website.

Age Verification Restrictions: What Steps Can You Take?

Many of the suggestions mentioned below are, of course, going to be plugins. WordPress is a platform known for securing both users and visitors alike, so it shouldn’t come as a surprise that someone has thought of developing plugins to help websites build extra protection/restrictions against the wrong type of visitor (namely, those who are too young to view the content).

Whether you already have an age verification system or tool on your site or not, these tools are worth a look. If you want an extra layer of restriction, are looking for a nicer way to display a warning notice, are curious about newer and more effective plugins, or are afraid you’re missing something, this list of suggestions will cover your questions.

Jack Daniel's asks visitors to verify their age before entering their site.

Step 1: Add a Privacy Policy

Every website should have a privacy policy in place. Why? Because you need to let visitors know that you have them covered and that you’re not collecting their information for unsavory purposes. Need another reason? Well, the privacy policy is especially necessary when it comes to child protection laws and ensuring that your site abides by them.

Privacy policies should include information related to:

  • The type of information you collect from visitors.
  • How you go about collecting it: via cookies, analytics, sign-up forms, etc.
  • Any specific third-parties involved in setting up cookies and targeting visitors once they’ve left your website.

Our suggestion to you is to not take any chances and make sure you’ve got a privacy policy in place. If you’re not sure how to create one, find either a template or a plugin that will help you prepare one.

Suggested Tool: The Auto Terms of Service and Privacy Policy plugin has you covered. Once installed in WordPress, go to Settings > Auto TOS & PP so you can customize and grab the shortcodes for embedding on your website. (The best place to put this will be in the footer as well as on any age verification request page or popup.)

Step 2: Create an Age Disclaimer Page

Now let’s talk about setting up restriction gates.

Depending on how much your website needs restricting (for some of you it may just be a page or some blog content), an age disclaimer home page might be a good starting place. While the disclaimer itself won’t be enough to deter underage visitors from clicking through to see the rest of the site, it will still notify visitors of the mature content they’re about to see (or the other blocks they can expect to encounter).

There are a few options for a disclaimer page. You can create a new home page, brand it to the rest of your website, and:

  • Add a note that mentions the age restriction, like “Are you 18 or older?” Once they click “Yes” they’ll then be taken to the rest of the site.
  • Add a form that requires the visitor to enter their birthdate for confirmation. If the age is over your requirement, they can then enter the site.
  • Add a login or sign-up requirement so that you can manage which visitors can actually gain access to your website.

Again, none of these options is necessarily going to keep out visitors who don’t meet your age requirement, but they will at least serve as a first warning. Remember to have other systems in place to properly vet visitors’ eligibility.

Suggested Tool: No other tools needed aside from your own web design/development skills to set up the page.

Step 3: Set up a Verification System

Once you’ve got all the general statements regarding the nature of your content out of the way, it’s time to set up a verification system.

Verification systems will work similarly to the Jack Daniel’s website. Verification system plugins don’t require users to build a separate home page disclaimer warning, so you’ll be able to skip step 3 if you choose to go this route. In addition, all access to the website is blocked. Visitors must confirm their date of birth and then agree to your website’s privacy policy, terms of use, and use of cookies. Once they’ve done that, they are then given access to the site.

Again, it’s important to remember that an age verification system can only work so long as your visitors are honest about their age. As long as you’ve informed them of the risks and protected yourself with privacy statements, you’ve taken the right steps in protecting your website and business from unlawful activity (on the side of the visitor).

There are a number of plugins available that will help users to easily set up an age verification system. Code Canyon (through Envato’s marketplace) also has a number of premium solutions to consider. These tools will help you create a gated entryway that will provide a general statement regarding your site’s content, an age verifier, and an acceptance of the rules of use and access.

Suggested Tools: The Age Verify plugin is by far the most popular and well-ranked. Code Canyon has a few premium plugins available as well: Adults Only Age Verification System, Age Verificator, and Premium Age Verification/Restriction. The Premium Age Verification/Restriction plugin appears to offer the most flexibility and customization out of the three.

If you want more control over the age verification gate, how it looks, how it works, whether or not your site can be seen underneath the overlay, etc., make sure to take those customization options into consideration before making any purchases. Also, make sure to check out previous customer reviews and notes on the plugins to verify that they’ll be compatible with your current plugins.

Step 4: Create a Warning

As you can see, each of these steps serves to build up the number of checkpoints you have on your website. They can also work separately from one another. So if full-page gates aren’t your thing, you may prefer to use more intuitive popup warnings and verification tools.

Unlike with verification systems, popups give you a few more options to work with and provide more flexibility:

  • Select specific pages or blog posts upon which you want to set the gates.
  • Create redirects if the visitors don’t pass your age requirements.
  • Customize the message, popup colors, and more.

Whether you’re just looking for an additional warning on pages containing more mature content or you prefer this option to the entry page gateways, popup functionality is another path worth considering.

Suggested Tools: The Content Warning plugin provides you with a simple warning popup. Popup Maker, on the other hand, has an age verification popup modal, which takes everything that verification systems have to offer and adds it to a popup format.

Step 5: Restrict Access to Content

Full website restriction isn’t always necessary.

Perhaps your website is acceptable for universal access, but you’ve covered a controversial topic on a recent blog post. Or perhaps your storefront has an Adults Only section. This would be the time when you’d want more control over who can see different parts of your website. Age verification tools aren’t necessarily going to give you that flexibility.

Suggested Tools: Unsurprisingly, these tools are all plugins. Each of these serves a very specific purpose, so the one you use will be determined based on the type of content that requires restricted access:

  • Ultimate Category Excluder: If your website is an otherwise safe place for all ages to visit, but the occasional blog post contains graphic or unsuitable material, then this plugin will help you hide that type of content from site feeds and searches (when categorized accordingly).
  • WP Hide Post: This plugin is similar to the Category Excluder plugin, although the main focus with this one is to choose which individual blog posts you want hidden from specific locations on the website.
  • Restrict Content: This plugin sets up restriction rules based on membership levels. So if your website already allows for sign ups or subscriptions, the Restrict Content plugin is a natural choice since it’ll be an extension of that functionality, all while giving you better control over who can see what.

Wrapping Up

As a website owner, developer, or someone else responsible for the management of a website, the last thing you want to worry about is putting your business at risk—or exposing underage individuals to inappropriate content—simply because you allowed the wrong people to view your content. All it should take are six easy steps (if that) to make sure your content is seen by the right visitors.

Gravity Flow Review: Easy Automation of Your Business Workflows

Long before the invention of email, businesses of all sizes used paper for every workflow process they had. For instance, applications, annual reviews, and purchase orders were all created on paper and signed by the appropriate person. Then they were stored in a large cabinet overtaking the corner of someone’s office.
Over time this became

The post Gravity Flow Review: Easy Automation of Your Business Workflows appeared first on WPLift.

5 WordPress Themes For Photographers

It’s incredibly important for photographers to display their work in a beautiful way on their website, and WordPress makes this easier than ever. Of course, any WordPress theme can display images and other media, but not all are optimized to make sure your photos look the best they can.

These five themes are perfect for photographers looking for an easy way to shine a light on their work.

Infinite Photography

Infinite Photography’s power is in its ease of use. Simply choose your cover photo for the top section where your title is. Then lay out the photos you want in a large grid by clicking on each box. The theme takes away the clutter and lets your work take center stage.

You can also customize everything from the location of the sidebar to the color, logo and more.

PhotoBook

As you may have guessed by the name, PhotoBook acts as a display book for your photos. It is fully responsive, mobile-friendly, and translation ready. You can display your favorite 10 images right on the front page which can all be clicked on and looked at closer.

The theme comes with built-in social widgets that will allow people to not only view your work but also share it on their social media accounts.

Photo Perfect

Photo Perfect is completely customizable and responsive. It’s no wonder it has more than 6,000 active installs. The theme allows for a gallery as well as a blog, which is a great option for travel or food photographers. Adding and deleting photos is easy so you can switch them out weekly, monthly, or as you see fit.

Viewers can look at your favorite photos, or search by category.

Photolab

One of the simplest themes on the list, Photolab, ensures that all of the focus is on your photos. Whether you want to display writing, photography, quotations, or more, this theme highlights what is important. The whole thing is surrounded by a tasteful border.

The theme is fully responsive and will look just as great on a computer, tablet, or phone.

Photographer

Photographer allows your content to be viewed in a Full-Screen slider for an easy way to quickly navigate the site. For those who want to take more time perusing your photos, use the portfolio feature. Here you can keep all your photos and organize them by category or date. The theme also allows you to integrate text within the photos to tell a visual story, which is a great option for graphic designers or illustrators.

You can’t go wrong with any of these beautiful themes, as they all allow you to display your work beautifully.

What are your favorite themes for displaying photos? Answer in the comments below!

Emily Schiola

Emily Schiola is a Staff Writer at Torque. She loves good beer, bad movies, and cats.

The post 5 WordPress Themes For Photographers appeared first on Torque.