errorYou’re not on an error page.

Just wanted to say this up front since the headline says “page not found.”

Anyway, the concept of error page selling is something I’ve stumbled upon a couple of weeks ago when looking at a product called Wishlist Error Page Booster (WEPB).

I didn’t actually buy it because I don’t have a membership site, but the idea itself is brilliant.

In short, it’s all about turning your error pages into sales pages.

In a minute, I will show you how to make this possible on any WordPress site for free, but first, let me give you a WEPB example:

If you have a membership site then naturally, some of your content is not available to the public. This means that whenever someone who’s not a member tries to visit it, they will only see an error message (an error page).

However, most of the situations where visitors actually see those pages happen when a non-member tries to view some premium content, or a low-plan member tries to view your upper-plan content (in case you have more than one membership level).

WEPB lets you capitalize on that by taking the error pages and using them to display a custom sales message along with a buy button, which effectively turns your error pages into sales pages.

This kind of selling can be very effective because the visitor is already interested in the content (since they’re viewing the page), so they should be much more likely to buy from you.


There are two downsides to this plugin (oh, WEPB is a plugin, did I mention that? … anyway):

  • WEPB is $47,
  • and it needs another plugin to work – WishList Member, which is either $97 (single site license), or $297 (multi-site license).

As you can see … you need $150 just to get started. And if you don’t have a membership site launch in plan then buying WishList Member is kind of pointless (by the way, it’s one of the best membership site solutions available, but that’s a whole other story).

Free WordPress Error Sales Pages

Of course, there’s always a way to create a similar sales page, only for free.

Every WordPress theme has a custom file meant to display error pages. It’s usually called 404.php and can be found in your main theme folder.

If you’re savvy enough, you can edit the file by hand, create some widget areas, and then place a sales message inside one of the areas.

If you’re not, you can use some free plugins:

The first plugin worth mentioning is called 404-error-monitor. This one doesn’t create any custom error pages, but it logs 404 errors that visitors encounter on your site.

This means that whenever someone gets a 404 error, it goes in the log. By taking a look into such a log, you can find some frequently occurring errors and then maybe create custom pages to take their place (pages with manually placed sales messages).

Another approach is to use a plugin called Custom 404 Error Page. This one will probably be a little more handy because it doesn’t require any research work. You just create a custom page, click save, and you’re good to go.

Basically, this plugin gives you the possibility to control your error page through the WP Dashboard (almost like any other standard page). You can tweak the content, the background, the images, etc.

This functionality allows you to turn your error page into a sales page with ease (like I’m describing here), or …

You can use your error page to helping find missing children

Yeah, how did I go from “selling” to “helping find missing children,” right?

Anyway, the thing I’d like to mention here is a website called It’s a place that lets you help find missing children by including an additional box on your 404 error page. The box displays a picture of a missing child along with some additional contact info.

There’s a plugin that makes the whole thing hassle-free: 404 Page.

So you know … it’s up to you. Either (1) do nothing with your 404 page, (2) turn it into a sales page, (3) turn it into a page for helping others, or (4) turn it into a sales page along with a box (because why not do both?).

Lastly, I still consider Wishlist Error Page Booster and WishList Member great plugins (for membership sites), and that’s why I’m linking to them here.

Page Not Found; But Wait There’s More! – The Art Of Error Page Selling |

web-hostingI wanted to write this post for a long time. But never got to do it until today because I had the impression it would require much effort and time … and be kind of boring.

But when I finally started writing I was surprised to learn a thing or two about web hosting myself. So I guess we can all benefit.

This guide is about every aspect of web hosting that might be important to an online business owner (at least every aspect I know of). You can follow the advice step by step or just pick the elements that seem to be the most significant for your current situation.

Starting with:

Free hosts vs. standard hosts

Where “standard” means ones you have to pay for.

The concept of free hosting was kind of big in the mid 90s’. There were free sites sprouting up everywhere. But what everyone realized soon after was that free hosts are not very quality ones.

The main problems were the frequent downtimes and ads being displayed everywhere (ads you had no control over, and couldn’t profit from).

Thankfully, this is in the past and now we have some quality free hosting platforms to choose from. I’m going to recommend only one, though. So if you want more, you’re going to have to do some researching on your own.

The platform is is the cloud hosted version of WordPress – the platform I’m using to run this blog.

The main benefit of using .com is that you don’t have to worry about any technical issues or take care of some mundane tasks like setting everything up and managing the backend of the site. allows you to hook up your own domain (more on that in a minute), so your visitors won’t even know where you’re hosting the site. And if you don’t want to buy a domain, you can get a free subdomain at

If you choose this path you can actually stop reading here. There are no other steps you need to take…


There are some downsides to using services like this. Unless you’re a big publisher who’s really powerful.

The main downside is that you never actually own your blog.

I know that the guys at say that you do, but it’s not true.

That’s because if they decide that your blog is no longer “cool,” they will delete it just like that.

To give you a counterexample. If you’re hosting your blog yourself then even the government will find it difficult to shut you down.

So, moving on to, in my opinion, a better solution – standard web hosts.


If you’re going to sign up to a standard web host, the first thing you’ll have to do is get yourself a shiny new domain.

The best place to do it depends on your geographical location. If you live in the U.S. I think the best choice is GoDaddy. If you’re in Europe or Australia, do some research of your own or ask your friends about who they are using.

Essentially, the place where you get your domain doesn’t matter. So find the cheapest registrar in your area.

In the end, a domain is about $10 yearly.

If you want to learn more about how to choose the right domain, I send you over to one of my guest posts at ProBlogger: Which Domain Is Right for You?.

Choosing a web host

Once you have a domain you can start looking for a hosting provider.

These days, most of the popular providers are quality ones. Although sometimes you can have some bad luck and run into some trouble. Like I did with WPWebHost (the malware thing).

However, the first rule of finding a hosting provider is to get a server that’s near your target market’s location.

For instance, most of my audience is US-based, which means that I can safely use HostGator. However, for my other sites, ones that are targeting audiences in Poland, I’m using a Polish-based provider. This is a crucial rule.

Therefore, if your audience is based in the U.S. you won’t have any problems at all selecting a webhost. Same thing for Australia, UK, and Europe. If you want to target audiences in Russia or Asia then sorry but there’s not much I can recommend as I have no experience there.

Here’s my list of hosting providers you should check out first (we’ll talk about the different types of plans in a minute.)


  • HostGator. My web host of choice. Great service, low prices. It’s actually where I’m hosting newInternetOrder right now.
  • Blue Host.
  • Site5.
  • IX Web Hosting.
  • FatCow.
  • Rackspace.
  • Verio.
  • ServInt.
  • Codero.
  • SoftLayer.
  • FireHost.



  • IX Web Hosting.
  • FatCow.
  • City Cloud.
  • Speednames.
  • Surftown.
  • GratisDNS.
  • Binero.


  • Hetzner.
  • Web Africa.
  • Afrihost.
  • 5ITE.
  • Synergy Hosting.

Selecting a plan

Before you can choose a specific hosting provider, you should first compare the prices across the market for a specific type of plan. Just because some company says that you can start at $2 a month, doesn’t mean that you’re going to end up paying this little.

There are several basic types of hosting plans (feel free to go to Wikipedia to get the full story):

  • Shared web hosting. It’s the cheapest plan and usually the most suitable for new sites. The idea is that your site gets placed on the same server as many other sites – hence sharing the hosting space.
  • VPS – Virtual Private Server. This is still shared hosting, but your server is configured separately as a virtual machine. Which means that you get some control over the setup and get some of the benefits of having a fully dedicated server.
  • Dedicated servers. You get your own machine and have full control over it. Well, you don’t actually own the machine, per se, but that’s not important here.
  • Cloud hosting. This is one of the more scalable models. Setting all the boring details aside, cloud hosting is about placing your site on multiple servers in a data center and then delivering the contents depending on the volume. This means that your site is less likely to go down due to whatever difficulties.

If you’re starting a standard online business site, which means that you don’t have a massive launch campaign supporting you (mentions in media, heavy advertising, and so on), you can confidently go with a standard shared hosting plan.

In most cases, this is only going to cost you $5 or so per month. So go ahead, pick your provider (make sure to check online reviews and overall reputation of the provider you’re about to pick), click the buy button and complete the purchase.

The setup process

This is the final piece of the puzzle. Once you’ve signed up for a plan, the only thing you have to do now is point your domain to your hosting account.

Of course, later on you also have to install WordPress and eventually launch your site, but that’s a whole other story.

Three steps you have to take here:

  1. Get the nameservers from your hosting provider. GoDaddy says that nameservers are the internet’s equivalent to phone books. What this means is that a nameserver is the internet’s way of finding out where your domain is hosted. The thing you have to do here is simply contact the support at your web host and ask about the addresses of the nameservers. This is a pretty basic piece of information so you should have no problems getting it.
  2. Go to your domain registrar and set the nameservers for your domain. This is where you have to tell your registrar to point your domain to your web host’s nameservers. If your domain is at GoDaddy, just go to Account Manager > Domains > Launch and Select “Set Nameservers.” Then select “I have specific nameservers for my domains” and click “OK.”
  3. Set the domain in your hosting account. Now it’s time to notify your web host about your domain. Depending on your web host, this can be done in many ways. Probably the best approach is to chat with the support team and get them to do this for you.

At this point your domain and hosting account are ready to host your new website, so there’s nothing more for me to explain.

I hope the information here will help you to get through the process of selecting and setting up your hosting account. With some experience, this whole thing can be done in less than an hour, so there’s surely nothing to be afraid of.

Web Hosting for Online Business – Complete Guide |

drinkAh yes, the new year is almost here and this means time for some new year’s resolutions. Besides some obvious stuff like losing weight and spending more time with your kids I want to interest you with some online business related resolutions. And I promise these are not things you’ll just abandon by the end of January.

1. Don’t create any crap products

This is something I talked about just recently. Crap products are things like 15 page e-books that are sold to your audience as “the best thing ever” when in fact they are just meant to make you some quick buck.

An odd thing for a new year’s resolutions list because it’s something I ask you not to do. And it’s probably even more strange as every marketer online tells you to indeed go out and create such simple products.

If you want to get my complete point of view on this, feel free to visit my other post titled so-called quality product creation. In short, simple products like that don’t help anyone, and they are often very poorly produced (yes, the workmanship matters too, not only the raw content).

2. Make your newsletter content driven

First of all, if you don’t have a newsletter yet, launch one this week (you can use the free plan at MailChimp). And if you do, make sure that it’s content driven, as opposed to promotion driven.

In a nutshell, send not more than one promotional message for every nine pure content messages.

I’m sure you realize this, but your readers really don’t care about promotions. They’re being hit left and right with promotions so they most certainly don’t need you to do the same. And if they’re still subscribed, it only means that you haven’t crossed the line yet. But if you do, they will leave.

3. Build a network of 10 people

The word network is not my favorite one so let me elaborate. What I actually mean is building relationships with 10 people, either inside your niche or in some related niches.

The point of such relationships is to gain valuable connections, which you can then use for joint ventures or some other projects.

They key to successful communication is to start on a personal level and don’t ask for any favors upfront. I’m sure you already have some people on your mind you’d like to connect with. Therefore I encourage you to start as soon as today.

4. Write at least 10 guest posts per month

Guest posting is one of the best promotion methods for any website, not only blogs or online magazines. The power of guest blogging lies in user engagement and link building on quality domains.

Quite simply, if you write an interesting enough guest post, some of the readers will click the link in your bio and visit your site. The more targeted the blogs where you guest post are, the better results you’ll have.

5. Take action on one of your IM products

I’m sure you bought some of those in the past… However, chances are you didn’t take action all the way through. Now is a good time to finally do it.

(That is, of course, if you still consider the product being a quality one.)

6. Try getting a freelance contract

Because why the hell not…? Freelancing is one of the best direct methods to make money. You have the expertise and you have the knowledge … quite frankly, you don’t need anything more.

To make this happen, you can either look within your niche and try to come up with some offerings of your own, or browse some of the popular online job boards and look for interesting opportunities there.

Getting some freelancing experience will give you a way better insight into people’s needs, as compared to offering random products based on your own judgment.

7. Buy new assets

Things like new domains, new licenses, and anything else that can help you make money directly.

To give you a more accurate definition, let’s have a look at Wikipedia:

[...] assets are economic resources. Anything tangible or intangible that is capable of being owned or controlled to produce value and that is held to have positive economic value is considered an asset.

Now, be careful not to buy a liability. Focus only on things that have a strong potential to make you money directly.

8. Build a social media presence

Finally, the most favorite thing for anyone online – social media. What I actually advise here is pretty basic. Pick just one social media network where you want to build your presence in the next 12 months. Not all at the same time.

Also, it’s best to pick the one that’s already producing some good results for you. Remember, it’s always easier to improve what’s already working than to build something from the ground up.

The exact way how you’re going to do that is up to you. There are more than enough social media blogs on the internet to help you.

9. Start a series on your blog

A series is a simple sequence of posts talking about one complex topic. Instead of explaining all the whys and hows here, let me send you over to some other resources.

First, some examples:

And finally, a post explaining how to build a series and publish it on a WordPress site: How to Publish a Series of Posts in WordPress.

I guess that summarizes my list of new year’s resolutions for online business owners. Are you planning to take action on any of the things mentioned here? Or maybe you have something else in plan?

Hungry for Some New Year’s Resolutions for Your Online Business? |

malwareThis isn’t actually funny at all.

I don’t know if you noticed this, but my site got infected with some malware about a week ago.

The malware was not a result of my reckless behavior or anything. Just some malicious Apache module sitting on the server at my web host (cheers, WPWebHost, we’re probably not going to do business any more).

First of all, here’s how it all started.

One day I received a friendly email from Google:

Dear site owner or webmaster of,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on


We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed.


Google Search Quality Team

Now, the tone is very friendly, yet what it actually means is this:

Your site is infected. We’re banning it from the search engine results. Get it fixed now!

And this is something my SEOmoz monitor confirmed a while after. Here are the rankings for my main keywords:


Nice, huh?

And of course, whenever there’s malware on any site, every major browser starts to display a warning message when someone tries to visit it. Which means that what followed shortly afterwards was a decline in traffic.


Well, it was about time to do something.

So I started digging and found that the malware was only visible on which was funny because the template file responsible for this URL is archive.php – and this is a file that also runs my date archives and category archives. Besides, there are also tens of other tags on the site, yet only this one was infected.

This was clearly not a problem with any of the template files. The problem was sitting somewhere deeper.

Since I’m an engineer and have a Master’s Degree in computer science I have to say that this malware was a nice piece of coding.

It didn’t come up during every scanning attempt (it only presented itself once every X times), it banned the most often used IPs (so whenever someone tried to visit the page more than X times the malware was no longer active), and as I said before it didn’t put any suspicious code inside any of the WordPress files.

While doing my research I stumbled upon this great post: Malicious Apache Module Injects Iframes.

It describes the exact problem I was experiencing. Here’s a screenshot from one of my Sucuri scans:


There’s an iframe located outside of the visible area. The URLs and the method is the exact same one as described in the article.

Hosting problems

Now the best part.

The support team at WPWebHost is crap.

Here’s the usual scenario when you contact them:

Me: hey, there’s a problem with my site.

Them: no, there’s not.

Me: yeah, there is, {explanation}.

Them: no, we did one single test, there’s not.

Me: there is; here’s {evidence #1}, {evidence #2}, and {evidence #3}.

Them: okay, there is, I’m transferring your ticket to our upper level support.

Them (upper level): hey, we did one single test, there’s no problem.

What. The. Hell?!

Anyway, after going back and forth a number of times they were finally able to fix it. Without even explaining what happened. And without saying anything about what I can do to prevent similar situations in the future.

But that’s not the end of the story.

Here’s my downtime graph:


The red spots indicate the downtime.

Oh, and there’s also one more problem about my emails not reaching their destinations…

Long story short… Sorry guys, but it’s time for me to move on. And make sure that this post ranks well for phrases like “is WPWebHost any good” or something similar.

The current situation

Well, everything’s fixed. I’m in the middle of transferring my account to HostGator, and hoping that my rankings will return soon.

There’s no longer any malware on my site and I hope it stays this way.


As it turns out, Google works quite quickly to recognize every change. What this means is that my site is back in the ranking, which is great. Check this updated graph by SEOmoz:


Once Upon a Time … There’s Some Malware on Your Site |

Today my buddy Sander pointed out that he suddenly had pages showing as noindex,nofollow when he ran a spider across a site. A bit more researching learned us that WordPress automatically adds a noindex, nofollow robots meta tag to each URL that has ?replytocom in it. At first I (wrongly) thought this was new to WordPress 3.5, but it turns out to be the default behavior for quite a while already. All the more reason to tell you about it:

What are these ?replytocom links?

Most blogs these days have threaded commenting enabled, which means that you can reply to every comment by clicking on that comments reply link. This is very neat to keep the conversations together and a feature I deeply love. This feature normally works with javascript, but because of accessibility, there is also a fallback option. If you don’t have javascript enabled, or, if you’re a bot, you’re not capable of handling it, you’ll see links that look as follows:

This would force reload the page and give you the option to reply to the comment with ID 1. I absolutely hate that fallback link. On a site like this one, with often over a hundred comments on a post, it means there are 100 links pointing to that same article, causing a lot of crawling that’s totally unneeded. For this reason I added the option in my SEO plugin to remove it, which you’ll find under SEO → Permalinks:

remove replytocom variables option in WordPress SEO

So what does this noindex,nofollow do?

Unfortunately, the robots meta tag WordPress adds essentially makes every URL with
?replytocom in it a dead end street. Because of the nofollow bit of the robots meta tag it adds, if say, Mashable would link to a URL with replytocom in it, my site wouldn’t actually benefit from that link. Doing nothing is much better: the rel="canonical" link element on the page, that points to the clean version, would tell search engines to use that clean version.

This is the reason why, when I found out, I immediately released version 1.3.3 of my WordPress SEO plugin that removes that noindex,nofollow line. I’ve also opened a trac ticket, we’ll see what happens with that. For now, my advice is: upgrade to 1.3.3 and check that remove replytocom variables box, unless you really need the non-javascript version to work.

WordPress threaded comments and SEO is a post by on Yoast - Tweaking Websites. A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

Sucuri Safe PluginOne of the benefits of making money on paid plugins is that you can more easily spend money for other people to look at and even better, review your plugins. Today is the first result of what might become a somewhat longer tradition: WordPress SEO is now a Sucuri Safe Plugin.

What this means? It means I’ve asked Sucuri to do a full security review of my WordPress SEO plugin. They found a couple of small issues, which I’ve all addressed in the 1.3 release I put out earlier today.

So while 1.3 might not be a major release in terms of functionality, it is the result of quite a bit of work. If you check this commit, you’ll see a ton of little changes have gone into the plugin. Most of them are really minor, but all combined, they make for a better and, more importantly, safer plugin.

I plan to do more updates to my biggest plugins to fix things like this. It’s great to be able to do that because of a, now thriving, paid plugin business. So thank you, to those of you who bought a premium plugin, you are helping us give you a better product!

WordPress SEO, more secure than ever before. is a post by on Yoast - Tweaking Websites. A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

Not that long ago I had the opportunity to publish a series of guest posts on ProBlogger. This series was about handling some of the basic stuff in WordPress – stuff you always have to do, yet there’s not that much how-to advice about it on the web.


If you’re an online business owner then (and it’s not the first time I’m saying this) building your website with WordPress is probably the wisest thing to do.

The platform is free, very functional, and easy to tweak to fit your requirements hand-in-glove.

When you make the decision to go with WordPress, most likely your next task will be to pick the perfect theme. The theme will help you define your new brand, showcase your products/offerings, and get people engaged.

This is what the first post in the series is about:

How to Select the Perfect WordPress Theme for Your Blog

Once you have the theme picked, you have to get it installed on your site. For people who have been working with WordPress this is basic, but beginners find it quite challenging as it requires some specific actions and specialized software (like FTP apps).

This is what the second post in the series is about:

Install Your First WordPress Theme

At this point, your new site is pretty much installed. The only thing you have to do is create content, promote it, and build your brand.

However, if you want to be certain that your new online business is safe (from a technical point of view) then there are some additional tasks worth looking into.

Nothing fancy, nothing difficult. You don’t even need to touch any source code. Everything can be done either through well thought through core settings or some new plugins.

Anyway, it’s exactly what the last post in the series is about:

Secure Your WordPress Blog Without Touching Any Code

At first, WordPress may seem like quite a difficult tool to master (and if you think otherwise then try to recall the first time you had to do something with it). However, once you get through the initial tasks, submitting content and engaging with your audience is more than easy.

Tell me, have you taken care of securing your WordPress site yet?

WordPress for Online Business: Picking a Theme, Installing It, and Securing Your Site |

adblockJust like any other website owner (myself included) you probably hate ad block browser plugins…

Advertising has always been one of the most straightforward ways of monetizing a website, but these days it’s starting to get awfully difficult to display some ads and not have them blocked by one of those plugins.

And it’s not that I hate them entirely. To be honest, I use them when browsing the internet, so I don’t have to see all the popups and whatnots. However, when it comes to my own sites, it’s a completely different thing…

You may say that such a two-sided opinion is kind of hypocritical of me, but hey … I’m sure I’m not alone on this one.

So, just by accident I’ve come across a way to display ads and not get them blocked.

First things first. This won’t work with AdSense.

But it does work on most other networks and all individual ads (where the advertiser gives you a piece of embed code to include in your site).

The trick is simple: You have to host the ads yourself (on your own server).

Here’s how to do it.

Let’s start with the standard embed code you usually get from your advertiser. Here’s an example:

<a href=”” target=”_blank”><img border=”0″ src=”” width=”125″ height=”125″ alt=”"></a>

The example above is from wpwebhost and their hosting affiliate program. However, other embed codes are very similar to this. There’s always a link and an image.

Now, do the following:

  1. Take your affiliate link (the one after the “href=”) and put it through Pretty Link or other similar plugin. It will allow you to redirect the affiliate link through your own domain, making it seem like it’s an internal link.
  2. Follow the image link and download the image.
  3. Rename the image to something that seems like it’s not an ad.
  4. Upload the image to your site through the WordPress Media Library.
  5. Customize the embed code to include your new link and image.
  6. Place it on your site.

I’m 100% certain that ad block plugins won’t consider that an ad. And even if the user decides to add a custom filter they won’t be able to block it effectively anyway because they’d have to block every image file on your site.

Fin. Now your ads are ad block resistant.

Suck it, ad block plugins!

How to Keep Ad Block Plugins from Banning Your Ads [5 Minute Task] |

JetpackThe Jetpack plugin for WordPress has quite a few nice bits and pieces. There’s one issue: the developers at Automattic seem to think they’re alone in the world. In their last release, they enabled OpenGraph tags by default with no setting to disable it. Even when you already have WordPress SEO enabled and OpenGraph enabled in that. This is making people freak  out everywhere as double OpenGraph tags lead to problems with Google+ and with Facebook.

Disable OpenGraph in Jetpack

The best solution, honestly, is to install another plugin by Mark Jaquith, called Manual Control for Jetpack. This disables Jetpack automatic activation of new modules. Now you at least have to manually do something for stuff to break on your site when the Jetpack team decides to push new stuff.

This particular OpenGraph feature is in the Publicize module, so you’d think you could disable that, but that doesn’t seem to work. Instead, adding this line in your functions.php should fix this particular problem:

add_filter( 'jetpack_enable_opengraph', '__return_false', 99 );

I understand that disabling OpenGraph in WordPress SEO could work too. I would recommend against that though, especially if you use our Video SEO plugin as that relies on our ability to control OpenGraph tags.

Calling for Automattic to be more responsible

I also want to call on Automattic‘s Jetpack team. You guys should know better than to do stuff like this. You’ve literally cost me about half a days worth of support work now with this single release. It’d be cool if you, just like the rest of Automattic, would work with the community instead of against it.

I know you’re capable of it, because this line in the plugin:

if ( in_array( 'facebook/facebook.php', $active_plugins ) )
add_filter( 'jetpack_enable_opengraph', '__return_false', 99 );

This shows me that you did think about what would happen if Facebook’s plugin was active. That’s logical because people at Automattic worked on that plugin too. Now next time, please look at some of the repositories most popular plugins too and adjust accordingly. At the very least start a conversation with plugin authors about what’s coming up when you create stuff that clashes.

Update: might be good to note, when Facebook’s plugin is active and OpenGraph is enabled in my SEO plugin, my plugin filters the output of the Facebook plugin to prevent two sets of OpenGraph tags. Niall Kennedy of Facebook has actually also submitted a patch to my SEO plugin to improve how it does OpenGraph. That’s how this community should work.

Jetpack and WordPress SEO is a post by on Yoast - Tweaking Websites. A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!

WordPress SSL SetupAs we’re now running a plugin shop here on, selling our Video SEO plugin, Tag optimizer and soon more, we also have a checkout page. I wanted that checkout page to run on https, for obvious reasons: people fill out their email and, depending on their payment method, their credit card details there. That deserves more security. It turned out not to be as simple as I wanted it to be, but I fixed it. This posts documents my mistakes and issues with my WordPress SSL setup in the hope of preventing you from making them.

You might think: couldn’t I just always load that image over SSL? Yes you could, but that’d be slower, which is why I chose not to do it.

Getting an SSL certificate on your server

This is by far the geekiest bit of this entire process, and not something I want to explain completely. In fact, I didn’t even do this myself. Just like all other customers, you can get a free Comodo SSL certificate, all you have to do is file a support request for your VPS. It’s one of the reasons why I think delivers the best WordPress hosting out there. BTW, they’re running a special at, giving away Amazon gift cards for new VPSes, so if you’ve been thinking about switching, now’s a better time than any to switch to

I had already set up the free certificate a while back, as I wanted to run my WordPress admin over https, but I decided to go for a Extended Validation certificate today. This is a certificate that doesn’t just show an SSL icon in the browsers location bar but actually gives a green background for it and adds the company’s name, like so:

extended validation SSL certificate

Of course this isn’t needed for every site, but I think it’s worth testing if you sell products. It provides just that bit of extra trust that can be so needed for online transactions.

Next: forcing SSL on that one page

There are plugins that can do this for you, most notably WordPress HTTPS, but as I wanted a bit more control and understanding of what was happening, I decided to code it manually. The code consists of two bits, this bit forces the checkout page to be on https all the time and at the same time redirects all pages that do not need to be SSL to an http URL:

function yst_ssl_template_redirect() {
	if ( is_page( 123 ) && ! is_ssl() ) {
		if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
			wp_redirect(preg_replace('|^http://|', 'https://', $_SERVER['REQUEST_URI']), 301 );
		} else {
			wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
	} else if ( !is_page( 123 ) && is_ssl() && !is_admin() ) {
		if ( 0 === strpos($_SERVER['REQUEST_URI'], 'http') ) {
			wp_redirect(preg_replace('|^https://|', 'http://', $_SERVER['REQUEST_URI']), 301 );
		} else {
			wp_redirect('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
add_action( 'template_redirect', 'yst_ssl_template_redirect', 1 );

If you’re sure the URL will always be “clean”, as in, without parameters, this can be even simpler, but in this case I needed it to work with the URL parameters that Easy Digital Downloads uses. The number 123 is the ID of the checkout page, you should of course replace with your own page ID if you use this code.

Now we also want get_permalink to return the right URL, so let’s filter its output:

function yst_checkout_page_ssl( $permalink, $post, $leavename ) {
	if ( 123 == $post->ID )
		return preg_replace( '|^http://|', 'https://', $permalink );
	return $permalink;
add_filter( 'pre_post_link', 'yst_checkout_page_ssl', 10, 3 );

This way if something links to the checkout page, the redirect isn’t even needed as the link is already an https link.

MaxCDN, W3 Total Cache & SSL: a golden trio

My favourite WordPress CDN provider MaxCDN, works great with W3 Total Cache. It does so even with SSL, if you know how to set it up. It’s very bloody simple too once you know it: for each CNAME, you enter not just the CNAME, but you follow it by a comma, and then enter the SSL version. For me, this looks like this (click for larger version):

WordPress SSL Setup: W3TC MacCDN SSL settings

This settings makes W3 Total Cache use the first hostname for http requests, and the second one for https. With a rather image heavy site like this one that’s a golden thing.

Broken SSL: fixing links in theme files

broken SSLIf you load a page over SSL, all the other files that are loaded on that page should also be loaded over SSL for it to not be “broken”. This means that every single image, javascript file, stylesheet etc. needs to be loaded over SSL. WordPress will fix a lot of this for you, but you’ll probably encounter some issues, as did I, causing a broken SSL icon in the location bar, as shown above here.

In my case, within my theme’s stylesheet, I was loading a google web font file. That shouldn’t be an issue, of course, but I was loading that font file over http, instead of using what’s called a protocol relative link. Every time you’re embedding images, javascript or CSS files, you should be using a protocol relative link. Instead of linking to:,600

I’m now linking to:


As you can see, I left out the http:, this will make the browser use the current protocol to fetch that file. This means that when a user is on plain http, it’ll use that, which is faster, but if the user is on https, it’ll use the safe https link.

Bonus: WordPress SSL setup for the admin panel

Now that you’ve set all this up, you might as well use that SSL certificate for your admin too. That part is actually pretty easy. Just drop this in the wp-config.php:

define('FORCE_SSL_ADMIN', true);

That’ll force the entire admin over SSL, which is what you want in most cases. If that is too slow for you though, you could also decide to just force the login page over SSL:

define('FORCE_SSL_LOGIN', true);

This will force the login and registration pages to be SSL. I think you should go for the first option though, and run your entire admin over SSL.

Conclusion: WordPress SSL setup is easy, do it!

With all these tips, there’s really no reason anymore why you couldn’t run any page where a user submits private data on SSL. So, just do it!

WordPress SSL setup tips & tricks is a post by on Yoast - Tweaking Websites. A good WordPress blog needs good hosting, you don't want your blog to be slow, or, even worse, down, do you? Check out my thoughts on WordPress hosting!