WordPress 5.4.2 Security and Maintenance Release

WordPress 5.4.2 is now available!

This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates

WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

  • Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
  • Props to Luigi (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
  • Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

One maintenance update was also deployed to versions 5.1, 5.2 and 5.3. See the related developer note for more information.

For more info, browse the full list of changes on Trac or check out the Version 5.4.2 documentation page.

WordPress 5.4.2 is a short-cycle maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.2 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Thanks and props!

In addition to the security researchers mentioned above, thank you to everyone who helped make WordPress 5.4.2 happen:

Andrea Fercia, argentite, M Asif Rahman, Jb Audras, Ayesh Karunaratne, bdcstr, Delowar Hossain, Rob Migchels, donmhico, Ehtisham Siddiqui, Emilie LEBRUN, finomeno, garethgillman, Giorgio25b, Gabriel Maldonado, Hector F, Ian Belanger, Aaron Jorbin, Mathieu Viet, Javier Casares, Joe McGill, jonkolbert, Jono Alderson, Joy, Tammie Lister, Kjell Reigstad, KT, markusthiel, Mayank Majeji, Mel Choyce-Dwan, mislavjuric, Mukesh Panchal, Nikhil Bhansi, oakesjosh, Dominik Schilling, Arslan Ahmed, Peter Wilson, Carolina Nymark, Stephen Bernhardt, Sam Fullalove, Alain Schlesser, Sergey Biryukov, skarabeq, Daniel Richards, Toni Viemerö, suzylah, Timothy Jacobs, TeBenachi, Jake Spurlock and yuhin.

WordPress 5.4.1

WordPress 5.4.1 is now available!

This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.4.1 is a short-cycle security and maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.1 from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Seven security issues affect WordPress versions 5.4 and earlier. If you haven’t yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues:

  • Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated.
  • Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated.
  • Props to Evan Ricafort for discovering an XSS issue in the Customizer.
  • Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block.
  • Props to Nick Daugherty from WordPress VIP / WordPress Security Team who discovered an XSS issue in wp-object-cache.
  • Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
  • Props to Weston Ruter for fixing a stored XSS vulnerability in the WordPress Customizer.
  • Additionally, an authenticated XSS issue in the block editor was discovered by Nguyen The Duc in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted to be sure to give credit and thank them for all of their work in making WordPress more secure.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.4.1 HelpHub documentation page.

In addition to the security researchers mentioned above, thank you to everyone who helped make WordPress 5.4.1 happen:

Alex Concha, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Andy Peatling, arnaudbroes, Chris Van Patten, Daniel Richards, DhrRob, Dono12, dudo, Ehtisham Siddiqui, Ella van Durpe, Garrett Hyder, Ian Belanger, Ipstenu (Mika Epstein), Jake Spurlock, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, K. Adam White, Kelly Choyce-Dwan, MarkRH, mattyrob, Miguel Fonseca, Mohammad Jangda, Mukesh Panchal, Nick Daugherty, noahtallen, Paul Biron, Peter Westwood, Peter Wilson, pikamander2, r-a-y, Riad Benguella, Robert Anderson, Samuel Wood (Otto), Sergey Biryukov, Søren Brønsted, Stanimir Stoyanov, tellthemachines, Timothy Jacobs, Toro_Unit (Hiroshi Urabe), treecutter, and yohannp.

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security updates

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.0 and earlier that fix the security issues.

  • Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
  • Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
  • Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
  • Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

Maintenance updates

Here are a few of the highlights:

  • Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
  • Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
  • Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
  • Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
  • Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
  • External libraries: update sodium_compat.
  • Site health: allow the remind interval for the admin email verification to be filtered.
  • Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
  • Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

Thanks!

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

WordPress 5.2.4 Update

Late-breaking news on the 5.2.4 short-cycle security release that landed October 14. When we released the news post, I inadvertently missed giving props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where path traversal can lead to remote code execution.

Simon has done a great deal of work on the WordPress project, and failing to mention his contributions is a huge oversight on our end.

Thank you to all of the reporters for privately disclosing vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

WordPress 5.2.4 Security Release

WordPress 5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

Security Updates

  • Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
  • Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
  • Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
  • Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
  • Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
  • Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

For more info, browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.

WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3.

You can download WordPress 5.2.4 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.2.4:

Aaron D. Campbell, darthhexx, David Binovec, Jonathan Desrosiers, Ian Dunn, Jeff Paul, Nick Daugherty, Konstantin Obenland, Peter Wilson, Sergey Biryukov, Stanimir Stoyanov, Garth Mortensen, vortfu, Weston Ruter, Jake Spurlock, and Alex Concha.

How to use WordPress: Answering 12 common WordPress questions

WordPress is huge. According to the latest stats, WordPress powers almost 35% of the web — and growing quickly. With so many sites using the CMS and so many new sites bursting onto the scene, there are a lot of new users taking their first steps in the wonderful world of WordPress. These users come from all walks of life, and many of them are bound to ask the same questions about using WordPress. That’s one of the reasons why we launched a free WordPress for Beginners course. In addition, you can quickly get answers to common WordPress questions in this big guide.

1. How to start a WordPress site?

So you’ve decided to start your own blog. Hooray! Before you start blogging away, you’ll have to take some steps, like setting up your own WordPress site. But there’s more to starting your own blog! Here, we’ll give you some more pointers on how to hit the ground running.

Find a purpose and a niche, but don’t forget to have fun!

While years ago you’d follow blogs because of the person behind them, nowadays it’s all about answering people’s questions, a purpose for your blog and link building. Or that’s what it might look like. Don’t forget that blogging should be fun, as it is fun! There’s no such thing as too many blogs, as there’s no one like you. It’s cliche, but it’s the truth. 

Before you start your blog, you need to decide whether you just want to write for fun or to help others and get high rankings. In the first case, you can start a personal lifestyle blog with everything you love. In the second case, you might need to find yourself a niche as this will increase your chance of ranking tremendously.

When you know who you’re writing for and what to write about, you can start working on your first blog posts! Want to make sure this post will be awesome? Then read this step-by-step guide on how to craft the perfect blog post.

2. How to choose a host for your WordPress site?

What to look for in a WordPress host? There are hundreds, if not thousands, of WordPress hosts. How to pick one that’s perfect for you? Check out this curated list of WordPress hosts that we’ve gathered, and consider the following aspects when making a decision.

Speed and stability

Are you going for a small travel blog? Or are you planning to cater to the clothing needs of half a country? Based on what you’re planning to do with your website, you should pick a host that has reliable uptime and keeps running during busy hours. Make sure they can provide a seamless way for you to grow. Because as you gather more daily visitors, you will need to upgrade your hosting at some point.

Accessibility and services

It is good to know if your host provides a support crew that is willing and able to help you with both your financial and technical questions. The following services might also be useful:

  • Alternative ways to access your data in case your WordPress website breaks.
  • A user‑friendly control panel that suits your needs.
  • The service to register and/or maintain domain names.

Security

Even if you don’t know much about the internet and security, you want your website’s visitors to be safe. Go for a hosting provider that, at the very least, offers the following:

  • (Installation of) Paid or free SSL certificates.
  • Up‑to‑date server software.
  • Continuous malware/virus scans.

Optionally, check for:

  • The option for a 1-click staging environment: this makes building and maintaining a site much easier.
  • Data retention and regulation protocols: based on your country’s laws, make sure you know where the data is stored and how it is handled.
  • Backup services: if something breaks, you will want to be able to restore it quickly.

A decent firewall (sometimes provided as an additional service, like Cloudflare).

3. How to get to the WordPress dashboard

The WordPress dashboard is the first thing you see when you log into WordPress. From there, you see an overview of various dashboard widgets with relevant information. For instance, our Yoast SEO dashboard widget gives you a quick overview of the SEO health of your site. 

But if you’ve never logged into your WordPress dashboard before, finding it can be a little tricky. When you installed WordPress, you were guided into the WordPress dashboard automagically after the installation process. However, if you haven’t saved the URL of your WordPress dashboard, logging back in is not that easy. 

Luckily, there’s a solution that works for all WordPress sites. When you add /login/ or /admin/ to the URL of your site, you will be sent to the login screen. Upon logging in, you’ll be sent to your WordPress dashboard. So what does that look like? If your domain, for example, is everydayimtravelling.com, the login URL would become everydayimtravelling.com/admin/ and this will prompt you with the login screen. For future convenience, bookmark that page as soon as you’re logged in so you’ll have an even quicker way to log in.

4. How to install and activate a WordPress theme 

A theme governs the layout of your WordPress site. That includes, among other things, the appearance of your posts and pages, and the location of the menus and sidebars. Not surprisingly, finding the right theme is quite important for your website as it makes your site stand out from the masses. But, with so many choices out there, that may be harder than it seems. So, make sure to spend some time and effort and choose the best WordPress theme for your site.

Once you have chosen a theme, installing and activating it is easy. There are two ways to install a new theme in WordPress.

A. Installing a theme from the WordPress directory:

You can install a theme from the WordPress repository. In addition, it is also possible to buy premium themes from a variety of sellers. To install and activate a theme, follow these steps or check out the free WordPress for beginners course.

  1. Open the Themes overview screen
    In the admin menu in your WordPress Backend, click on Appearance, then Themes. The Themes overview screen will open. 
  2. Click the Add New button or the Add New Theme area
    At the top of the screen, you’ll find the Add New button. Alternatively, in the themes overview area, there is an Add New Theme square. Click on either one to open the screen with available themes.
  3. Preview the theme
    Before you install a theme, it is a good idea to see how it looks on your site. You can do this by hitting the Preview button. Note, this is not an exact match of your site, but it does give you a really good idea if the theme fits your goals.
  4. Install the theme
    Hover over the theme you want to use and click Install. The Install button will transform into an Activate button.
  5. Activate the theme
    Click the Activate button. The theme will be activated, and it will change the appearance of your website. 
  6. Go check what your site looks like on the front end!

B. Upload a theme

You can also add a theme that you’ve downloaded from outside the WordPress directory, for instance from one of the many online theme shops out there. The theme will have to be in a .zip format! To install and activate it, follow these steps or check out the free WordPress for beginners training.

  1. In the Themes overview screen, click Add New
    Once you have accessed the Themes overview screen through the admin menu, you’ll see the Add New button at the top of the screen as well as the Add New Theme square in the area below. Click either one to open the screen with available themes. 
  2. Click the Upload Theme button
    At the top of the screen with available themes is the Upload Theme button. Click the button. You’ll see the new option to upload a .zip file.
  3. Click the Choose file button
    Once you click the button, a dialogue box will appear that allows you to choose files from your computer. Find and select the .zip file that you previously downloaded.
  4. Install the theme
    Click the Install Now button. Your theme will be installed and added to your themes overview.
  5. Activate the theme
    In the themes overview screen, hover over the theme, and click Activate. The theme will activate, and it will change the appearance of your website.
  6. Go check what your site looks like on the front end

Curious for more? Check out this lesson on themes of the free WordPress for beginners course.

5. How to install a WordPress plugin

Plugins can change or improve the functionality of your site in various ways. As a WordPress user, you’ll surely need to install a plugin at some point. How do you do that? Easy. You can do it in two ways. Either install a plugin from the WordPress plugin directory or upload a plugin you have downloaded from a third-party. Please note that only free and approved plugins are featured in the WordPress plugin directory.

A. Install a plugin from the WordPress directory

Let’s start by installing a plugin from the WordPress directory. Just follow these simple steps:

  1. Access the WordPress plugin directory
    In the WordPress backend, go to the admin menu. Hover over the Plugins menu item, and select Add New from the fly-out menu. The WordPress plugin directory will appear.
  2. Find the plugin you want
    Use the filter tabs in the toolbar, or search for plugins by typing in a keyword, author, or tag in the search box.
  3. Check the quality of the plugin
    Each plugin is featured in a box with basic information. A good quality plugin will have good reviews, a high number of active installations, frequent updates, and it will be compatible with your version of WordPress.
  4. Install the plugin
    Click the Install Now button in the plugin box. Once the installation is complete, the Activate button will replace the Install button. In addition, the plugin will appear on the Installed Plugins screen.
  5. Activate the plugin
    Clicking Activate is crucial for the plugin to work. You can activate the plugin in the plugin box by clicking the Activate button when the installation is complete. Alternatively, you can click the Activate link in the Plugins overview screen.

B. Upload a plugin

The WordPress plugin directory has a lot of plugins, but it does not have all of them. You can also find some cool plugins on third-party sites, for example, Yoast SEO Premium. But no worries, you can still easily add these plugins to WordPress. To upload a plugin to WordPress, follow these steps:

  1. Download the plugin from the third-party site
    Note that you will need to download the plugin in a .zip format. Otherwise, the upload may fail. If the plugin is not available for download in that format, contact the plugin provider.
  2. Access the WordPress plugin directory
    In your backend, go to the admin menu. Hover over the Plugins menu item, and select Add New from the fly-out menu. The WordPress plugin directory will appear.
  3. Upload the plugin
    In the WordPress plugin directory, click the Upload Plugin button at the top of the screen. A new option will appear to add a file. Click the Choose file button, which will trigger a dialogue box to open. Find and select the file from your computer and click Open.
  4. Install the plugin
    Click the Install Now button, and the plugin will be installed.
  5. Activate the plugin
    Remember, you always need to activate a plugin after installing it. Go to your plugins overview, locate the plugin, and click the Activate link.

6. How to change the site title in WordPress

Setting your site title is an important step when creating your website. Your site title is the name that will show up at the top of the browser window, in bookmarks, and when people share your site on social media or via messaging apps.

To set your site title, select Appearance > Customize from your admin dashboard menu. 

This will open the Customizer, which offers a lot of options to customize your site — as you may have guessed from the name. The option we need is right at the top, under Site identity > Site title. 

Enter the name you have chosen for your website, and if possible, try to keep it short. You’ll want to have plenty of space left in the search results to also display the title of your post or page. You can learn about why titles are important here.

And, while you’re there, make sure that you change your site’s favicon, which is called a site icon in WordPress. Find out how to do this in our step-by-step guide on changing your favicon.

7. How to add a page to WordPress

Pages form the backbone of your site structure. Naturally, it is quite important to know how to add a page in WordPress. Luckily, it’s quite easy. Just follow our instructions, and you’ll be adding pages to your WordPress site in no time.

To add a page, do this or check out the free WordPress for beginners training:

  1. Access the Page editing screen
    To access the page editing screen, hover over the Pages menu item in the Admin menu and choose the Add New tab from the flyout menu.
  2. Add a title
    In the editing screen, you will see a block with the text Add title. Add the title of your page there. Press Enter to create a new block.
  3. Add content
    Add the content of your page by choosing the appropriate block. If you want to add text, choose the Paragraph block. To add a subheading, choose the Heading block. Choose an appropriate new block for each new type of content you want to add. For example, add an Image block for an image, or a Video block to add a video to your page.
  4. Preview the page
    When you’re done adding content to the page in the editor, we’d advise previewing what the page will look like on your site. To do that, click the Preview button in the top right corner of the screen.
  5. Publish the page
    When you’re satisfied with the preview, all you need to do is click on the Publish button. Your page will be published.

Curious for more? Check out this lesson on creating pages in WordPress of the free WordPress for beginners course.

8. How to delete a page in WordPress

You might think deleting a page from your site is as easy as just hitting that delete button. But with deleting a page, you’ll also delete one or more URLs. This usually results in a ‘404 not found’ error, which isn’t great for visitors or for Google.

So, think before you delete a page. You have two valid options after deleting a page: redirecting it to another page or showing search engine spiders a 410 header, which indicates the page is deleted intentionally. Redirecting a deleted page is the best choice when you have other content on your site that is similar to the deleted content. The goal still is to provide the user with the information he or she was looking for. If there’s no other page that answers the user’s question, you need to decide if you want to improve the existing page or show a 410 header instead. You can set such a header in code, but it’s much easier to do with one of the many redirect plugins for WordPress.

Redirect a page

There are different kinds of redirects, but a 301 redirect is what you should use when you redirect the deleted page to another one. This redirect, called a permanent redirect, makes sure the link value of the old page will be assigned to the new URL. You can redirect posts or pages easily with the Yoast SEO redirect manager, as it will ask you what to do with a URL when you delete a page. Just enter the replacing URL and you’re done!

Show a 410 Content deleted header

Is there no other page on your site that will give the reader the information he or she is looking for? Then it’s better to delete or improve that page. In case of deleting, you’ll need to send a ‘410 content deleted’ header. By using this HTTP status code, you’ll let Google know that you removed the URL on purpose and that Google can remove the URL from its index faster. In the Yoast SEO redirect manager, you can also choose the option to show a ‘410 content deleted’ page after you’ve deleted a page.

9. How to change the font size in WordPress

What if the WordPress theme you’ve chosen is perfect — except for one little thing? The font size is just a little bit off. Do you need to find yourself a completely new theme because of this? Of course not! Changing the font size in your WordPress theme is relatively easy, but it does involve a little bit of CSS coding. We’ll help you! These are the steps you need to take to change the font size in WordPress:

  1. First, you’ll have to identify what the current font size is. You can do this by opening the Inspector of your browser. When you right-click on the text you’d like to see in a different font size, you’ll be greeted with a menu that will have a direct link to your browser inspector tool. They look different from browser to browser, but they all work in a similar fashion. In Chrome, the menu item is called Inspect and in Firefox Inspect Element. Go ahead and click on that.
  2. Next up is finding the relevant CSS code that dictates the current font size. You’ll be looking for a section inside the Inspector you’ve just activated on the right-hand side of the screen called Styles. 
  3. Below that, you’ll see lines of code that match the element you’ve clicked on. You’ll see a line that has something like font-size: 14px or font-size: 1rem. 
  4. You can manually change the value of that line of code to, for instance, font-size: 16px. You’ll immediately see that change reflected in the open screen of your website. This is how you can check which value works best for you. 
  5. Once you’ve made up your mind on what you’d like to change it to, it’s time to write that down. You’ll also have to save the CSS element in which you changed the value. Most of the time this will be either a p, or an h2 if you’ve selected a title.
  6. You’ll need the entire CSS code snippet for our next step, but it will look something like this: p {font-size: 16px;}
  7. The next step is to navigate to your WordPress dashboard and find the Customize menu option inside the Appearance menu. 
  8. Click that and you’ll see a preview of your site on the right-hand side of your screen and a menu on the left-hand side. Inside this menu, you’ll find the Additional CSS menu. 
  9. Click on that menu option and you’ll see an input field. Here, you can paste the CSS snippet you saved earlier. As soon as you’ve pasted it, you’ll see the effects reflected on the right-hand side of your screen. 
  10. If it has the desired effect, go ahead and save your settings by clicking the Publish button inside the Customizer section. Afterwards, you click on the plus ( + ) sign in the top left-hand side of the Customizer to close the customizer screen. That’s it — you’ve now successfully changed the font size of your WordPress site.

Many themes have a so-called footer. The footer at the bottom of your pages is a good location to add some links to the less prominent content on your site, such as your address and contact information, terms of service and privacy policy. Not every theme has one, and the ones that do, often have different ways of activating and filling the footer. The Genesis theme, for instance, uses the Customizer settings to get this done, while other themes have a different setting for it. So, you best look around in the settings to find it. Here’s one of the most used ways of adding a footer to your theme.

  • Go to Appearance > Widgets from your admin dashboard.
  • On the left of this page are widgets that you can add to various places in your site’s theme. Those locations are listed on the right.
  • Find the widget that you want to add, and drag it to the location called “Footer”.
  • That’s it!

11. How to embed YouTube videos in WordPress

To really engage your audience, making your content visually appealing is key. One of the easiest ways to do this is by adding some images, or even a video. Embedding video hasn’t always been easy, but thanks to the block editor in WordPress 5.0, it is now! When you are editing a post or a page on your site, here’s how to do it:

  • Go to YouTube and find the video you want to add to your content.
  • Click the Share icon and copy the URL it displays.
  • Open the post or page on your site you want to add the video to.
  • Press the + icon where you want the video to appear to add a new block.
  • Paste the URL of the YouTube video, and it should automatically convert to an embedded video!
  • If you want, you can change the styling of the video to make it stand out.

12. How to do SEO on WordPress

Search Engine Optimization (SEO) is the practice of optimizing your site and content to reach a high position in the search results of Google or other search engines. WordPress itself is already pretty SEO-friendly, but it still pays off to do WordPress SEO. Let’s look at a few important SEO aspects.

Technical SEO

An important first step to take when optimizing your WordPress site, is to make sure everything ‘under the hood’ of your website is in good shape. Technical SEO encompasses many things, such as:

Content SEO

Besides working on your site’s technical side, you should also optimize your content. There are three pillars of content SEO:

Holistic SEO

At Yoast, we believe in holistic SEO: ranking by being the best result. That’s why, in our opinion, flawless user experience (UX) should be part of your SEO strategy. We also believe that websites should be usable for everyone, which is why accessibility matters.

There are also outside factors that affect your (WordPress) SEO, such as link building, social media, and local SEO. We call this off-page SEO. While it can take some effort, working on this aspect of SEO for your WordPress site is also part of a holistic SEO strategy. 

Yoast SEO

As you can see, there are several sides of SEO, and it’s a lot of work to keep everything on track. Luckily, the Yoast plugin will help you work on many aspects, from site structure to content optimization to technical settings. That’s why every website needs Yoast SEO!

The post How to use WordPress: Answering 12 common WordPress questions appeared first on Yoast.

WordPress 5.2.3 Security and Maintenance Release

WordPress 5.2.3 is now available!

This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.2, there are also updated versions of 5.0 and earlier that fix the bugs for you.

Security Updates

  • Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
  • Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect. 
  • Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
  • Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
  • Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
  • Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
  • In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions. 

For more info, browse the full list of changes on Trac or check out the Version 5.2.3 documentation page.

WordPress 5.2.3 is a short-cycle maintenance release. The next major release will be version 5.3.

You can download WordPress 5.2.3 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Thanks and props!

This release brings together contributions from more than 62 other people. Thank you to everyone who made this release possible!

Adam Silverstein, Alex Concha, Alex Goller, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Ashish Shukla, Aslam Shekh, backermann1978, Catalin Dogaru, Chetan Prajapati, Chris Aprea, Christoph Herr, [email protected], Daniel Llewellyn, donmhico, Ella van Durpe, epiqueras, Fencer04, flaviozavan, Garrett Hyder, Gary Pendergast, gqevu6bsiz, Hardik Thakkar, Ian Belanger, Ian Dunn, Jake Spurlock, Jb Audras, Jeffrey Paul, jikamens, John Blackbourn, Jonathan Desrosiers, Jorge Costa, karlgroves, Kjell Reigstad, laurelfulford, Maje Media LLC, Martin Spatovaliyski, Mary Baum, Monika Rao, Mukesh Panchal, nayana123, Ned Zimmerman, Nick Daugherty, Nilambar Sharma, nmenescardi, Paul Vincent Beigang, Pedro Mendonça, Peter Wilson, Sergey Biryukov, Sergey Predvoditelev, Sharaz Shahid, Stanimir Stoyanov, Stefano Minoia, Tammie Lister, tellthemachines, tmatsuur, Vaishali Panchal, vortfu, Will West, and yarnboy.

WordPress SEO: the definitive guide

A tutorial to higher rankings for WordPress sites

This is the original WordPress SEO article since 2008, fully updated for 2020!

WordPress is one of the best content management systems when it comes to SEO. But even though it gets a lot right “out of the box”, there’s much more that you can do to improve your performance.

New to WordPress? Our FREE WordPress for beginners training is here to help. Find out how to set up your own site, learn the ins and outs of creating and maintaining it, and more. This training is part of our free training subscription, take a look at all our online SEO training subscriptions!

Optimizing your site using the tactics and best practices outlined in this article will help you improve your rankings, gain more subscribers or sales, and have a better website in general.

Because you should ingrain proper SEO in all aspects of your online marketing and PR, this guide covers quite a lot of ground! It’s a long read, so feel free to use the table of contents below to jump around.

Before we start…

This article assumes that you’re using our Yoast SEO plugin, which adds significantly more features and SEO tools to WordPress. If you’re not already using it, you can set it up right away with our beginner’s guide to Yoast SEO.

If you’re using another SEO plugin, most of the principles will still apply. Of course, we’d prefer you to switch over and make use of our potent WordPress SEO plugin, which is why we’ve written a migration guide for you. It’s a straightforward process!

Table of Contents

1. Get your basic WordPress SEO right

Out of the box, WordPress is a pretty well-optimized content management system. A basic setup can provide a strong foundation — even without extensive customization, theme optimization, and plugins. That said, there are a few things you should do to increase your chances of ranking, refine your workflow, and make sure your website is perfectly optimized.

By putting the right basic settings in place, and applying a few simple techniques, you can ensure that you have a strong foundation to build upon!

1.1. Check your health

Before you make any changes to your site, it is a good idea to see where you are now. There’s a lot to gain from getting it right: running your website on a server with updated software at a web host that offers excellent performance. So ask yourself: on what hardware and software are your sites running? What is your hosting plan? Are you using a budget shared hosting provider, or have you invested in a dedicated hosting plan at a well-known web host that fine-tuned its servers for use with WordPress?

To find out what’s going on behind the scenes of your site, you can visit the Site Health section in WordPress. Also, you could choose to install the Health Check plugin. This plugin gives you loads of technical insights and helps you get information that outside parties can use to help you improve your site. Eventually, all features of the Health Check plugin will move to WordPress core.

Site Health gives you an overview of how your site is doing

1.1.1. Check you’re using suitable hosting

According to WordPress’s technical requirements page, the recommended hosting plan to run WordPress should include a modern version of PHP, MySQL or MariaDB, and HTTPS support. It is possible to work with older server software, but that is not recommended. If you check your Site Health, you can see the technical details of your installation. In addition, if you open the dashboard of your hosting provider, you should be able to see what type of plan you are on.

Remember, paying for good WordPress hosting pays dividends.

1.1.2. Upgrade to PHP 7.0 or higher

Many WordPress sites still run on outdated versions of PHP. One look at the WordPress stats reveals that around 25% of the sites still run on a PHP version in the 5 series, while PHP 7.0 and up have been available for years.

Backward compatibility is cool and all, but it’s holding back WordPress as a technology and site owners from getting the most out of their sites. These old versions of PHP don’t receive any more security fixes and are thus increasingly vulnerable to attacks.

Luckily, the WordPress team has dropped support for anything older than PHP 5.6. Today, the project recommends running WordPress on at least PHP 7.3.

So, one of the most important things you can do to improve the performance and security of your site is upgrading your hosting environment to a modern version of PHP. There are a lot of benefits to this:

  • PHP 7 offers an incredible speed boost.
  • It runs a lot more efficiently, meaning less stress on your server.
  • It brings loads of modern development features.
  • It’s a much safer and more secure environment.
  • It’s future proof.

Now, this is something we all want, right? If you’ve checked your current hosting set-up in the previous section, you have an idea of what your site runs on now. If this shows outdated server software like PHP 5.5, it is a good idea to update this, if possible.

However, take special care before doing so. Ask for help if you’re not sure what you are doing.

Here are some steps to take:

  • (Always!) Back up your website.
  • Make a local staging environment based on a modern version of PHP.
  • Install the backup of your site on that server.
  • Test thoroughly to see if everything works properly.
  • Upgrade your live site — most of the time, your hosting provider can do this for you.

We have a post that shows you how to set up a test environment for your WordPress site. WordPress.org has a post on the advantages of updating your PHP version and what to take into consideration when doing that.

1.1.3. Make sure you’re using SSL and HTTPS

Historically, adopting SSL (getting an HTTPS URL, and a green padlock icon in the browser URL bar) was an optional tactic. Many sites, arguably, didn’t need the extra level of security that SSL provides.

Now, however, having a valid SSL certificate installed is mandatory — search engines may ‘penalize’ sites without valid SSL certificates and setups (and/or show warnings next to their search results). It’s also generally good practice for all websites to use SSL to prevent hackers and third parties from intercepting requests and data.

Additionally, many modern site speed and performance techniques require a valid SSL/HTTPS setup. To take advantage of new, faster web technologies like HTTP/2, browsers like Google Chrome and Firefox require the website to have a valid SSL certificate.

If you want to move to SSL and ensure that your site is served correctly over HTTPS, we have a handy guide with tips & tricks for moving to HTTPS.
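The health checks from sections 1.1.2 and 1.1.3 can be run across several sites at once. The sketch below is an added example, not code from Yoast or WordPress: it applies the PHP thresholds named above (5.6 and 7.3) and the HTTPS requirement to a constructed inventory, and the finding codes, function names and sample sites are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Thresholds taken from the article: WordPress dropped support for anything
# older than PHP 5.6 and recommends running on at least PHP 7.3.
WP_MINIMUM_PHP = (5, 6)
WP_RECOMMENDED_PHP = (7, 3)


def parse_php_version(raw):
    """Return (major, minor) from strings like '7.2.24-0ubuntu0.18.04.6'."""
    match = re.match(r"\s*(\d+)\.(\d+)", raw or "")
    if match is None:
        raise ValueError(f"unrecognised PHP version: {raw!r}")
    return int(match.group(1)), int(match.group(2))


def audit_site(site_url, php_version):
    """Return a list of finding codes for one site; empty means no findings."""
    findings = []
    try:
        version = parse_php_version(php_version)
    except ValueError:
        # A site that cannot report its PHP version needs a manual look.
        findings.append("php-version-unknown")
    else:
        if version < WP_MINIMUM_PHP:
            findings.append("php-below-wordpress-minimum")
        elif version[0] == 5:
            # The article notes the old 5 series gets no more security fixes.
            findings.append("php-5-series-no-security-fixes")
        elif version < WP_RECOMMENDED_PHP:
            findings.append("php-below-recommended")
    # The configured site URL should use the https scheme.
    if urlsplit(site_url.strip()).scheme.lower() != "https":
        findings.append("site-url-not-https")
    return findings


# Constructed inventory (hypothetical sites and values), e.g. copied by hand
# from each site's Site Health screen.
SAMPLE_INVENTORY = [
    {"site_url": "https://blog.example", "php": "7.4.3"},
    {"site_url": "http://shop.example", "php": "5.5.38"},
    {"site_url": "https://news.example", "php": "5.6.40"},
    {"site_url": "https://docs.example", "php": "7.2.24-0ubuntu0.18.04.6"},
    {"site_url": "intranet.example", "php": ""},
]


def audit_inventory(inventory):
    """Map each site with at least one finding to its list of findings."""
    report = {}
    for entry in inventory:
        findings = audit_site(entry["site_url"], entry["php"])
        if findings:
            report[entry["site_url"]] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{site}: {', '.join(findings)}")
```
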

1.2. Check your site settings

It’s worth spending some time clicking through all of the sections in the WordPress Settings menu, as many of the options there can impact the SEO of your WordPress site.

In particular, it’s worth double-checking your visibility settings in Settings → Reading, to make sure that you’re not accidentally preventing search engines from indexing your website. That’d definitely hurt your visibility!

You should also make sure that your Writing and Reading settings are all set correctly; these control your default categories, and what should be displayed on your homepage. Don’t forget to give your site a strong tagline in Settings → General, too!

Your permalink settings define what format your page and post URLs will take, which can have a big impact on SEO. So if you’re creating a new site, one of the first things you should do is change your permalink settings, which you can find in Settings → Permalinks.

If you don’t change your settings from the default, all of your pages and posts will have URLs which look like example.com/?p=123. Whilst this is perfectly okay, it’s not particularly nice, and it might impact how users and search engines perceive the quality and relevance of your pages.

Changing the permalink structure alters the components, ordering, and structure of your website’s URLs. It’s important to select the right structure when initially setting up your website, as changing it later can cause SEO issues.

We usually recommend that people use a structure which creates URLs which look like example.com/post-name/, or example.com/category/post-name/, depending on how much importance they anticipate placing on the categorization of their content. For most WordPress sites, choosing either of these options will be perfectly suitable.

For the first option, you can just change the permalink setting to /%postname%/, like so:

Changing the permalink settings to ‘Post name’, in Settings → Permalinks

To include the category, you can select “Custom Structure” and change the value to /%category%/%postname%/.

If you previously had ?p=<postid> as your permalink, WordPress will take care of all the redirects for you. This is also true if you change from /%postname%/ to /%category%/%postname%/.

If you have an established site and change from any other permalink structure, you might want to consult our article on changing your WordPress permalink structure and the tool that you’ll find within it.

1.3.1. Choose WWW or non-WWW

You need to decide whether you want your site to show up as www.example.com, or simply example.com. Make sure that in your general settings, in Settings → General, the version you want to show up is properly reflected:

Setting the site URL to include or omit ‘www’

From an SEO perspective, there’s little difference either way. Additionally, most hosting and server setups will automatically redirect requests for the ‘wrong’ version, to the version you’ve selected. That makes this primarily a branding consideration — which approach feels best for your site?

From a technical perspective, there’s not a huge amount of difference, either. Some setups might have some minor headaches if they omit the ‘www’ component, but these are increasingly rare.

2. Optimize your content

Your site should provide the best content on your chosen subject — period. People are looking for engaging, authoritative articles and trustworthy answers to their questions. Writing high-quality content for your WordPress site begins with your unique ideas or distinctive take on a particular topic. But it also means presenting these ideas in a well-structured and accessible manner. Together, this will help you attract the audience you’re looking for and keep them engaged.

2.1. Research what your users want and need

Before writing your content, you should think about what search terms you want to be found for. You should optimize every page or post for a specific keyphrase.

But how can you determine what keyphrase you want to be found for? To find out, you need to do keyword research. In this process, you should ask yourself questions such as: what terms do I want to rank for? How realistic is it that I can rank for these terms?

Imagine you have a baking blog and you’re passionate about sharing your favorite recipes and baking techniques. Optimizing a post for a term such as [best cake recipe] isn’t such a realistic goal, because it’s a very general term. There’s a lot of competition for such general terms. Instead, you should think about finding your own niche. This niche could be [healthy, low-sugar cake recipes] or [French patisserie you can make at home].

Within a niche, you can become an expert. Your expertise enables you to create content that goes beyond that of your competitors. You can go deeper than others, or shed light on different angles of the same topic. For this, you’ll want to focus on long-tail keyphrases. A long-tail keyphrase might be [how to make a low-calorie vegan blueberry cheesecake]. A keyphrase like this is more specific, and therefore easier to rank for. Also, it’ll be more suitable for your specific niche topic.

It’s also essential to think about what your audience wants to achieve by searching for a specific term. This is called search intent. For example, they could be looking for the answer to a particular question, and you can provide the necessary information. Or they might want to buy a specific product that you can offer them. Think about the needs of your visitors and address them by creating content accordingly.

Need a hand doing keyword research properly? Our Keyword research training can help. This course is part of our Yoast SEO academy training subscription.

2.2. Write great content for your users

After you’ve done your keyword research and you know the topics you want to write about, you need to get to the actual writing. Most of the time that’s easier said than done. To get from an idea to a great piece of content, most likely you’ll have to follow a cycle of drafting, writing, editing, and rewriting.

Your first draft can just be an outline of your structure. You don’t have to write out everything in perfect prose at this point, but make sure that you follow a logical structure. For most pieces, that will include an introduction, your main points of argument, and a conclusion. Of course, this will vary per genre – a recipe will have a completely different structure.

You can flesh out the points further in the writing phase, where you try to come up with a first complete version of your text. Finally, in the editing phase, you should check whether your piece is engaging and easy to read. You might be an expert on your topic, but your audience probably isn’t (yet). So try to make your writing as accessible as possible. When in doubt, it’s always best to ask a friend or colleague for some feedback. Another helpful trick is to read your text out loud to yourself. You can even let your computer speak it. It will give you a better idea of whether everything flows nicely.

2.3. Optimize your individual posts & pages

When writing or editing your post, there are a number of elements you need to pay special attention to in order to make it SEO-friendly. These elements include your subheadings, your title, and your meta description. All of these need to reflect the topic of the specific post.

Don’t forget, SEO-friendly doesn’t just mean that it’s easy for a search engine to grasp the topic of a page. More importantly, it means that your visitors can get the gist of your page at a single glance.

Your meta description and your title might be a deciding factor for whether visitors click on your page in the search results in the first place. And once they’ve visited your site, elements like subheadings can be critical for visitors to decide whether they want to stay on your site.

2.3.1. Set your focus keyphrase(s)

One important rule is not to use a focus keyphrase on more than one page. Otherwise, you might end up cannibalizing yourself. Most of the time, you don’t want to rank for multiple pages on the same keyphrase, because it means that you’re setting yourself up as your own competition.

It’s also important to include the focus keyphrase in crucial elements of your post, such as the title, the introduction, your subheadings, and your meta description.

All of these elements are signals for what your post is about. Since your focus keyphrase is, in fact, the main topic of your page, it’s a logical consequence that you should make sure this topic is reflected in all of these elements.

The same logic holds for your text overall: you need to make sure that you don’t stray off-topic; if you stay on-topic, it should follow naturally that you use your keyphrase multiple times throughout your text. But avoid stuffing your writing with your keyphrase just for the sake of it. If you find it hard to include your keyphrase in your text a sufficient number of times, it might be a sign that you should take a different approach to the topic.

To avoid repetition, you can use synonyms. Synonyms are words that mean the same or more or less the same as your keyphrase. An example of this is the words film and movie. Search engines will recognize that they have the same meaning, which you can also check by having a look at the search results: if you search for movie, film will also be highlighted in the results, and vice versa.

You can also make use of related keyphrases to optimize a single page for similar, related terms. You can use these to give context to your keyphrase. For example, if your keyphrase is [pumpkin soup] your related keyphrase might be [winter weeknight dinners]. This second, broader term gives additional information about your topic. It can also create coherence by establishing a link to similar pages on your post.

The Yoast SEO Premium analysis makes it easier to optimize your post thanks to word forms, synonyms, and related keyphrases.

2.3.2. Optimize your permalink

In most cases, your post’s URL should probably contain your focus keyphrase, so that it’s obvious what your page is about from the link. That said, you should always try and keep your permalinks short, descriptive, and clean — don’t put unnecessary words in for the sake of it!

Before you publish new posts or pages, you may also wish to consider removing ‘function words‘ from your permalink. These are words like “a”, “and”, and “the”. When done carefully, this may make your permalinks more readable, and easier to use or link to. Posts with especially long titles may benefit from this approach.

For posts that you’ve already published, we’d recommend being careful when changing permalinks. If people have already linked to your pages, changing the URLs may make a mess. Even though WordPress will sometimes redirect users to the new location (the redirect manager in Yoast SEO Premium handles this automatically, and more reliably), changing URLs can impact performance.

2.3.3. Optimize your page title

Each page’s title — the contents of the HTML <title> tag — can be one of the most important factors for ranking well in search results. Not only is it the literal title of the tab or browser window, but it’s also the first line people see in the search results. It describes what your page is, or is about, and acts as an advert which encourages users to click.

On many websites, the default structure for posts and pages isn’t necessarily the most optimal approach for SEO. A title like “My blog » Cooking » Carbonara recipe” isn’t as compelling or effective as “My 20-minute delicious carbonara recipe | My Blog”.

You must think about the structure of your titles, as well as the content of the title on each page. Typically, it’s worth considering that:

  • Search engines may put more weight on the early words — so trying to get your keywords near the start of the title might make you more likely to rank well.
  • People scanning result pages see the early words first. If your keywords are at the start of your listing, your page is more likely to get clicked on.

The Google Preview in Yoast SEO gives you an idea of how your post will look in search engines. Use it to make your content stand out!

For more info on how to create enticing titles for your posts, read our article on crafting good titles for SEO.

Did you know? You can use Yoast SEO to structure your titles!

You can control the default structure of your page titles and descriptions in your Yoast SEO plugin. There are two parts of the plugin that control these. First of all, as soon as you install and activate the plugin, you get an ‘SEO’ section in your WordPress admin.

Navigate to SEO → Search Appearance and you’ll see a bunch of tabs for different types of pages on your site.

For each post type and taxonomy, you can set a so-called Title Template — as well as meta description templates. For posts on our site this looks like this:

Here are yoast.com’s settings for the individual Post URLs

This allows you to use components and variables to control how your page titles should behave by default. Of course, these can be overridden on a page-by-page basis.

For example, in the image above, you can see how we’re automatically grabbing elements like the title of the page, to stop us from having to manually write titles from scratch for every page.

There are all sorts of variables you can use in the titles and meta description, and they’re all listed and explained in the help tab on the page.

For advanced users, there are some additional cool features. For instance, you can use cf_<custom field name> to drop in any custom field — either from a post meta value or a user meta value.

NOTE: When you use these templates, be sure to check that your title tags behave as expected when viewed on the site. If they don’t, you may have a problem with the way your theme is built, and you might need to check the “Force rewrite” checkbox in our options. You can also follow these instructions to modify your templates.

2.3.4. Use headings correctly

Headings are great for structuring your content and helping readers process information in bite-sized chunks. They can also help describe a page’s layout and focus to search engines.

WordPress transforms the headings you put in your content into their respective HTML tags (<h1>, <h2>, <h3> and so on). That makes it important to think about which type of headings you use, and in which order. Getting that wrong can make your content harder to understand.

Although most themes for WordPress get the basics right, it’s worth making sure that your template sets your post title as an <h1> tag, and that you’re not using <h1> tags anywhere else on your page or in your post content.

Your post content should then ‘flow’ naturally; for example, large, significant headings should use <h2> tags, subsections should use <h3> tags, and then subsequent new sections should use <h2>.

To learn more about why proper headings are important, please read this article on headings and SEO. In addition, you can read our article about the heading structure for your blog — from which a lot applies to non-blog WordPress sites too. For an explanation on how to use them read the post on how to use headers on your site.
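The heading rules in this section can be checked against a rendered page. The following is an added example, not part of the original article or the Yoast plugin: it collects the headings from an HTML string and reports a missing or repeated <h1>, plus any heading that jumps more than one level down. The skipped-level check, the problem codes and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser


class HeadingCollector(HTMLParser):
    """Collect (level, text) for every <h1>..<h6> in document order."""

    def __init__(self):
        super().__init__()
        self.headings = []
        self._level = None   # level of the heading currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if len(tag) == 2 and tag[0] == "h" and tag[1] in "123456":
            self._level = int(tag[1])
            self._text = []

    def handle_data(self, data):
        # Text inside inline tags such as <em> still belongs to the heading.
        if self._level is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if self._level is not None and tag == f"h{self._level}":
            self.headings.append((self._level, "".join(self._text).strip()))
            self._level = None


def check_headings(html):
    """Return a list of (problem_code, heading_text) tuples for one page."""
    collector = HeadingCollector()
    collector.feed(html)
    collector.close()
    headings = collector.headings

    problems = []
    h1_texts = [text for level, text in headings if level == 1]
    if not h1_texts:
        problems.append(("missing-h1", ""))
    for text in h1_texts[1:]:
        # The post title should be the only <h1> on the page.
        problems.append(("extra-h1", text))

    previous = None
    for level, text in headings:
        # Assumed rule: going deeper should happen one level at a time.
        if previous is not None and level > previous + 1:
            problems.append(("skipped-level", text))
        previous = level
    return problems


# Constructed sample pages.
GOOD_PAGE = """
<article>
  <h1>My 20-minute delicious carbonara recipe</h1>
  <p>Intro.</p>
  <h2>Ingredients</h2>
  <h3>For the sauce</h3>
  <h2>Method</h2>
</article>
"""

BAD_PAGE = """
<article>
  <h1>Carbonara recipe</h1>
  <h2>Ingredients</h2>
  <h4>For the <em>sauce</em></h4>
  <h1>Method</h1>
</article>
"""

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        print(name, check_headings(page))
```
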

2.3.5. Optimize your meta description

We don’t recommend automated descriptions

Some themes and plugins try to produce descriptions automatically, by taking the first sentence or so of a post. This is a clever shortcut, but it rarely produces good descriptions. The first sentence of a post is often introductory information, which doesn’t provide a great summary or an enticing advert!

The only well-written description is a handwritten one, and if you’re thinking of auto-generating the meta description, you might as well not do anything, and let the search engine pick and control the snippet.

NOTE: Search engines may choose to ignore your meta description if they think that it’s unsuitable for the page, or they might choose to show a custom description from the page content if they think it’s a better fit. There’s no way of forcing them to use your specific snippet.

A meta description is primarily used by search engines to show a description of your page in the search engine results, usually below your page title.

Tailoring and writing a descriptive meta description can encourage users to click your results in the search engine, even if you’re not necessarily ranking in the top position. It’s an advert, and your opportunity to impress.

Writing compelling, informative descriptions of your page content for every page on your site is best practice and gives you the opportunity to attract more visits.

Whilst it might feel like a lot of work to craft descriptions for every single page and post, it’s worth the effort.

If you don’t provide a meta description, the search engine will generally try to find the keyword which was searched for in your page, and automatically pick a string around that — and highlight the searched phrase in bold in the results page.

Automatically generated snippets (whether by plugins, or search engines) are rarely as descriptive or as compelling as hand-written ones. So, we recommend that you use the meta description field you find in the Yoast SEO plugin to write a meta description. Make sure it entices the reader to click through and make sure that it contains the focus keyword of your post or page at least once.

2.3.6. Optimize your images and media

An often overlooked part of WordPress SEO is how you handle your images, videos, and media content. To make sure that search engines can understand your images, you need to think about how you name and format your files. Writing descriptive accessible text descriptions helps, too, and can improve your performance significantly. As an added benefit, you’re also helping out readers who rely on assistive technologies like screen readers.

Proper alt attributes for images and transcripts for videos are also things that we check in the content analysis functionality of our Yoast SEO plugin. We have a longer article on image SEO and one on writing alt tags, which can give you more tips to fine-tune your image optimization!

2.4. Maintain your content quality

2.4.1. Keep your content fresh and up to date

As Google strives to show its users the best and most up-to-date information, you should keep track of your content and revise it regularly. Even more so because you don’t want to show the visitors of your website outdated, redundant or incorrect information.

If you publish regularly and have hundreds, or even thousands, of blog posts, this is easier said than done. That’s why we’d advise focusing on two specific areas when it comes to content maintenance: updating cornerstone content and preventing keyword cannibalization.

2.4.2. Update your cornerstone content

Some pages on your site are more important than others. The most valuable content of your site is called cornerstone content. We’ve written extensively about cornerstone articles and how they can improve your rankings.

In short, these posts or pages:

  • contain essential information for your audience;
  • are complete, up-to-date and well-written;
  • show authority;
  • get the most links from related posts within your own site;
  • rank higher than your other articles on the same topic;
  • get most organic traffic to your site.

When you’re in doubt where to start with updating your site’s content, always give priority to your cornerstone content. Your business relies on them, and they should never go stale!

2.4.3. No outdated cornerstones with Yoast SEO

Yoast SEO makes it a little easier to keep your cornerstones up to date at all times. If you use Yoast SEO on your site, you can mark a post as a cornerstone article. In doing so, these articles will undergo a more rigorous SEO analysis. In addition, they’ll appear in a separate list in your post overview, which makes it easy to browse through them and check if they’re still up to scratch.

If you’re on Yoast SEO Premium, keeping track of them is even easier. The Stale cornerstone content filter only shows your cornerstone articles that haven’t been updated in the last 6 months. You’ll find this filter in your post overview. If it doesn’t show any posts you’re good, and if there are one or more posts in it, make sure you check and update them!

Yoast SEO Premium keeps track of your cornerstone content and warns when they go stale

2.4.4. Keyword cannibalization

Keyword cannibalization means you’re eating away your own rankings by creating too many articles for the same or similar keywords. If you have a dozen articles on the same topic, search engines don’t know which one of those they should rank highest. As a result, you’ll be competing with your own articles for a high position in the search engines.

If you publish frequently, as we do at Yoast, you’re bound to run into keyword cannibalization issues someday. That’s why we’ve created a framework on how to deal with keyword cannibalism. In short, you’ll have to:

  • Find out for which keywords it’s happening;
  • Analyze which content performs best for those keywords;
  • Keep the best performing posts;
  • Decide if you should merge the other posts into the better performing one;
  • Or just delete and redirect them.

Check out this detailed guide on how to fix keyword cannibalization issues on your site to learn how to go about this.

2.5. Avoid accidental duplicate content

2.5.1. What is duplicate content?

Duplicate content issues arise when search engines encounter multiple URLs with the same or very similar content. As a result, search engines don’t know which of these URLs to rank higher, resulting in lower rankings for all of them.  

In the previous section, we’ve already addressed keyword cannibalization, which is caused by writing about the same topic too often. But most of the time, the root of duplicate content is technical and can happen without you even noticing.

For instance, some content management systems add session IDs or parameters for tracking to URLs. Or, you might have www and non-www versions of a certain page indexed. Accordingly, you’ll have multiple URLs showing the exact same content.

Besides the technical reasons, your articles can get scraped or copied by other parties. So, there are many different causes for duplicate content, as you can read in this extensive article on duplicate content.

If you want to find out if your site suffers from duplicate content, you can use these duplicate content tools to check your site for issues.

2.5.2. Solutions for duplicate content

How you should solve your duplicate content issue depends on the cause of the issue. In general, there are three ways to go about this — in order of preference:

  • Whenever possible, avoid creating duplicate content. If your system creates session IDs in the URL, try to turn that off, for instance.
  • Can’t avoid creating them? 301 redirect those URLs to the original version.
  • Really need to keep a duplicate article? Make sure to add a canonical link to the original version in the <head> section of the duplicate article. It will show search engines what the original version of the article is, so they can pass the link juice on to the original version. In the next section you’ll find out how easy this is with Yoast SEO.

If you want to learn how to solve specific duplicate content issues, check out Joost’s ultimate guide on causes and solutions for duplicate content.

2.5.3. Set a canonical link with Yoast SEO

With Yoast SEO, it’s very easy to add a canonical link to a post or page. No need for a developer! Just go to the Advanced tab in the Yoast SEO metabox below your post or page. There, you’ll find the Canonical URL field where you can enter the URL of the original article — the one you want to point search engines to:  

Fill in your canonical URL in the advanced section of the Yoast SEO metabox

If you don’t set a canonical, Yoast SEO will set a self-referencing canonical for you. This means that the article will point to itself. Learn why self-referencing canonicals are beneficial for SEO.

2.6. Support international audiences

To optimize your site for audiences in several countries or language regions, you’ll need to optimize both your content and your technical setup. Let’s start with the content aspects of international SEO.

Doing targeted keyword research and writing fresh content for each audience is crucial. Take items of clothing, for example. An American vest is a completely different garment from a British vest, or a Dutch vest, or a French vest, or a Spanish vest… you get the point. We don’t recommend using automated translations. Invest time and resources in proper research and translations with which to optimize your keywords and copy.

Another important aspect of international SEO is picking the right domain structure. Generally, a different ccTLD (e.g. www.yoast.de) for every variation is only a good option for very large companies with big budgets. In most cases, subdirectories (e.g. www.yoast.com/de) are the way to go.

Search engines want to display the right language version of your site to each visitor, whatever country they’re from. To help them, you need to implement hreflang. hreflang is code that tells the search engines what language variations of a page are available and helps prevent duplicate content problems. It’s quite a complex piece of code, but our hreflang guide helps you along the way — or, you can take our Multilingual SEO training. This course is part of our Yoast SEO academy training subscription.

2.7. Add schema structured data

Structured data is kind of like a dictionary for search engines. By describing your content in code, you can make it instantly clear what that particular piece of content is about. Plus, you can describe who wrote it, on what site it was published and when. Also, if this article featured recipe, FAQ or how-to content, for instance, you could let search engines know about this. This way, search engines get a better understanding of your site. In return, they can use this to help your site get rich results.

Structured data is essential in this day and age. It used to be hard to add structured data to your site, but with structured data in Yoast SEO, we set out to make it easy. Today, we generate the code search engines need to make sense of your site and its connections automatically. You only need to make a couple of choices in SEO > Search Appearance. Select Person if your site is a personal site or Organization if it is a business or professional site. Don’t forget to pick or upload the correct logo or avatar.

That’s not all: you can also quickly build specific types of content pages with our structured data blocks. These blocks work in the block editor and at the moment, we have two types: for FAQs and how-tos. These blocks help you visually build the content, while generating valid structured data in the background.

Pick Person or Organization to get Yoast SEO to automatically generate the correct structured data

3. Optimize your site structure

A solid site structure helps your users and the search engines navigate your site. On top of that, it will make clear what pages on your website are most important. There are two pillars to a good site structure: organizing your site and contextual internal linking.

3.1. Organize your site

Organizing your site will help you set up a navigation path from your homepage right to your individual posts and pages, and back. Adding categories and subcategories will bring order to chaos. Ideally, your site should be organized as such:

The ideal site structure should follow a strict hierarchy

You should always make sure your homepage is clear and easy to navigate. Cluttering the homepage with too many options will make your site more difficult to understand. Adding a clear menu and breadcrumbs helps your user navigate your site wherever they are.

3.2. Connect your content with contextual internal linking

Besides organizing your site, you need to link up your content within your copy. We call this contextual internal linking because these links always appear within the context of a text.

Contextual internal links set up a network of pages, which points your users to related content. In a post on keyword research, for example, linking to an article on SEO copywriting makes a lot of sense. For search engines, these links provide insight into how pages are related to each other as well.

Always make sure that the number of links to a page reflects the importance of that page. Our ultimate guides get a lot of links from individual posts about related topics. This helps users and search engines understand that these guides are crucial pillars of our site.

When adding a contextual internal link, make sure the link makes sense within the context of the current page. Moreover, always use anchor texts which accurately describe the page you’re linking to. This provides users and search engines with the context they need to assess whether the link is useful. The internal linking tool in Yoast SEO Premium helps you connect your content by suggesting relevant links.

3.3. Manage your categories and tags

WordPress has two default ways of structuring your content: categories and tags. Categories add hierarchy to your content and group topics broadly. On a website about cooking, pasta could be a category. Tags are non-hierarchical and can be used to describe your post in more detail. Dinner party themes, for example, could be a tag.

When setting up your site structure, pick a number of main categories. Adding them to your menu can be a good idea, especially if you only have a blog. If you have a blog and several products, a different setup might make more sense. Make sure your categories are roughly the same size. If your categories become too big, make subcategories. Your category pages can be great landing pages, especially for eCommerce sites.

Tags are useful for users exploring topics, but they are often misapplied. It’s important not to use too many tags, and to use them more than once or twice. Remember, you want to group your content, not just give it a description.

If you want to structure your content differently, WordPress also allows you to create custom taxonomies. Always consider carefully whether your custom taxonomy groups content in a way that makes sense and helps your visitors.

3.4. Manage your archive pages

If you use categories and tags, you will automatically create archive pages. These pages contain a list of the posts and pages within a certain category or tag. Besides categories and tags, there are date-based archive pages and author archives. These archive pages need managing because they cause SEO problems if you don’t.

First of all, you want to prevent search engines from indexing archive pages that don’t make sense on your site. You can use the Yoast SEO plugin for this. You do this under SEO → Search Appearance, where you’ll find the following options on the “Archives” tab:

Manage your archives in Yoast SEO

The settings above are the settings for our site. As you can see, we’ve disabled the date-based archives, as we don’t use those. Any date-based link will redirect to our homepage because of this setting. We’ve left the author archives untouched, but we have set the subpages of those archives to be noindex, follow by default. This way, you’ll never land on page two of an archive on our site from the search engines.

If your blog is a one-author blog, or you don’t think you need author archives, use Yoast SEO to disable the author archives. Also, if you don’t think you need a date-based archive: disable it as we have. Even if you’re not using these archives in your template, someone might link to them and thus break your WordPress SEO…

There is one type of archive that is noindex,follow by default in the Yoast SEO plugin: your own internal search function result pages. This is a best practice from Google.

3.4.1. Pagination

If you have lots of posts on your WordPress site, you might want to think about how your pagination looks and works. Otherwise, you might find that your best content is ‘buried’ deep in your site, and users and search engines may struggle to find it. You should also consider customizing how your pagination looks and works so that it’s a bit more helpful for users and search engines. We really recommend checking out the WP-PageNavi plugin!

You’ll probably want to add breadcrumbs to your posts and pages. Breadcrumbs are the links, usually above the post title, that look like “Home > SEO blog > WordPress SEO“. Breadcrumbs are good for two things:

  • They allow your users to easily navigate your site.
  • They allow search engines to determine the structure of your site more easily.

These breadcrumbs should link back to the homepage, and the category the post is in. If the post is in multiple categories it should pick one.

To get breadcrumb navigation to show up on your pages, you may need to adapt the single.php and page.php files in your theme, and include the code for breadcrumbs from the Yoast SEO plugin. You’ll find the settings and instructions on how to do that in the SEO → Search Appearance section.

3.6. Manage your HTML & XML sitemaps

You can use XML sitemaps to tell Google and the other search engines that your site has been updated. Our WordPress SEO plugin automatically configures your XML sitemaps, so you don’t have to worry about anything. We generate sitemaps for your different post types, including your images, and make sure that it generates and loads really quickly.

We intelligently split your sitemaps up into smaller bits, so Google only has to fetch one new XML “sub”-sitemap when a post is published.

You can check and manage which types of your content, archives, and templates should be included in your XML sitemaps in your SEO → Search Appearance settings. Content types which are set to not show in search results will be automatically excluded from your XML sitemaps.

Lastly, our XML sitemaps support has a pretty complete API, allowing developers to add or change functionality through their plugins and themes. Our own Local SEO, News SEO and Video SEO extensions (which generate their own, specific sitemaps) are built on this API, and, other plugins frequently build their own solutions on top of our system.

For larger or more complex sites, it might make sense to provide an HTML sitemap, too. This is a normal page on your website, which helps users navigate to deeper or more specific content.

4. Speed up your WordPress website

If your website is slow, you risk frustrating your users. That makes them less likely to engage, browse, convert, or visit again. That, in turn, can make them less likely to share your content, link to your pages, or recommend your brand. In short, speed is an important part of WordPress SEO, and a huge part of the overall user experience. That means that it’s critical to measure and manage your performance — especially for users on mobile or slower connections!

4.1. Measure your site speed

Measuring the speed of your site can be confusing. Different tools give different scores and results, and sometimes even give conflicting information. That’s why we’ve put together this helpful guide on how to measure your speed — it’ll walk you through the basics of picking the right metrics, to using the right tools for the job when it comes to monitoring and diagnosing issues.

4.2. Improve your site speed

Once you’ve identified what and where your bottlenecks are, the next challenge is to make hosting, theme, plugin and performance tweaks to speed things up.

Page speed optimization is a discipline in its own right and spans well beyond WordPress SEO. That means that the biggest opportunities will vary from site to site, and situation to situation. For some sites, the easiest wins might come from changing hosting or utilizing a CDN; for others, it might mean re-assessing their use of plugins, or altering how they load CSS and JavaScript.

That doesn’t mean that you can’t get started, though. We’ve put together a guide on some page speed tools and easy wins that you can use to get the ball rolling.

5. Secure your WordPress website

WordPress is the most-used platform for website management in the world. It powers 37% of the web (June 2020). While that is awesome, it also means that WordPress is the most targeted platform for hackers. When running a WordPress website, basic security is dealt with by the platform, but there are things you can do yourself to make your website more secure.

That starts with your own login. The default username in WordPress is admin, so change that first. Otherwise, a hacker’s first guess for your username is just too easy. The same goes for your password. Passwords like 123456 and welcome01 are just not enough. Use a password manager like 1Password or LastPass and pick a 20+ character password instead. WordPress also has a number of plugins for two-factor verification, so adding that to your website is easy as pie as well. Do it.

There is more you can do, of course, please read our article detailing WordPress security in a few easy steps. We’ll highlight some of the recommendations below.

5.1. Make regular backups

The next thing we’d like you to do is create regular backups. In case your site gets hacked, or something else goes wrong — for instance, when updating a plugin or theme — it’s important that you can revert that change in a heartbeat. Regular backups make sure that this can be done.

In WordPress, there is a wide range of backup options to choose from. Several plugin developers have created nice software solutions for you, so you don’t have the technical hassle of that backup. At Yoast, we recommend and have good experiences with the Blogvault backup solution. That service has additional benefits like creating staging sites and easy migration options.

5.2. Harden your setup

Hardening your setup starts with picking the right hosting company for your WordPress website. That’s just the start, as every host will do its best to help you out, but it’ll still be your responsibility to harden your setup. Also, tools like Cloudflare are good friends for any company/website in this.

An easy first step is to limit login attempts. By limiting the number of times people can try to login to your website — closing your login form after five false logins, for example — you are hardening your install against brute force attacks and other malicious acts targeting that form.
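The five-failures rule described above can be checked against a web server access log. This added example (not part of the original article) assumes combined log format, a default WordPress that answers a failed login POST with 200 and a successful one with a 302 redirect, and a 10-minute window, which the article does not specify; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # "five false logins" from the text above
WINDOW = timedelta(minutes=10)   # assumption: the article names no time window

# Combined log format: ip, identity, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def login_events(lines):
    """Yield (ip, time, failed) for every POST to wp-login.php.

    Assumption: status 200 means the form was shown again (failed login),
    status 302 means WordPress redirected after a successful login.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GET only displays the form, it is not an attempt
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/wp-login.php") or m["status"] not in ("200", "302"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], when, m["status"] == "200"


def lockouts(lines):
    """Return {ip: time of the failure that reached MAX_FAILURES inside WINDOW}.

    Expects the log in chronological order. A successful login clears the
    counter for that address (an assumed policy, common in limiter plugins).
    """
    recent = defaultdict(deque)
    locked = {}
    for ip, when, failed in login_events(lines):
        if ip in locked:
            continue
        attempts = recent[ip]
        if not failed:
            attempts.clear()
            continue
        attempts.append(when)
        while when - attempts[0] > WINDOW:   # drop failures older than the window
            attempts.popleft()
        if len(attempts) >= MAX_FAILURES:
            locked[ip] = when
    return locked


def sample_line(ip, clock, method="POST", status=200):
    """Build one constructed combined-log-format line (not real traffic)."""
    return (f'{ip} - - [10/Jun/2020:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321 "-" "constructed-sample"')


# Constructed sample using documentation-only IP ranges.
SAMPLE_LOG = (
    [sample_line("203.0.113.7", f"09:00:0{s}") for s in range(6)]     # burst of six failures
    + [sample_line("198.51.100.20", "09:01:00"),                      # two typos ...
       sample_line("198.51.100.20", "09:01:20"),
       sample_line("198.51.100.20", "09:01:45", status=302)]          # ... then success
    + [sample_line("192.0.2.44", f"1{h}:00:00") for h in range(5)]    # one failure per hour
    + [sample_line("192.0.2.44", "15:00:00", method="GET")]           # just viewing the form
)

if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"{ip} reached {MAX_FAILURES} failed logins at {when.isoformat()}")
```

Only the burst from 203.0.113.7 crosses the threshold; the slow hourly failures and the user who mistyped twice before succeeding do not.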

The next thing you need to do is to make sure that your WordPress install, including plugins and themes, is always up-to-date. Updates might fix security issues as well. Make sure to check regularly for updates, and keep your WordPress install up-to-date.

Another important thing to realize is that you are dealing with security every time you add a new user or writer to your WordPress install. There’s an article in the WordPress Codex regarding Roles and Capabilities you should read. It comes down to giving permissions only to those that need it when they need it and only for the time they need it. No need to give a guest blogger administrative rights to your website, right?

Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. Make sure to change these keys when installing a new WordPress instance.

Another easy fix that we’d like to mention is to make sure your template files can’t be edited from the WordPress backend. You can edit them in Appearance → Editor. If a hacker manages to get past your login form, this is really the easiest way to add evil code to your website. Hardening this involves changing your wp-config file.
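As an added example (not Yoast's or WordPress's own code), the Python script below audits a wp-config.php for the two settings discussed above: the eight authentication keys and salts, and the dashboard file editor, which WordPress turns off when the DISALLOW_FILE_EDIT constant is true. The 32-character minimum and the sample file are assumptions constructed for illustration.

```python
import re

# The eight secret constants WordPress reads from wp-config.php.
SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LENGTH = 32                               # assumption: shorter values were typed by hand

# define( 'NAME', 'string' );   or   define( 'NAME', true );
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*
        (?:(['"])(?P<str>.*?)\3|(?P<bare>\w+))\s*\)\s*;""",
    re.VERBOSE,
)


def parse_defines(text):
    """Return {constant: (value, is_quoted)} for uncommented define() lines.

    Works line by line so that comment-like characters inside a secret are
    never mistaken for a comment. The first definition wins, as in PHP.
    """
    defines = {}
    in_block_comment = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block_comment:
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block_comment = "*/" not in stripped
            continue
        m = DEFINE_RE.match(stripped)       # "// define(...)" does not match
        if m:
            quoted = m.group("str") is not None
            value = m.group("str") if quoted else m.group("bare")
            defines.setdefault(m.group("name"), (value, quoted))
    return defines


def audit_wp_config(text):
    """Return a list of findings; secret values themselves are never echoed."""
    findings = []
    defines = parse_defines(text)
    seen = {}                                # secret value -> first constant using it
    for name in SECRET_NAMES:
        if name not in defines:
            findings.append(f"{name}: not defined")
            continue
        value = defines[name][0]
        if value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{name}: only {len(value)} characters")
        elif value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        seen.setdefault(value, name)

    entry = defines.get("DISALLOW_FILE_EDIT")
    if entry is None:
        findings.append("DISALLOW_FILE_EDIT: not defined, dashboard file editor is available")
    elif entry[1] or entry[0].lower() not in ("true", "1"):
        findings.append("DISALLOW_FILE_EDIT: not a literal true, check it by hand")
    return findings


# Constructed sample, not a real site's configuration.
SAMPLE_CONFIG = r"""<?php
/** Constructed sample for the audit below. */
define( 'DB_NAME', 'example' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'k3#constructed-sample-value-A-0123456789abcdef' );
define( 'LOGGED_IN_KEY',    'k3#constructed-sample-value-A-0123456789abcdef' );
define( 'NONCE_KEY',        'hunter2' );
define( 'AUTH_SALT',        'k3#constructed-sample-value-B-0123456789abcdef' );
define( 'SECURE_AUTH_SALT', 'k3#constructed-sample-value-C-0123456789abcdef' );
define( 'LOGGED_IN_SALT',   'k3#constructed-sample-value-D-0123456789abcdef' );
/* NONCE_SALT was deleted by mistake */
// define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
```

To check a real installation, pass the contents of its wp-config.php to `audit_wp_config()`; an empty list means all eight secrets look unique and non-default and the file editor is disabled.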

5.3. Use monitoring and logging

Security is an ongoing process. You need to keep a keen eye on any breaches and keep your website as secure as possible. You could put part of your WordPress security in the hands of, for instance, a company like Sucuri. In case of a hack, they’ll fix this asap. For your own monitoring, you could check your site on a regular basis with their Sitecheck tool. There are a couple of plugins that can help you secure your WordPress site by, for instance, monitoring files on your server, like WordFence, iThemes or Sucuri. Pick your plugin of choice, as long as you make sure that security is monitored.

It can also be useful to just keep track of everything that’s happening on your website like file changes and logged in users. There are several plugins and tools for that as well, like WP Security Audit Log. Keeping track of these things makes sure that you can find irregularities in your install and act on these, or find what happened when in case of a security issue.

6. Cater to your mobile visitors

Take one look around and you’ll notice that our mobile devices are becoming the de facto way of browsing the web, even when we’re at home, lying on our couch. We visit mobile websites. You, as a website owner, need to cater to your mobile visitors.

According to Statcounter, mobile market share surpassed desktop market share for almost all of 2018. This means that if you are only optimizing for desktop visitors, you are not optimizing for the majority of your visitors. Of course, it depends on your specific niche, since those numbers could be different. Google Analytics can give you the exact numbers for your site.

With a mobile market share like this, there is no way you can consider your mobile website an ‘extra’. Maybe it’s time to make mobile the default. It’s time for mobile SEO.

6.1. Make sure your theme is mobile-friendly

After making sure that your site is fast, make sure your website, or rather your theme, is mobile-friendly. Making your website mobile-friendly starts with making sure the links are not too close together, and buttons are easily clickable. Your font should be consistent and shouldn’t be too small and your images not too big, both in file size and dimensions.

We’d like to highlight two specific mobile theme optimizations below.

6.1.1. Use a responsive design

Responsive design means that the design of your website adapts to the screen size your visitor is using. You can do this by using specific CSS media queries. We wrote about responsive design way back when, but the basics are still the same. You have to address certain ranges of screen widths and design for those. Most WordPress themes should be responsive by now.

Depending on the part of the world you are targeting, no, depending on how fast their mobile internet is (2G? Already at 5G?), you might want to change a couple of things. Think about how you use images on your site. Are you using any text enhancements or font variations that might hinder a good performance of the mobile website? Responsive design helps you build a more focused website. That brings us to the second optimization.

6.1.2. Prioritize what’s important to mobile users

Take a step back and look at your website: what do your users want to do here? Define the four to six main tasks your user performs on your website and focus on these. Maybe even give the most important task a big fat call-to-action button.

Here’s an example: If you have a local business, the two main tasks might be calling you or finding the directions to your business. That means you could add these as a special mobile menu, for instance — some kind of bar that is visible all the time. Focus on your visitor’s main tasks and make their life as easy as possible. How to find these top tasks? Ask your visitors! Also, check Google Analytics for the most visited pages on your mobile website. More about Analytics further down this article.

6.2. Consider using AMP

If you are using WordPress, you could serve Accelerated Mobile Pages (AMP) as well. AMP is a 2015 initiative by Google and some major publishers. It allows for fast mobile pages and does so by stripping some of the design. AMP these days is used for both static content and dynamic content like news articles. AMP has pretty strict code requirements, so be sure to validate your AMP pages frequently.

One of the challenges you as a website owner might have is to make sure the AMP version of your website aligns with your branding. Make sure your visitor — used to visiting your desktop/responsive website — still clearly understands that he or she is visiting your pages. Luckily, the difference between design on all these platforms can be minimized.

If you are looking to kick-start the AMP version of your WordPress website, be sure to check the official AMP plugin. This will add an AMP version of your website after installing the plugin.

7. Analyze and improve your performance

A good SEO campaign relies not only on implementing changes but also measuring the impact of those changes, seeing what works and doing more of that. Google has developed two amazing tools to analyze the results of your website and to identify new opportunities where you could focus on in the future.

The first one, for analyzing results, is Google Analytics. By adding Google Analytics to your website, you make sure all user data will be stored in your own account. You can, for instance, check how many visits your pages get, how many of your visitors convert, how many visitors immediately leave your website after landing on a certain page and much more. Within Google Analytics, you can see how visitors behave on your website. Here’s how to track your SEO with Google Analytics.

The second tool is meant to analyze how your website performs and to see how visitors find you in the search engine. That tool is Google Search Console. By exporting and sorting through your search queries and impression data, it’s easy to identify opportunities where you could focus on improving clickthrough rates, content, and/or rankings.

7.1. Set up and integrate Google Analytics

To start with Google Analytics, you need to create an account. Click the ‘Start for free’ button to start. To set up your account, you need to add an Account Name first. This could be your company name. However, when you’re about to add other websites to your account, we recommend choosing a more generic Account Name. Also, you can always change your Account Name later when you want to.

After setting up your account, it’s time to add a property: the website you want to add. Insert the Website Name and the Website URL. Make sure you add the precise URL: http:// or https:// and with or without www for collecting the right data.

Create a new account in Google Analytics

After setting up your property, you can choose whether to enable some of the data sharing settings. Each data sharing option gives you a clear explanation of what you will be sharing by enabling it.

Now you’re almost ready to go! The last step to connect your website to your new Google Analytics account is adding the tracking code to your website. After successfully creating your account and adding a new property you’ll see this screen with your Google Analytics tracking code on top:

Copy the tag to your site

This tag needs to be added to your website. The easiest way to do this within WordPress is by installing a Google Analytics plugin such as the MonsterInsights Plugin for WordPress. Installing this plugin, you don’t need to touch the actual code of your website to connect with Google Analytics. You just simply install and activate the plugin, insert your tracking ID and you’re set! You can also use Google’s Site Kit WordPress plugin to get data from Analytics and Search Console in your backend.

For more technical readers, it’s also possible to add the tag manually to the head of every webpage or to add the tag to Google Tag Manager.

Now your website is connected to Google Analytics, it will start collecting data of your users. Start clicking around to see what all can be found within the data or start reading one of our blog posts about Google Analytics for helpful tips.

7.2. Set up your Google Search Console account

The second tool we think is important to set up is Google Search Console. We recommend going through all steps and you will be all set! In brief, these are the steps you’ll need to follow:

  • Create or sign in to your Google Search Console account.
  • Click ‘Add a property’ under the search drop-down.
  • Enter your website URL in the box and click ‘Continue’.
  • Verify your website — within the Yoast SEO plugin, you can easily copy and paste the meta tag to make it work.

After connecting your website to Google Search Console, it will start collecting data about the performance of your website.

7.3. Other useful tools

Of course, there are plenty of other useful tools out there to get valuable insights into your website and to find SEO opportunities. Everyone has their own favorite tools, so it’s important to just start playing with different tools to find out what tool brings you what you need most.

There are all-in-one SEO tools which give you a complete overview of your performance and there are more in-depth tools which give you more specific data. Think about site speed tools, duplicate content tools, site analysis tools, keyword research tools and much more.

Some tools we use besides Google Analytics and Google Search Console:

Bing Webmaster Tools

Within the Source/Medium section of Google Analytics, you can see what percentage of your traffic is coming from Bing. When this is a sufficient amount of traffic, you might want to create a Bing Webmaster Tools account as well. Bing Webmaster Tools is the Google Search Console variant for Bing. It shows you your site’s health and performance in the Bing search results.

Ryte

Ryte is one of the all-in-one SEO suites you could use to analyze on-page SEO. The tool crawls your website to give you a bunch of data on indexing, errors, links, speed and much more. You can try Ryte for free to see what it has in it for you. Ryte even integrates with Yoast SEO.

Google Lighthouse

Google Lighthouse is a Chrome extension which you can download for free. With the Lighthouse tool, you can easily generate a report with scores for Performance, Progressive Web App, Accessibility, Best Practices, and SEO. This report will give you a quick overview of how your site is doing and you can immediately start working on the areas that need the most attention. You can also use the web-based version on web.dev/measure.

Hotjar

To get insights on how your visitors actually move, scroll and click on your webpages, you could use a tool like Hotjar. This user research tool also has options to add polls or surveys to your site to start doing research. You can try it for free, and the paid packages have competitive prices.

Interested in more valuable tools? Check our list of favorite SEO tools here!

8. Promote your site

You put a lot of time and effort into the content of your site and making sure that readers can find that content via search engines thanks to SEO, but there are other ways to get people to visit your WordPress site and read your posts. But how do you get and grow such an audience? Simply writing posts and putting these out there won’t do the trick: you need to promote your site!

8.1. Encourage engagement

It’s always fun to interact with your readers, but how do you get them to engage? With engagement, we mean all the different ways people can interact with your post. It could be leaving a comment, sharing it on social media or taking action on the topic in general.

But how do you get people to engage? You can always ask them! Write in an engaging way, and then ask your readers for their opinion. Then respond to these comments in order to keep the conversation going and build a relationship with your readers.

Engagement also benefits SEO, as it shows that your site is alive and active. If you want to dive deeper into blog engagement, you can read our post on how you can increase blog engagement.

8.2. Grow your reach

Using social media is the best way to reach and grow the audience of your blog. You should be active on the social media channels where your (potential) audience is present. Facebook, Instagram, Pinterest, and Twitter are examples of popular social media. It might be a lot to decide on, so you can find out more in our blog post on social media strategy: where to begin?

8.3. Build a mailing list

In addition to using social media to promote your blog, it is often a good idea to invest in a digital newsletter. Let people sign up for it and send out emails with your latest blog posts and some other fun facts.

Make sure that you offer a subscribe field beneath your posts and on other visible places on your website. Make sure that your newsletter is mobile-friendly. But, most of all, make sure your newsletter is truly something special! We use MailChimp for our newsletter, which is free up until 2,000 subscribers.

8.4. Amplify your content

The number of blog posts published every day is enormous, which is why it’s becoming much harder to stand out. Your articles have a big chance of getting lost in the vast sea of content. To help your content reach its full potential you need to amplify it.

If your content is original and well-structured, you’re probably able to reach new audiences. Take a look at how you can reach new audiences, beyond your organic reach.

Maybe advertising on Facebook or Instagram might be a good way to reach new audiences for your content? Analyze what channels you already use and decide where you can do more in order to broaden your audience.

9. Conclusions

This guide gives you a lot of stuff you can do on your WordPress site. It goes from technical SEO tips to conversion tips, to content tips, to conversation tips, and a whole lot in between. There’s a catch though: if you want to rank for highly competitive terms, you’ll have to actually do most of it and create great and compelling content in the process.

You’re competing with every other website and business on the planet for attention, visitors, and outcomes. That means you have to put in a lot of hard work!

But don’t worry — we’re here to help.

So if you want to keep updated on the latest news about WordPress, SEO, and our plugins, then you can subscribe to our newsletter and stay one step ahead of the competition!

Read more: How to use WordPress: Answering 12 common WordPress questions »

The post WordPress SEO: the definitive guide appeared first on Yoast.

WordPress 5.0.1 Security Release

WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

Plugin authors are encouraged to read the 5.0.1 developer notes for information on backwards-compatibility.

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

  • Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.
  • Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
  • Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.
  • Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
  • Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
  • Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
  • Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Download WordPress 5.0.1, or venture over to Dashboard → Updates and click Update Now. Sites that support automatic background updates are already beginning to update automatically.

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.0.1:

Alex Shiels, Alex Concha, Anton Timmermans, Andrew Ozz, Aaron Campbell, Andrea Middleton, Ben Bidner, Barry Abrahamson, Chris Christoff, David Newman, Demitrious Kelly, Dion Hulse, Hannah Notess, Gary Pendergast, Herre Groen, Ian Dunn, Jeremy Felt, Joe McGill, John James Jacoby, Jonathan Desrosiers, Josepha Haden, Joost de Valk, Mo Jangda, Nick Daugherty, Peter Wilson, Pascal Birchler, Sergey Biryukov, and Valentyn Pylypchuk.

Moving your website to HTTPS / SSL: tips & tricks

In 2014, we decided to switch over to the (now) commonly-used HTTPS to encrypt sensitive data that’s being sent across our website. This post describes some useful tips based on our own experiences that might come in handy if you’re considering switching. 


A little backstory

Back in 2014, HTTPS became a hot topic after the Heartbleed bug became public. This bug allowed people with ill intent to listen in on traffic being transferred over SSL/TLS. It also gave them the ability to hijack and/or read the data. Luckily, this bug got patched quickly after its discovery. This incident was a wake-up call that properly encrypting user information over the internet is a necessity and shouldn’t be an optional thing.

To emphasize the importance of encrypting sensitive data, Google Chrome (since January 2017) displays a clear warning next to the address bar whenever you visit a website that doesn’t encrypt potentially sensitive data, such as forms.

How do I switch?

Because it’s important that your data is safe, we took steps in 2014 to ensure that we have SSL-certificates across our own websites. If you decide to switch (you really should!), there are a few things that you need to take into account to ensure your website fully works as intended once you’re done.

  • You need to change all your internal links. This also means updating links to assets (where necessary). Make sure to go through your theme and alter references to CSS, images and JavaScript files. Additionally, you can change all your links to start with // instead of https:// which will result in protocol-relative URLs.
  • Ensure your CDN supports SSL as well. We make use of MaxCDN, which allows you to easily set up SSL on your CDN subdomain.
  • There are various levels of SSL that you can choose from, each with their own pros and cons. You will find more information about that later on.
  • Ensure you have a canonical link present in the <head> section of your website to properly redirect all traffic coming in from http:// to https://.

Google also published a handy guide on how to move to HTTPS without massively impacting your ranking, which can be found here.

How does this influence my rankings?

As stated in the previous section, moving from HTTP to HTTPS can influence your rankings slightly if you don’t plan accordingly. However, after you switch over to HTTPS, your rankings will actually improve over time. Google announced in 2014 that having an SSL certificate will be considered a positive ranking factor, so it’s worth the investment.

To make sure Googlebot can re-index your website more rapidly after the move, make sure you migrate to https:// during low-traffic hours. This way Googlebot can use more of your server’s resources. Just take into account that a medium-sized website might take a while to regain rankings. Have a sitemap? Then Googlebot might be able to recalculate and re-index your website even faster.

Setting up HTTPS & SSL on your server

Generally speaking, hosting providers have a service that lets you enable HTTPS or order a certificate. There are a few types of certificates you can choose from, which differ in a few ways. Every variant also has its own price tag, so before purchasing one, make sure that you go with a certificate that fits your needs and budget!

If you’re a bit strapped for cash and tech-savvy, go take a look at Let’s Encrypt to acquire a free(!) certificate.

If you run and manage your own web server, there are a few things that you’ll have to enable in your server configuration before being able to use SSL certificates. This tutorial explains what steps to take to get a certificate running on your server.

OCSP stapling

Having to check the validity of an SSL certificate can result in a small hit in loading speed. To overcome this, you can make use of OCSP stapling. OCSP stapling is a feature that enables the server to download a copy of the certificate vendor’s response when checking the SSL certificate. This means that once a browser connects to the server, it checks the validity of the certificate based on the copy on the server instead of having to query the certificate vendor itself, resulting in a significant performance improvement.

Apache

Before enabling OCSP stapling on your Apache server, please check that you’re running version 2.3.3+ of Apache by running the command apache2 -v (or httpd -v) on your server. Lower versions of Apache do not support this feature.

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with a VirtualHost configuration specifically made for usage with HTTPS/SSL.

In that file, take the following steps:

  1. Inside the <VirtualHost></VirtualHost> section, you should add SSLUseStapling on.
  2. Just above the <VirtualHost></VirtualHost> section, add SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
  3. Check that the configuration is still valid by running apachectl -t. If so, reload Apache by running service apache2 reload.

Nginx

Nginx also supports OCSP stapling. Before editing the server configuration, please check that you’re running version 1.3.7+ of Nginx by running the command nginx -v on your server. Lower versions of Nginx do not support this feature.

If you went through the process of setting up HTTPS on your server as described in the ‘Setting up HTTPS & SSL on your server’ section, then you should have come into contact with an Nginx configuration specifically made for usage with HTTPS/SSL.

In that file, add the following lines in the server {} section:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

The last line references a file that contains a list of trusted CA certificates. Nginx uses this file to verify client certificates and, because ssl_stapling_verify is on, the OCSP responses it staples.

After adding these lines to the file, check that the configuration is still valid by running service nginx configtest. If so, reload Nginx by running service nginx reload.


Strict Transport Security header

The Strict Transport Security header (HSTS) is another handy feature: it instructs browsers to use HTTPS for all requests to your site instead of the HTTP equivalent. Enabling this feature is relatively painless.

Apache

If you’re running Apache, first enable the Apache Headers module by running a2enmod headers. After this, it’s only a matter of adding the following line to your VirtualHost configuration (in the <VirtualHost></VirtualHost> section) that you set up earlier for HTTPS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Reload the Apache service and you’re good to go!

Nginx

Nginx requires you to add the following line in the server{} section of your server configuration file:

add_header Strict-Transport-Security max-age=31536000;

Testing

To see if your SSL certificate is working properly, head over to SSL Labs, fill in your domain name and see what kind of score you get.

Redirecting URLs

To ensure requests are properly redirected to the HTTPS URL, you need to add an extra line to your configuration. This way, traffic that tries to visit your website over HTTP will automatically be redirected to HTTPS.

Apache

In your default VirtualHost configuration (so the one that’s used for HTTP requests), add the following to ensure URLs get properly redirected:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

As with the other changes we made before, don’t forget to reload Apache!

Nginx

In Nginx, change the default configuration file that was used for HTTP requests and alter it as such:

server {
    listen 80;
    server_name your-site.com www.your-site.com;
    return 301 https://your-site.com$request_uri;
}

Don’t forget to reload Nginx before testing these changes.
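
Once the server is reloaded, the three settings configured above (OCSP stapling, the HSTS header and the 301 redirect) can be checked from the command line. The script below is an added example, not part of the original post: the function names and sample captures are constructed for illustration, and each function reads the output of `openssl s_client -status` or `curl -sI` on stdin.

```shell
#!/bin/sh
# Added example: each check reads captured tool output on stdin.

# stdin: `openssl s_client -connect HOST:443 -servername HOST -status </dev/null`
# Passes only when a stapled OCSP response is present and reports the cert as good.
check_stapling() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 1
    printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

# stdin: `curl -sI https://HOST/`; $1 = minimum acceptable max-age in seconds.
# Prints the max-age found; fails if the header is absent or max-age is too low.
check_hsts() {
    min=${1:-31536000}
    age=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' |
          sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' |
          head -n 1)
    [ -n "$age" ] || return 1
    printf '%s\n' "$age"
    [ "$age" -ge "$min" ]
}

# stdin: `curl -sI http://HOST/path`; $1 = expected origin, e.g. https://your-site.com
# Requires a permanent (301) redirect whose Location stays on that HTTPS origin.
check_redirect() {
    hdrs=$(tr -d '\r')
    printf '%s\n' "$hdrs" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 301( |$)' || return 1
    loc=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$loc" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample captures (not taken from a real server).
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_UNSTAPLED='OCSP response: no response sent'
SAMPLE_HTTPS_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'
SAMPLE_HTTP_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://your-site.com/blog/'

printf '%s\n' "$SAMPLE_STAPLED" | check_stapling && echo "stapling: ok" || echo "stapling: FAILED"
printf '%s\n' "$SAMPLE_HTTPS_HEADERS" | check_hsts >/dev/null && echo "hsts: ok" || echo "hsts: FAILED"
printf '%s\n' "$SAMPLE_HTTP_HEADERS" | check_redirect https://your-site.com && echo "redirect: ok" || echo "redirect: FAILED"
```

Against a live site, pipe the real command output into the same functions, for example `curl -sI http://your-site.com/ | check_redirect https://your-site.com`.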

Conclusion

“Should I switch over to HTTPS?” Short answer: Yes. Using HTTPS ensures that private (user) information is being sent across the web in a more secure manner. Especially if you’re dealing with monetary transactions, HTTPS is a must.

What type of certificate you end up going with, depends on your specific use case and budget. Make sure to properly research your options beforehand.

Read more: ‘WordPress security in a few easy steps’ »