Category: Security

Websites have always run on code, but it wasn’t always the case that they used multiple programming languages. Most modern sites use languages like JavaScript and CSS for scripts and design elements – back in the day, though, websites were typically just written in HTML.

Users who load up sites with their web browsers can point to the CSS and JavaScript elements present on a site, but there’s another highly important programming language that’s running on a website’s server: PHP. If you’re loading or hosting a WordPress site, PHP is responsible for almost everything on the front and back end.

From page templates and the WordPress dashboard to the plugins and themes installed on a website, PHP is a programming language that is inextricable from the platform we call WordPress.

What is PHP?

PHP is a popular programming language that’s mainly used to create websites. It’s an open-source language that’s free to use, just like WordPress. In light of this fact, it’s easy to see why PHP is among the most commonly used languages in web development.

For example, popular websites such as Facebook have PHP running behind the scenes. It’s also what most of WordPress core is coded with. And you can use PHP for many exciting things, such as automating your WordPress login page and managing your WordPress posts.

Unlike languages such as HTML and CSS, which dictate the style and layout of a website, PHP is responsible for what a website actually does. PHP is server-side, so it gets processed on whatever machine is using a hard drive that stores the PHP code. This differs from client-side languages, such as JavaScript, that display the work they do on a user’s internet browser.

Because PHP is a server-side language, you’ll have to tackle site performance issues related to PHP by yourself. Even if someone had the most cutting-edge computer in the world, they’d still encounter issues when loading your website if you’re dealing with PHP-related site performance problems.

Why Updating Your WordPress Site’s PHP Version is Important

PHP is inextricable from your WordPress site and its performance – it’s responsible for pulling the right data from your database, packing it up in CSS and HTML, and rendering a complete website visible from your users’ internet browsers. In other words, if PHP slows down, so does everything else.

Additionally, it’s important that you keep your WordPress site’s PHP version up to date since using old versions can compromise your site’s security to vulnerabilities and cybersecurity threats. It’s little wonder, then, that PHP as a language has been consistently iterated throughout the years, spawning a ton of versions as a result.

According to WordPress’s official recommendation, you’ll want your server to at least be running PHP 7.4 so that you can run the current version of WordPress. As PHP improves over time, it becomes much faster and more secure. Security and speed are especially important for WordPress site owners or their employees who may need to access their sites remotely through a VPN (which is common, as statistics show that 15% of people utilize a VPN daily). At the time of this article’s writing, you’ll have the greatest speed and security if you’re running PHP 8.1 on your server.

Before you jump into checking and updating your WordPress site’s PHP version, it’s important to know that active support for older PHP versions is running out. Support for version 7.4, for instance, was removed in 2020, with its security support ceasing toward the end of 2021. So, if you need other reasons to update your WordPress site’s PHP version, the lack of active and security support for older versions will hopefully convince you.

How to Check Your WordPress Site PHP Version

There are several options at your disposal when it comes to checking your WordPress site’s PHP version. We’ll focus on three ways to view it below.

View Your PHP Version in WordPress’ Site Health Section

The first and easiest way to view your PHP version is to simply log into your site and navigate to Tools > Site Health and click on the ‘Info’ tab. Then scroll down to where you see an accordion label for ‘Server’ and click to open it. Here you can quickly find your current PHP version, along with lots of other helpful information about your server, themes, plugins and your WordPress site in general.

Check Your PHP Version with Your Hosting Provider

Another way to check your site’s PHP version is by checking your hosting management panel. If you access your hosting account and search its back end, you should be able to locate a menu named something similar to general ‘Site Information’ or ‘PHP Settings.’

For WP Engine users, this information is promptly displayed on your Sites section when you login. You can see which version you’re using directly through these settings, and you’ll be able to upgrade to a later version through the same settings as well.

Use a Troubleshooting Plugin

As a WordPress site owner, you have the luxury of being able to use plugins. And depending on your needs you may already be using (or want to install) an all-in-one type troubleshooting plugin like WP Tools. For this plugin specifically there is a ‘PHPINFO’ tool that will display your PHP version, server configuration, etc. Using this plugin is straightforward: simply install it and then activate it, after which you’ll be able to check what your current PHP version is via your WordPress dashboard (as well as a ton of other information).

Now, if you already happen to be running the latest PHP version on your server, you can stop here. If, however, you need to upgrade your PHP version safely, then keep reading.

How to Update Your PHP Version for WordPress

Before you upgrade your PHP version, first things first.

1. Check to see what the latest compatible version of PHP is for WordPress. You can view PHP compatibility in the Make WordPress Handbook, as well as a nifty chart that shows which WordPress versions play nice with each PHP version.
2. Backup your WordPress site in case you run into incompatibilities between your site’s existing code (such as your WP themes, scripts, and plugins) and the version of PHP that you’re upgrading to.

Once you’ve created your local copy and finished backing up your site, you can also use the free PHP Compatibility Checker WordPress plugin to verify that you have no compatibility issues. Install the plugin and, once it’s installed, scan for potential errors and warnings and then update or possibly replace your incompatible themes or plugins. You can also follow the suggestions that PHP Compatibility Checker gives you.

Upgrade PHP

To actually upgrade your version of PHP, log into your hosting provider’s administrator dashboard. For WP Engine users, you’ll see a warning symbol next to your PHP version if there is an update available.

Just click to open a popup window and proceed with your PHP upgrade. It’s that easy!

Alternatively, your admin dashboard might have a menu item called something similar to ‘PHP Version Manager,’ after which you can go to the location of your website and choose the PHP version you want to run. Certain admin panels may require you to conduct your own search to find the necessary tool with which to upgrade – in this case; you may want to contact your provider.

PHP is the thing that keeps all the pieces of your WordPress site together, and it’s essential that you keep your PHP version updated. Doing so will provide you with greater site security and speed, and if you’ve checked and upgraded your PHP version per the steps laid out in this article, your site is in perfect shape to continue into the future!

Even if you are confident in the security of your WordPress site, you should still take precautions. A security breach can wreak irreparable damage to your online business. Hackers frequently use bots to saturate your website with spam, which can get out of hand quickly.

Fortunately, spammers and bots may be kept out of your site using a sophisticated tool. WordPress CAPTCHA is a simple and easy-to-use test that enables security on your website and offers an extra layer of protection.

Let’s take a closer look at how to use CAPTCHA to protect your website.

What Is CAPTCHA?

CAPTCHA is the acronym for the “Completely Automated Public Turing test to tell Computers and Humans Apart” test. Computers can distinguish between automated and human users thanks to CAPTCHA, which does precisely what its name implies. Humans can breeze through these tasks efficiently, but an automated script might struggle.

Traditional CAPTCHA tests require the user to enter distorted text, but reCAPTCHA is a newer, complex CAPTCHA type that has been around for a while (and noCAPTCHA, a sort of reCAPTCHA spinoff). Invisible CAPTCHA, the most recent version, is now available too.

How Do CAPTCHAs Protect Your WordPress Website?

Hackers, spammers, or bots can assault your site’s login and registration pages. Typically, their goal is to access the administration area. Forms, where you need to enter usernames and passwords, are excellent for hackers to use as entry points.

When an unauthorized user gains access to your WordPress admin area, a lot may go wrong, including:

• Crashing a network of websites
• Distributing malware
• Reducing website traffic
• Demanding a ransom
• Hurting search optimization efforts
• Spamming the comments  section
• Stealing personal information

WordPress CAPTCHA helps protect your site from hackers and spam bots by confirming if an actual human is attempting to use a form on your site. Traditionally this includes visually stretching, distorting, or otherwise manipulating numbers and letters, then relying on the human ability to recognize the symbols.

Types Of CAPTCHA

Above a traditional CAPTCHA, the test was mentioned however CAPTCHA tests come in various forms. Over time, newer, more accurate, and more efficient software has replaced older versions. In this section, we’ll go over the most common types, the differences between them, and the plugins that you can use to implement them on your WordPress site.

Human-Assisted OCR

With this common type of CAPTCHA, users must understand distorted text or pictures to log in or complete a form.

ReCAPTCHA, Google’s service that uses human-assisted OCR, is one of the most well-known CAPTCHA tests. OCR (Optical Character Recognition) helps users who cannot recognize the scanned text due to visual impairments. The OCR software includes an audio equivalent to help those who are deaf or do not hear properly complete the test.

Google reCAPTCHA is an effective CAPTCHA solution that secures your website against fraud, bots, and abuse and aids in ensuring compliance with the PCI-DSS standards to secure customer data as well.

The simply named reCaptcha plugin is a good option for WordPress sites. Make sure to utilize it with other plugins, such as contact form plugins, to get the most out of it.

It’s a quick and straightforward way to solve CAPTCHA tests. The plugin uses response image files to verify answers when a user enters them, and if the answer is correct, the form can be submitted.

No CAPTCHA and Invisible CAPTCHA

With noCAPTCHA or Invisible CAPTCHA there is nothing for the user to do. Instead it relies on a user being active on your website, so when they click links or existing buttons their validity as a human is confirmed.

The WordPress plugin CAPTCHA 4WP adds noCAPTCHA and invisible reCAPTCHA to display CAPTCHA on your comment form, login page, password reset page, registration page, etc.

Multiple CAPTCHAs can be displayed on the same page (though that’s usually a bit much). And a contingent login can be created and displayed after several failed attempts. You may also choose whether or not to show a CAPTCHA to logged-in visitors.

Logic Questions

In a logic questions test, the user is given a single or series of questions to answer. The questions are usually very simple (such as basic math or recognizing a simple pattern), so even seven-year-olds should have no trouble answering them.

WC Captcha is an excellent WordPress plugin for logic questions. It requires visitors to complete simple math questions to access your site. Additional features include hiding the CAPTCHA test for logged-in visitors, choosing which mathematical operation to apply, displaying the CAPTCHA as figures or words, selecting the box title, and entering the time.

Image Recognition

Text-based CAPTCHAs have been phased out and replaced by image-based ones. Instead of relying on distorted text, an image is used to illustrate the idea.

Image recognition requires users to identify a particular object in an image. As a general rule, image-based CAPTCHAs ask users to choose pictures that fit a topic or recognize images that don’t. These CAPTCHAs use graphics components like photographs of animals, shapes, or scenes.

Various options are available, including a single image divided into portions by a grid, two independent photos presented next to each other or asking a user to choose the correct graphic. KC Computing has a couple of good form-specific options on WordPress.org, like this Image Captcha for Gravity forms.

User Interaction CAPTCHA

A simple action, such as sliding a slider across the screen, is used in user interaction tests. Despite its simplicity, computers have difficulty passing this type of test, so it’s almost a foolproof way to protect your website.

An example of a user interaction CAPTCHA is the WP Forms Puzzle Captcha plugin. A puzzle piece slides into a slot instead of a three-digit code in this plugin, which works the same way as the Simple Login Captcha plugin. It’s a good solution to prevent bots from gaining access to your site because they haven’t worked out how to solve these puzzles yet.

Where in WordPress Should the CAPTCHA Plugin Be Enabled?

A WordPress CAPTCHA is an excellent way to protect any form on your website where users are required to provide personal information to prevent spam and hacking. The following elements of your site could benefit from a CAPTCHA feature:

• Content submissions
• Contact forms
• Login pages
• Email signup forms
• Password recovery pages
• User registration forms
• Surveys
• Forums

And more, for example if you have a store, memberships, etc. Anywhere you have a form.

Steps to Add CAPTCHA Protection to WordPress

Now that you know what CAPTCHA is, here is a quick look at how you can easily add this extra layer of protection to your WordPress site.

Step 1: Install a WordPress CAPTCHA Plugin

First, download your chosen WordPress plugin for your website. We shared a handful of good options above, but most free CAPTCHA plugins in the WordPress directory will do the job. You don’t need to pay extra to secure your website!

Before installing a free plugin, certain things must be considered:

• First, decide which CAPTCHA version or type you require since there are various options. Select the one that suits your website the best.
• The plugin should operate on numerous pages of your website, not simply the login page.
• Ensure the plugin works everywhere you’ve installed a form on your website so bots can be filtered out. So if you’re using a form or ecommerce plugin be sure the CAPTCHA you choose is compatible.

Step 2: Add Google reCAPTCHA to Your Website

If your WordPress CAPTCHA plugin or general security plugin uses Google reCAPTCHA, you must first create an account and fill out this Google ReCAPTCHA form for your site.

At the time of writing, there are two versions that you can choose from – reCAPTCHA v3  and v2. Depending on your preference, you can verify with a score or a challenge. Either way, the user experience shouldn’t be affected.

After completing the Google reCAPTCHA form, click submit. The next page shows the site key and secret key. The keys must be input in WordPress’ CAPTCHA settings.

The next step may vary a bit depending on the plugin, but you’ll need to locate the reCAPTCHA key fields within your plugin’s settings or admin page. Then just copy the two keys and paste them into the corresponding areas for your CAPTCHA or security plugin. Finally, make sure to save. You should now be all set to start using Google reCAPTCHA!

Step 3: Protecting Sections of Your Website With CAPTCHA

When installing a WordPress CAPTCHA plugin you’ll typically have the option to activate your CAPTCHA protection on all forms, or specific pages/sections.

As mentioned before, CAPTCHA can be used on pretty much any login form, including:

• Registration forms
• Admin pages
• Comments forms
• Reset password forms

And this includes the related forms for WooCommerce, EDD and BuddyPress too.

Depending on the plugin you choose the CAPTCHA may be automatically enabled on all of you forms, there may be a shortcode you need to add to your forms in your form builder, or there could be an admin or settings panel to enable CAPTCHA for various sections of your site.

For example, for the Advanced Google reCAPTCHA plugin, there is a settings panel under eCaptcha > Settings > General > Enable reCaptcha where you can enable CAPTCHA for your default forms (login, registration, reset the password, comments) and third-party plugin forms (WooCommerce, BuddyPress, etc.)

But if you’ve selected a CAPTCHA add-on for a specific plugin, such as Really Simple CAPTCHA for Contact Form 7, there is instead a shortcode similar to [captchac captcha-1] [captchar captcha-1] that can be added when building a form. There are also additional styling options and settings that can be coded in.

One of the key processes on modern WordPress sites is restricting access to bots and automated scripts. Implementing Google reCAPTCHA using various WordPress plugins is one of the best solutions for preventing such behaviors from occurring on your website.