Why every website needs a 50,000 mile checkup

By David Innes, | May 27, 2023
Oil Change by Flickr User Tobin
Oil Change by Flickr User Tobin

Hey, if WordPress is so great why do so many web developers offer maintenance plans? Is WordPress really that insecure? Fragile? Hackable? No! A well-built WordPress site on a good hosting plan is surprisingly secure. So… why should you still get a good WordPress maintenance plan?

Here’s how I explain things to my clients: WordPress is like a car. Once you get your car from the dealer, you can drive wherever you want. You don’t need a mechanic in your car to help you change gears, right?But even the nicest cars still oil changes and 50,000 mile tune-ups. And if you take it off-road, or if it gets wrecked or stolen, you’re going to need a mechanic to help you get it back in the road.

It’s the same with WordPress, or any other site that’s not pure HTML with maybe a little CSS. Web protocols change. Just like a car you don’t need a developer to help you use WordPress day to day. But over time browsers get more capabilities and site visitors get less and less patient with slow performance. Over time server software changes. WordPress software changes too. And it’s almost all driven by impatient visitors who expect more and, of course, hackers. Hackers and their bots have a lot of incentive to exploit your website, and every year they get more and more (and more!) creative.*

So, yeah, you’ll always need basic maintenance and updates for your site, server, and software stacks just like you need routine maintenance for your car. And that’s why WordPress (and all other websites) need routine maintenance too.

* Speaking of hackers, they’ve already been using simple AI/ML-like techniques for at least a decade, so it won’t be long before they’ll begin using surprisingly sophisticated GPT queries to challenge even the most security-through-obscurity-coded website.


Note to self: converting a site to Google Analytics 4

By David Innes, | February 22, 2023

This post includes the steps for converting a site from Google Analytics 3 (GA3) to Google Analytics 4 (GA4.) I’m posting it so I’ll be able to find it myself, but it may be helpful for others as well. If I find further information about making the switch I’ll try to update this post.

Earlier today I got an email from a client asking me for help with a warning she’d received from Google Analytics

“Today I noticed this alarming notice at the top of the page, which I don’t quite understand, see below. Can you explain this to me and hopefully assist me if a new google analytics site needs to be set up. Thanks in advance”

Email with screenshot from a client

Since I specialize in building, fixing, and maintaining websites I typically leave Analytics to my clients’ marketers. ut this was a great customer and they were genuinely concerned so I decided to take it on.

This is a change Google has been “threatening” for at least a year, and for most of that year people (including marketers) have expressed a lot of confusion about it. And when I logged in I was… equally confused.

So I reached out to the local WordPress community with the following request

Ok, has anyone figured out the shortest-path steps to convert a client from regular old Google Analytics to GA4? Most of my small-biz clients only use GA to track simple site visits rather than all the ad-word and phone-app stuff GA seems to have morphed into.

I just tried setting up a client with the GA “conversion assistant” option and while it seems to have done the conversion it also seems like

  • They want me to add new tracking codes to the website, but
  • I’m not seeing any evidence of where such a new script can be found.

But then since I just build and fix website instead of SEO and marketing I have the patience of a goldfish for Google’s change-of-the-month-club approach.

Any explain-it-like-I’m-5 links would be appreciated.

I got a great answer from Matthew Woicik, the owner of ML2 Solutions. Even though SEO happens on websites it’s a marketing function. Matt’s company specializes in social media, business listings, paid advertising, and search engine optimization and analytics. (That’s an endorsement, by the way.)

Here’s what Matt told me, lightly formatted to make the steps more clear:

…the simplest path is to use the GA4 Setup Assistant that is in the admin interface. That should transfer most of the settings to a new Google Analytics 4 property. However, like you found out, you might need to update the tracking code. Here is how to find the tracking code:

  • Login to Google Analytics and go to the Google Analytics 4 property.
  • Click on the gear icon for the Admin configuration.
  • Click on “Data Streams”.
  • Click on the data stream that should have been created as part of the GA4 Setup Assistant process.
  • Click on “Configure tag settings”.
  • Click on the link for “Installation instructions”.
  • Finally, click on the tab labeled “install manually” for the tracking code.
Matthew Woicik, the owner of ML2 Solutions

I have to admit that looking in the “data streams” property wouldn’t have been the first… or even 7th place I looked. Nor was it clear from any of Google’s extensive but never-very-helpful documentation. So I’m really grateful. Thanks!

The final step for me was to copy the resulting code snippet and using it to replace the old google analytics code in my client’s site headers.

I’ll be able to check tomorrow to see if the new tracking code is actually, well, tracking. And if it is then…

Then I’ll be able to apply these steps for any other clients who need help making the conversion.


Another Bogus DMCA Infringement Notice based on a forged blog post

By David Innes, | January 11, 2023

Have you received a bogus “DMCA takedown notice” from an individual (falsely) claiming to be a lawyer with the email address “”? Was the claim based on a dubiously-dated post on a website called “Global News” or “Global Express News?” If so this might interest you.

Back in June, 2022 I got a bogus takedown notice for a post I’d written warning about a scam-like “domain listing” company that sends invoices that look like a domain registration renewal, charges more than 10x the actual price to renew a domain registration and… doesn’t actually renew your domain registration.

I’ve written about this problematic invoicing ploy several times… and received and debunked a bogus DMCA takedown notice last year. So I wrote about yet another similarly bogus “domain listing ploy the other day aaannnddd… this morning I got another bogus takedown notice, seemingly from the same “black-hat PR” individual

Annotated screenshot of the bogus contact-form submission
Annotated screenshot of the bogus contact-form submission

I want to be really clear that I’ve spoken to the real Thomas Ross named in some of these takedown notices and it’s absolutely clear someone is stealing his identity! I’ve spoken to other attorneys who’ve worked with the real Tomas and they’ve assured me he wouldn’t be involved with this sort of scam.

As I mentioned last June, the scam seems to involve finding negative blog posts, copying their contents and posting them to this “Global Express News” blog with a hacked earlier post date!

The “Global Express News” site seems to only *cough* post these sort of negative stories, marked as “no index” so they won’t show up in Google and other searches. After I made that earlier post others got in touch with me saying the same thing had happened to them.

The good news is

  • These takedown notices are entirely bogus
  • They’re not worded legally
  • If you got one of these things you’re not the only one
  • You can probably use this and my earlier blog post as evidence if your hosting provider or CND asks for an explanation

Read fine print before paying “Domain Listings” $288.00

By David Innes, | January 7, 2023

It must be that time of year again. I just opened a suspiciously invoice-like “offering” from a company called “Domain Listings” that offers to add you to their “Annual Website Domain Listings on Internet Directory” for the low-low unreasonably-expensive price of $288 per year.

Please note that Google will do this for you for free. In fact, chances are Google will “list” your site unless you go out of your way to ask them not to.

I’d leave people like this “Domain Listings” company and the older but equally sketchy “Domain Authority” alone if they’d just advertise their expensive listing services the old-fashoned way. But they don’t. Instead they mail “window” envelopes containing “offerings” that look very, very much like invoices from domain registration companies.

Annotated photo of a "Domain Authority" letter.

Note: I get half a dozen calls a year from people asking why their website’s domain registration expired after they paid this company or one like it. Usually they’re very angry or very hurt. I’ll help recover their registration if I can — usually you get a grace period after your website disappears when you can recover it. But really the better deal would be if these companies grew a conscience and stopped running this… misleading… offer.

Extra funny. On the back of this letter, in very small print, they say “All Listings are final.” Because as soon as the average website owner gets a real invoice for their domain registration (usually for less than $20/year) they’re naturally going to ask these people for their money back.

Extra credit: their “domain listing” service looks very slick but since relatively few people fall for this kind of thing their actual listings are pretty sparse. For instance if you search for “lawyer” in tech-savvy Seattle you’ll find… exactly none have been dumb enough to list there. Or how about searching for a single webmaster, anywhere, who’s paid these guys?

Screen shot of website showing no webmasters listed in any city or post code.

Again, it’s your money, and if you want to get listed with them that’s totally fine. But don’t mistake their advertisement for an invoice. Don’t imagine you’re renewing your domain registration when you pay this.


Answering the question “Why is email through WordPress so complicated?”

By David Innes, | January 4, 2023
Junk mail envelope marked with the words "Return to Sender"
Image by Flickr user Judith E. Bell

Why aren’t website’s contact form messages showing up in my inbox? It’s a common problem. It’s a common question. Here’s an answer.

On a Reddit support forum for WordPress users, in a now-deleted post, someone said they were having trouble getting their contact forms and other email delivered when using 3rd-party email providers like Microsoft’s Office 365. They added that the “easy” answer, using an email plugin, is actually incredibly complicated. It’s a good question and common enough that I thought I should repost my answer here.

The problem isn’t with WordPress or even your hosting company. Other services (e.g. newsletter vendors, billing companies, cloud-based contact and project managers, etc.) that send email from your domain (e.g. typically have the same problems.

And really? Really the problem is spammers and scammers that force mail providers to continuously tighten security screws to prevent random hackers from spoofing your email addresses.

From a customer’s perspective, MS365’s fanatical security is awesome. For site owners, web developers, and 3rd-party communications providers it’s a royal pain. But again, not WordPress’s fault.

Basically what’s going on is that your server sends email on your behalf, using some core PHP or server function to send email. The server dutifully sends a message to the client claiming to be from, right? But when the email provider’s server receives the email it goes “no, wait a minute, as far as I know I’m the only official server for all email, so this has to be a forgery. So I’m rejecting it even before it goes into my user’s spam box.”

As email users that’s actually what we want to happen 99.9999% of the time, right? The alternative would be going back to the days when you’d get mail claiming to be from your aunt trying to sell you counterfeit watches.

The solution is to configure your DNS tables with records that will let Microsoft (or Gmail, SendMail, etc.) known that you’ve also authorized your web server to send mail on your behalf.

The main way you do that is by modifying the SPF record, but depending on how paranoid they’re feeling you may also have to have the correct DKIM, or DMARC records. You might even need to have text records with codes authenticating your account (e.g. ms=12345678)

If you’re using Microsoft Office 365 check with your account rep, or log into the 365 admin panel, then root around to find the correct records to use. (I think there may also be a way to specify your server and/or serve IP address for the SPF record.) If you use Gmail or another less-strict provider check with their support documentation.

And yes, the alternative as the original poster mentioned is to set up an SMPT plugin and then jump through all the (enormous!) hoops to create the right configurations, administrative permissions, and app passwords and keys Microsoft and Google require since they (unfortunately but correctly) won’t just let you add your username and password since the information have to be stored in more or less plain text somewhere on your website or web server.

One final possibility: a small handful of hosting companies disable all outbound email by default, in order to prevent poorly designed or poorly secured customer sites from sending spam. They do this to prevent their servers from winding up on email blacklists. You may want to contact their technical support to have that “option” turned off.


From the horse’s mouth – what content does Google look for?

By David Innes, | November 11, 2022
Screenshot of Google's Documentation page

Summary: Cool set of questions that Google looks for when ranking website content.

You’ll often hear people say the best way to boost your ranking with Google is to have great, useful, relevant content. Which to be honest ought to be pretty obvious… but isn’t, given the zillions of ways people come up with to try and game the SEO system.

So… what exactly does Google mean when they say it? I stumbled across an extremely helpful explanation from Google itself: Creating helpful, reliable, people-first content

Google’s automated ranking systems are designed to present helpful, reliable information that’s primarily created to benefit people, not to gain search engine rankings, in the top Search results. This page is designed to help creators evaluate if they’re producing such content.

From SEO Fundamentals,

The whole article is worth reading. Even better, the questions they ask are aimed at non-technical website owners.

Here are a couple of questions they recommend looking into when it comes to your content on your website or social media posts (sample questions are copied directly from the Google article)

Content and quality questions:

  • Does the content provide original information, reporting, research, or analysis?
  • Does the main heading or page title avoid exaggerating or being shocking in nature?
  • Is this the sort of page you’d want to bookmark, share with a friend, or recommend?

Expertise questions

  • If someone researched the site producing the content, would they come away with the impression that it is well-trusted or widely recognized as an authority on its topic?

Presentation and production questions

  • Is the content mass-produced by or outsourced to a large number of creators, or spread across a large network of sites, so that individual pages or sites don’t get as much attention or care?
  • Does content display well for mobile devices when viewed on them?

That’s still just a sample of the questions, so definitely go read the original. But the summary is the same as what I and most other internet old-timers are going to tell you: write for people first, avoid SEO “tactics” like stuffing keywords to try to make search-engine algorithms think your content is more interesting to people than it really is.


Bogus DMCA infringement notices may be the product of “black hat” PR agencies.

By David Innes, | July 20, 2022

Have you received an email claiming you’ve infringed the Digital Millenium Copyright Act (DMCA) recently?

Screenshot of Cloudflare infringement complaint

For people with screen readers here’s the relevant text from the screenshot

Cloudflare received a DMCA copyright infringement complaint regarding:
The information we received was the following:

Work: I, XXXXXXXXXXX, would like to draw your attention towards this website owner who copied the content from our website !! I did not authorize or approve this website owner to post them here. …… Kindly act expeditiously to remove this infringing or unauthorized content post from this website ASAP.

We have forwarded this complaint to your hosting provider.
The Cloudflare Team

I got one of those and turns out quite a few others have received similar notifications. I called the attorney listed on the complaint and they adamantly denied any involvement. (No surprise: the address used in the complaint is a vacant lot!). It looks like the lawyer may also be a victim of identity theft!

After reviewing the takedown request the lawyer informally (not legal advice!) told me that since he didn’t make the complaint the infringement notice is not actionable.

So what’s going on?

First of all, what they’re doing

It looks like the actors behind this behavior do this one neat trick

  • Identifies a “controversial” or negative post about one of their clients
  • Copies the contents and posts it on their own website…
  • …using the names of attorneys (at least one) as the authors
  • Manipulates the publication date to one day before the original’s published date
  • Uses “no-index” methods to prevent search engines from indexing their bogus post
  • Submits an infringement notification with the alleged lawyer’s name and a phony Gmail address
  • Make money

They’ve got a lot of !%# gall, right?

In my case I’ve got an iron-clad “alibi.” The original post they copied and complained is actually a follow-up to a previous post. The first sentence has a link back to that post.

Both posts have very similar contents and very similar images (since I created them myself using the same tools and formats.)

The back-dated copy doesn’t link back to anything — no surprise since they’ve just copied and pasted my content.

Second of all, a strong guess about why they’re doing it

I’ve been in contact with several other people who’s posts have been similarly copied, back-dated, and then hit with infringement notices.

In each case the subjects of the target posts call companies or individuals into question. It’s not unreasonable to assume that some people might like to see negative information about their enterprises scrubbed from the internet. And some of those people might hire an “aggressive” reputation management company to try and deal with it. And some of those companies might not be above pulling “black hat PR” moves… like hacking the DMCA infringement regulations by back-dating other people’s posts and claiming the original posters needed to be shut down.

One of the other victims of this exploit contacted me and told me they’ve spoken with at least eight other site owners who’ve had the same experience. Two of them (including the one who contacted me) had not just the “offending” post but their entire websites taken offline as a result!

I’m not going to say any more about this at the moment, because other parties and possibly their lawyers seem to be getting involved.

Instead I’m just going to say if you get one of these takedown notices and you haven’t actually plagiarized someone else’s content it might be a good idea to do a little due diligence.

  • Definitely push back.
  • Get on a search engine to find the real lawyers who’s identities are being misrepresented in the infringement notices and get clarification that they’re not involved.
  • And let your hosting company know, in no uncertain terms, that the notices are invalid.

Chances are very good that neither the black-hat PR companies nor the people who hire them are up to any good.


Fix missing Ninja Forms on your WordPress website

By David Innes, | June 23, 2022

So, about the WordPress Ninja Forms plugin and missing forms.

If you use NinjaForms and got that forced security update in mid June, 2022, your forms may have disappeared from your Contact page or other places on your site. Chances are the site isn’t really broken. Instead the plugin may have disabled the forms by putting itself into “maintenance mode.”

Here’s how to fix it:

Screen shot of the Ninja Forms settings page with arrows showing how to fix disabled forms.  The steps are repeated in text, below.
Steps to fix disabled Ninja Forms forms on your WordPress website

Follow these simple steps

  • log in to your site’s dashboard
  • visit NinjaForms -> Settings
  • manually click the “Remove Mantenance Mode” button near the bottom of the settings page.
  • don’t forget to clear any caches too

While this post is specifically about the forced update in June, 2022, you may also run into disappearing NinjaForms forms other times as well, especially after migrating a site to a new server, and possibly when an update requires changes to the database.

I found missing forms on around half the sites I manage that use NinjaForms! To be safe I went ahead and applied the fix on every site that uses NinjaForms. The steps, above, are very simple but when you’re talking about dozens of sites it… takes a while. (I’m posting this while taking a break from the chore!)

This seems like a really awful “feature.” I understand their reasoning, but contact forms and other forms are often the life’s blood of a working website. If those forms disappear it’s bad for your visitors and bad for the site’s owners as well!


Read the “fine print” before sending money to Domain Authority

By David Innes, | March 31, 2022

I’ve discussed this issue before but a lot of my clients get this “Renewal Notice” from a company called Domain Authority. Looks like they’ve updated their stationery but they’ve been sending these things out for years.

Screen shot of Domain Authority "invoice" calling out the fine print.
Note: They don’t disclose that Domain Authority is not a domain registrar till the second page

Almost everything about the letter implies it’s an invoice to renew your domain name until you get to the “fine print” on the second page where they admit it’s just a solicitation to have your site listed in their “yellow pages” style directory.

As I mentioned in that previous post what they’re doing seems to be technically legal so I probably can’t legally say it’s a “scam.” But I can say without qualification that everyone should think twice ten times 100 times before you send 289 hard-earned dollars to some random directory listing in Hendersonville, North Carolina (the address on their solicitations) or possibly Sante Fe, New Mexico (the address on their website.)

If you go to their website you’ll see an even more clear disclaimer at the bottom of their home page:

Domain Networks is an online directory listings top websites from local businesses from around the world. We do not provide domain registration or domain renewal services.

Disclaimers in their FAQ are even more direct

Q: I received a mailer that looks like a bill.
A: What you received in the mail is not a bill. This is an advertisement for our domain listing services.

I’ll repeat: paying these guys will not renew your domain! You do that through your actual domain registrar.


On Facebook outages and why it’s still ok to “own your own content”

By David Innes, | October 7, 2021
“Eggs in One Basket” by Flickr user John U.

Over at PostStatus David Bisset has a thoughtful post about brushing off the recent Facebook/Instagram/WeChat outage with quips about “own your own content.”

Time will tell if Facebook being down on Oct 4th will be the single greatest system failure in tech in 2021. There’s been some good writing explaining what went wrong (and the fact that mistakes happen), but predictably when sites and networks fail like this there are reactions on social media. Eventually, especially in the WordPress community, when it comes to corporate sites and social networks someone is there to wag a finger and say “See? Own Your Own Content.” Me included.

This time around — maybe because it was Facebook or I’m just showing my age — it felt different saying “Own your own content.” Yes, you should own your own content. But that’s not possible for many people today, and many were hit harder than you may realize. 

David Bisset, PostStatus

I agree there’s a certain amount of “first-world problem” elitism when small (and large) web publishing advocates say “own your content.” And as you say, in some parts of the world Facebook and its messaging properties are the only available media for business and government (and also, evidently, human trafficking and organized crime!)

But the point of “own your own content” isn’t necessarily to have your own bespoke WordPress website. Instead it’s to… well… own your content. Preferably across a range of platforms.

In my experience as a WordPress support specialist, Facebook (or Amazon, or Google, etc.) outages are very rare compared to even very well-run individual websites. 99.9% uptime still means about 8 hours of downtime per year, right? So it would be risky to publish only on WordPress as well!

I still recommend that people have their own websites, not because they’re more reliable or more popular but because it’s a great foundation for the COPE/CORE publishing strategy: Create Once Post/Repost Everywhere.

It doesn’t necessarily matter where you create your content. Twitter is great for short messaging. Tumblr and Tiktok are surprisingly usable. Matt Mullenweg’s commercial but largely free is fine too. Even Facebook can be ok if you’re able to finesse their algorithms and/or pay to boost your posts, though unlike any of the above it’s harder to get a reliable permalink for cross-posting. Same with Weibo, Zhihu, Pinterest, Wix, etc.

But mostly it’s a good idea to cross-post your content to multiple platforms. Create your content somewhere and paste links elsewhere so they won’t get lost. Or filtered. Or censored. Or “shadowbanned.” WordPress is quite good for all of that that but as I’ve said it doesn’t have to be the only place.

Finally, as far as affordability goes, the WordPress Hosting group on Facebook (ironic I know) is filled with discussions of people using and troubleshooting $1/month hosting in places where SiteGround or Cloudways are extravagant luxuries. So it’s not as though WordPress is completely out of reach.

I definitely get your point, but I think it’s still ok to say own your own content. Even if sometimes that only means control your own content.