Never leave a File Manager plugin on your WordPress website in the first place!

By David Innes, | September 2, 2020

A File Manager plugin can be a very useful tool when you need it, but you can say the same thing about a stick of dynamite! It’s not something you want to leave in the kitchen junk drawer in case you need it later!

David Innes, owner of

The ultra-tech website Ars Technica reported a serious problem with an already crazy-risky WordPress plugin. Let me quickly explain how to fix it:

Delete the $%# plugin File Manager plugin if it’s installed on your website!

Done? Good. Now let’s talk about why you really, really don’t want or need the WP File Manager, an FTP client plugin, or any other kind of tunnel-into-your-server plugins on your live WordPress website. (Or any other kind of website for that matter!)

Even if the plugin didn’t have coding vulnerabilities, if you can just breeze into your server configuration from your website then… so can anyone else who can get into your site! In other words, even if the code was 100% secure the feature would still be an intrinsic vulnerability.

It’s always going to be 100% safer, more secure, and probably more efficient to use your hosting company’s control panel or a secure SFTP/FTP tool to access, manage, and edit files on your server. It’ll be a separate login for one thing. For another, hosting companies tend to be waaaay more security conscious and attentive than anyone who might randomly access your website’s dashboard — with or without your permission.

Question: do I think the developers who create plugins like File Manager are bad, wrong, wicked, irresponsible, or dumb for creating inherently insecure tools like a File Manager?

No! Not at all! There are certain cases where you really might have no other way to access your file system:

  • you’re locked out of your server, for instance.
  • your hosting plan is so old and obsolete that their control panel is basically unworkable
  • you’re a contract developer trying to debug a particular issue for a client where you don’t have access to their hosting account and you’ve determined that the problem is with a file or directory that can’t be managed any other way.

Those are all really great reasons! But! They’re all really great reasons to install and activate the plugin, and then deactivate and uninstall the plugin the minute you’ve done what needs to be done.

Want to know the real reason 700,000 WordPress websites have the FileManager plugin installed on their website?

  • Because they thought they might need it later
  • They (or their developer) added it because they needed it while they were setting up the website but then never got around to removing it

Those are really bad reasons. A File Manager plugin can be a very useful tool when you need it, but you can say the same thing about a stick of dynamite! It’s not something you want to leave in the kitchen junk drawer in case you need it later!

Oh yeah, and on the offhand chance you’re actually using the File Manager plugin and you don’t want to delete it? Log in to your site and update it — the update at least appears to have fixed the code vulnerability. (If not the inherent vulnerability.)


If you get email from GSuite saying remove links (you’re probably ok)

By David Innes, | August 13, 2020
Rusty Chain - #57 by Flickr user Melmark44
Photo: Rusty Chain – #57 by Flickr user Melmark44

First things first: if you got a confusing email from GSuite that says something like “[Action Required] Remove internal links to the G Suite Domain Contact page for your organization” don’t panic!

Bottom line up top: They’re just recommending that you clean up any old links to an out-of-date service that you probably weren’t aware of and almost certainly never used.

The rest of this post is a more detailed explanation, a little more reassurance, what to look for (just in case), where to look, and… a little more reassurance.


If you use Google’s GSuite for Business for email you may have gotten confusing email from them. Here’s what the email says and I’ll tell you what to do about it

Subject: [Action Required] Remove internal links to the G Suite Domain Contact page for your organization

Dear G Suite Administrator,

You are receiving this email because users within your organization may have active links within their documents, websites, scripts, or applications that go to Google’s G Suite Domain Contact page. On August 31, 2020, the Domain Contact page will be removed, since it contains the Admin contact details of Google’s customers. If your users don’t remove internal links to this page in their resources, the links will break as of August 31, 2020, resulting in a “404 Error” code.

What do I need to do?

Instruct your users to remove the following Domain Contact page link within your organization’s internal documents, websites, scripts, or applications:<domain-name>/DomainContact.

You will need to provide your users with the <domain-name> for your organization and send them the following step-by-step instructions:

  • To remove the Domain Contact link, follow the steps below:
    • Step 1: Open your internal documents, websites, scripts, or applications.
    • Step 2: Search for any links that reference<domain-name> with your domain name filled in for <domain-name>.
    • Step 3: Look for links that contain DomainContact.
    • Step 4: Remove each link.
    • Step 5: Replace the link with a tested, live link to a document or website.
    • Step 6: Save your document, website, script, or application.

What if I don’t do anything?

Google is not providing a redirection link for the G Suite Domain Contact page. This may cause a 404 “Page Not Found” error when your internal users attempt to use documents, websites, scripts or applications that rely on the link.

Your domain-names(s) listed below are affected:

  • Domain:

How can I get help?

If you have additional questions or need assistance, please contact G Suite support. When you call or submit your support case, reference issue number 151080983.

Thanks for choosing G Suite.

—The G Suite Team

What to do if you think maybe you ever did link to Google’s “Domain Contact” service page?

Well. First of all if you did have a link you probably know it! Or more accurately, if you did have a link your company’s probably big enough that you have an IT specialist and they know about it.

What to look for

But just to be sure, as the directions say, to search your site for links that look like

Then remove those links

Places to look:

  • Your “contact us” page
  • Other pages for or about current clients or current employees
  • Other pages (unlikely)
  • Blog posts (unlikely)
  • “Social” links at the top or bottom of every page (possible)
  • Other links at the bottom of your page (possible)
  • In sidebar widgets (slightly more possible if your site is so old it still has sidebars!)

While you’re at it

  • Remove any Google+ links you find, because Google+ is also obsolete

But really, don’t worry. As I said all the way at the top, the folks at GSuite just recommending that you clean up any old links to an out-of-date service that you probably weren’t aware of and almost certainly never used.


How cheap is “cheap” hosting vs a “cheap” VPN?

By David Innes, | July 3, 2020
cheap photo

Photo by H.L.I.T.

In a private Facebook group for WordPress hosting someone who’s trying to save as much money as possible asked a specific question about two hosting plans. They’d initially bought a plan from commodity provider HostGator but had been advised to switch a more premium SiteGround account. It was time for them to renew on SiteGround and they wondered if they could just go back to HostGator since it’s cheaper. (They’d never closed their HostGator account.

For some participants in that group the answer to any question (including “what’s your favorite color” will be “Cloudways” or “GridPane” or some other manager for virtual private server companies like Digital Ocean, Linode, Vultr, etc.

Being fairly new the original poster asked “thanks. Is Digital Ocean a host company?”

The rest of this post answers that question and considers the overall likely costs before getting back their actual, original question

What is a VPS and what is a VPS manager?

Digital Ocean hosts virtual private servers (VPS.) Very good, very fast, very inexpensive. Also very “bare metal.” Typically you have to setup the server as well as the website. Their support is almost exclusively related to “does the basic operating system boot and run.” If you’re comfortable doing Linux system administration then a plain Digital Ocean VPS would be a very good choice.

The recommendations above are to subscribe to a company that will setup, maintain, and monitor a VPS from a provider like Digital Ocean. Three commonly-mentioned companies that will do that for you are Cloudways, GridPane, and ServerPilot. There are a number of others. The pricing for those varies but it tends to roughly double what the base VPS would cost.

Depending on your hosting needs this is often as much as or more than you’d pay for HostGator, and often more than what you’d pay after renewing SiteGround.

Comparing Cloudways, SiteGround and HostGator pricing

For instance the least expensive offering from Cloudways is $10/month for a single Digital Ocean “droplet.” The regular price for SiteGround’s “startup” hosting is $11/month. HostGator’s “baby” plan, which is probably the lowest you’d want to go, is about $7.00 if their 60% discount expires.

Admittedly you’ll get much better performance out of a $10 or $20/month Cloudways/Digital Ocean server, and you’ll almost certainly get better performance and more security from an $11/month starter SiteGround account. But if price is really a bigger concern than performance, then to answer your immediate question, if your site will actually run on your HostGator then that really would be the cheapest option.

Accounting for domain name registration when considering hosting prices.

As for your domain, domain names are separate from hosting the way a phone-book listing is different from a phone. The domain name is just a friendly way to point to your server’s hardware address. Moving domain registration from one company to another is relatively tedious, plus you have to pay the new registrar even if you still have time on your old one. So most people don’t bother — they just point the domain to the new server instead.

Some hosting companies will waive the registration fee if you buy hosting from them. If HostGator gave you a free registration and you drop your hosting plan with them then they’ll begin charging you their regular registration fee when it’s time to renew. So that’s another cost consideration.

Cloudways, GridPane, and Digital Ocean don’t do domain registration, so if you went with them you’d still be out the ~15 dollars U.S. for domain name renewal on top of whatever you’d be paying them. Same for email, incidentally, as none of them offer free email either. If you go with SiteGround or another hosting company you can transfer the domain over to them… but they may or may not offer “free” registration for a transferred domain.

Lots of information, I know. But, again, if you’re really scraping the barrel for cash then switching back to HostGator will save you the most money. But, again, almost certainly at the price of considerably reduced performance.

Note: While none of the links, above, are affiliate links (meaning we don’t get kickbacks or click-based revenue for linking to them) RealBasics does like, use, and recommend both SiteGround for shared hosting and Cloudways for VPS management. The links below are affiliate links, which means if you use one of those links the price to you will be the same but RealBasics will get a small commission.

  • SiteGround Blue-ribbon shared hosting — very well reviewed, very well respected, innovative and responsive. Their initial 1-3 year signups are heavily discounted but we strongly feel their higher regular prices are very much worth it. Check out SiteGround shared hosting
  • We’re a little late to the VPS market as most of our small-business clients don’t need the kind of horsepower you can get with a good VPS.  And to be honest, until fairly recently managing your own VPS involved considerable system-administration skills — something we rarely see in non-technical professions.  That’s where Cloudways comes in!  They take care of the nuts and bolts server security and management tasks!  Another cool thing about them?  Since they’re only managing servers you can sign up with a healthy array of very powerful world-wide cloud-service providers like Digital Ocean, Amazon Web Services,  Linode and Vultr, and Google CloudPlatform!  Unlike smaller and shared-hosting services that can “run out of room” as your business grows, with Cloudways you can scale your website to handle truly gigantic traffic. Check out Cloudways managed VPS hosting

Tips for converting a Visual Composer or similar website

By David Innes, | June 24, 2020
Example of a page after deactivating a shortcode-based page composer (Fusion Builder in this recent example but Visual Composer shortcodes are very similar.) It’s usually better just to rebuilt but this post explains that you can clean it up.

This post is a little bit “in the weeds” for regular business owners, but this might come in handy for more adventurous do-it-yourselfers and less-experienced WordPress professionals.

On a closed Facebook group for WordPress users someone asked

I’ve never converted a Visual Composer website to [another page builder.] I imagine it is a total rebuild from top to bottom? Any ‘best practices’ to convert a site that used VC?

Rebuilding usually is the best bet with shortcode-intensive page composers, though in some circumstances the following information might be helpful. All might not be lost but it can be a bit of a pain if you don’t know where to start.

It’s never a bad idea to rebuild from scratch, since Visual Composer most often comes included in “shovelware” themes that have all sorts of other less… necessary plugins, post types, and “demo” content.

I’ve done seven or eight conversions from shortcode-based page builders or Themes (Visual Composer, Aveda, Divi.) The good news is that the shortcodes tend to come in giant chunks.

The other good news is that DIY and low-cost “professional” sites made with Visual Composer rarely use too many features. These kinds of tools tend to be complicated, so most do-it-yourselfers tend to keep it simple.

The following steps will work for converting to other page builders or Gutenberg blocks, or even plain-old classic pages. So if the site isn’t too weighed down you might try the following:

  • Disable Visual Composer and any VC-related helper plugins
  • Add your page builder if you’re using one
  • Open a page with the editor of your choice
  • All the old content will be in one giant text or “classic” module
  • There will be acres of [shortcode] blocks.
  • With just a little bit of practice you can figure out what’s inside the shortcodes — it’s usually an opening block, headers, images, or sometimes column blocks.
  • Cut everything out that doesn’t look like real information (e.g. header text, image links.)
  • Next, you’ll need to re-apply header formats and re-insert images from the Media Library. If it’s an information-only page that may be all you need to do.
  • If the layout you’re copying is a little more complex you may need to add columns and edit/paste content from the main block into smaller chunks.
  • If the layout also includes dedicated module content — for instance galleries, slide shows, or contact forms that are built into Visual Composer — you’ll need to re-create those with new tools.

This is useful mainly for sites with lots of simple posts or pages. You’ll usually still have to rebuild the homepage, the contact page, and other “main” pages with more complex content. But I did it recently for a site with tons of reference pages and once you know what you’re looking for it can go pretty quickly.


Good reasons not to rely (completely) on backup from (even really great) hosting plans

By David Innes, | June 21, 2020
backup photo

Photo by tacker

So another participant in a private Facebook group for WordPress users echoed something I’d said about the importance of making your own backups.

Similar to David Innes I use [a commercial backup plugin] for Scheduled backups ([cloud-based storage firm] is my choice, but there are many others)…
And a lot of people when backups have been discussed say “why should I do my own backups when my hosting company does it for me?” – my answer is trust no-one! Make sure you have reliable backups that you have 100% access to in the case of an emergency situation!

Member of a private Facebook group for WordPress users

It was a great point and here’s how I followed up

Yes! Trust no one is awesome advice when it comes to backups! 😂

(Somewhat) more seriously, virtually all hosting companies do daily backups, and all the halfway decent ones store the daily backups for 30 days. That’s a welcome change.

Less welcome is that they tend to be restore-only backups, meaning you can’t download and archive them. (This makes sense because to save space and processor resources they tend to be incremental rather than complete.)

The downside of that is that after 30 days the backups evaporate. To be fair, if something goes sour pretty much anybody is going to notice within 30 days. But!

  1. Ransomware often takes that into account and can hold off announcing for 3 or more months!
  2. With modern caching (CDNS, host-based, etc.) a site’s back end can be totally snarled for weeks or (for one prospect who contacted me) months while still “working” just great on the public side.
  3. Oh, finally, since I do a lot of emergency-repair work (I really enjoy helping people get back online) I’ve had quite a few clients who don’t notice their hosting account has expired till it’s gone, and I’ve had two clients whose whole hosting provider has shut down and never restarted! In all those cases, server-side, and server-stored backups disappear too.

Anyway, just can’t overstate how important it is to have your own complete, restorable archives in one or more safe places (not just on the server.) Or how important it is to keep copies for at least a year, just in case.

Here’s when RealBasics makes and downloads a backup for our clients

  • Manual backup before we start working on their site for the first time (stored for at least three years)
  • Manual backup before we start working on their site the next time (stored for at least three years.)
  • Automated daily for maintenance clients (stored offsite for about 2 weeks)
  • Automated weekly for maintenance clients (stored 156 weeks, a.k.a. three years.)

Bottom line: hosting-plan backups are great. Good hosting companies do the right thing and keep 30 days of daily backups. Restoring from a server backup is almost always dead easy. And…

You still can’t ever have enough good backups!


Scam: threatening email or contact-form spam from “Melissa”

By David Innes, | June 10, 2020

Our standard maintenance plan includes one hour of consulting a month. In the last couple of days several maintenance clients have contacted me after receiving scary, threatening “copyright infringement” messages coming from their contact forms or other sources.

Here’s one example. Note the suspicious elements.

And here’s another, note the similar email address? Others I’ve seen are So it’s a pattern. The email addresses may also be spoofed.

Name: Melissa
Phone: 14161744402
Hello there!

This is Melissa and I am a qualified photographer.

I was puzzled, to put it nicely, when I came across my images at your web-site. If you use a copyrighted image without my approval, you must be aware that you could be sued by the owner.

It’s illicitly to use stolen images and it’s so filthy!

Check out this document with the links to my images you used at XXXYYYZZZ.XYZ and my earlier publications to get evidence of my copyrights.

Download it now and check this out for yourself:

If you don’t remove the images mentioned in the document above within the next several days, I’ll write a complaint on you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.

“It’s illicitly to use stolen images and it’s so filthy!” It’s misspellingly too! That’s actually fairly common for scammers — they’re not interested in replies from people with great English skills. Or skeptical ones. They want suckers!

Look. It really, truly, honestly is the case that you shouldn’t use other people’s images without permission on your website. And it’s true that you can be asked to take them down, and even penalized if you don’t. For that reason it’s a good idea to have some form of “receipt” for images you use — the URL you got it from, a notation that you either took the photo yourself, licensed it from a stock photo company, or with credit if you downloaded it from a free-to-use creative-commons source. You don’t have to publish the credits (though it’s always polite if you acknowledge free-to-use creators somewhere on your site.)

But it’s very nice to be able to say “oh yeah, #!%! you, I got that image legally from XYZ when someone sends you an actual legal takedown notice. Extra credit? You may be able to sue someone who sends you a false takedown notice!

Bottom line: While you might get real takedown notices if you really are using content that doesn’t belong to you, this “Melissa” character is a spammer and a scammer and you can safely ignore messages from them.

Big hats off to everyone who was smart enough to ask first before clicking that link!


Spring, 1998, building my first website with my son…

By David Innes (Admin) | June 6, 2020
That’s me and my 9-month old son, sitting at the kitchen table while I read one of my first books about HTML sometime in the spring of 1997.

It’s funny how much things have changed since I built my first website back in 1997 or so. It might have been for a hand-coded “blog” I tried to manage all in HTML (not a good idea, but WordPress and precursors like MovableType weren’t really a thing yet.) Or it might have been for an extended family calendar.

Either way they never really got off the ground. Registering a domain name “only” cost $300/year! (Down from $1,000/year!) From the only domain registrar on the planet. If you wanted to actually serve a website you had to have a computer and a static IP address… also a dedicated phone line since back then even DIY web hosting involved dialup access unless you were a really big institution. And that 283×283 pixel photo of the two of us? Back then that was daringly big!

Times have changed since 1997. My son’s now grown, out of college, and on his own! We no longer have to worry about Netscape Navigator 4.0. Or any version of Internet Explorer.

Somethings haven’t changed. For instance most people (up to 85% for some sites and almost all apps) are back to using their phones to access the internet! 😂

One thing hasn’t changed though. I still really enjoy working on websites! It never gets old.


What to look for in appointment-scheduling plugins for WordPress

By David Innes, | May 29, 2020
appointment photo

Photo by trendingtopics

On a WordPress-related Facebook group someone asked…

I’m looking for something similar to Schedulista that can do the following:
-Allow people to book appointments on a website
-Remove unavailable appointments in real-time
-Send SMS/Email reminders to people who book the appointments
-Create a calendar each employee can access from an app
-Open source to manipulate how it appears on a WordPress website
Any Suggestions?

I’ve had clients who use the cloud-based Acuity and Schedulicity appointment managers, and one client has had great success with the self-hosted BirchPress plugin. (No affiliate links, just tools clients have used.) I don’t have very strong opinions about which is best.

My advice is always to look for ones with a well-reviewed companion/connecting plugin for WordPress.

More important, no matter what you choose: look for two-way synchronization with your calendar apps whether it’s Google Calendar, Outlook, Cal, or whatever. It’s WAAAY easier to have the appointment scheduler that automatically blocks out time on your schedule when you have a doctor’s appointment or an unplanned day off.

Being able to enter an appointment once and having it automatically update to your schedule saves you from having to remember to enter those things in two places. Having new client appointments show up on your personal calendar makes sure you don’t overbook yourself with them!

This is all in keeping, by the way, with the internet-authoring goal to “Create Once, Publish Everywhere.” Something I spend a lot of time talking to clients about and really ought to spend more time blogging about as well.


About WordPress and image compression

By David Innes, | May 29, 2020

A contributor to a WordPress Facebook had a question about image compression:

 I have [an image-optimization] plugin installed to compress my images and I noticed while doing a bulk compression that there are multiples of the same image (in different sizes) that it compressed. I did not do this manually. It seems that something created multiple images in different sizes when I used one. Is that normal procedure or have I goofed royally?

Here’s how I answered

Yes, WordPress automatically generates multiple “thumbnail” images when you upload a photo. The defaults are 150×150 literal thumbnails for galleries, etc. But also 300px “medium” and (I think) 1024px “large” format. A few months ago it started generating hidden 1536px and 2048px thumbnails for… reasons?

Some themes (cough*themeforest*cough) will sometimes generate a dozen or more additional ones for very particular, often-little-used sizes.

it used to be a much better idea to limit the number of thumbnails generated (still is, actually, for those oddball 1900x75px banner liners a Themeforest theme might cook up.) But WordPress now sends lists of available image sizes to browsers so they can pick the smallest, most appropriate size for the user’s screen.

The result is more storage on your server, but sometimes very much faster page speeds for mobile devices.

The good news is that optimizing plugins like Optimole will process all the thumbnails as well as the originals. You might optimize the dickens out of your original uploads, but the server-based thumbnail generating routines WordPress has to rely on usually aren’t as efficient. So it’s a good thing when optimizing plugins do a pass on those as well.


Case Study: Converting an old page-builder website

By David Innes (Admin) | December 21, 2019

On a Facebook group for the Beaver Builder page builder, someone asked “Maybe a crazy question… Would it be possible to take HTML from another page builder and import into BB?” Here’s how I answered the question.

I did this just the other day (Thursday!) It was a horribly slow site built with an expired version of the popular but old-school Enfold theme/builder. The site broke into a shower of colorful code errors if you bumped the PHP version past the obsolete version 5.6.

So based on my recent experience the short answer is that yes, it does speed things up a little since you don’t have to re-type the content and it’s fairly easy to delete the enormous shortcode blobs that Enfold (and Divi, WP Bakery, etc.) create.

Partial screen shot of the site before disabling the old-school page builder.
Here’s a snippet of the page before the old-school page builder was disabled

The first thing to do is replace the current theme and disable whatever page builder they were using. (Often they’re intertwined so it’s hard to turn one-off without turning off the other.) In my case when I switched to the Beaver Builder theme the client’s site reverted to a whole mess of shortcodes.

When you turn off the original page builder all that's left is a huge amount of text enclosed in [brackets], a.k.a. "shortcodes."
The site was full of shortcodes after turning off the old page builder.

The shortcodes usually have identifying info in them — e.g. column widths, image filenames, colors, etc. And of course I was able to use the original live version as a reference. Between that and the leftover bodies of text it was pretty easy to delete the leftover shortcode text and rebuild the pages.

One big advantage, of course, is that the page and menu/navigation structures are intact. If you’re going to use widgets in your new design instead of Beaver Builder modules and/or the Beaver Themer plugin then you can simply re-add those from the “unused widgets” section of the Appearances->Widgets page.

Another big advantage, sort of, maybe, is that all the images are in the Media Library so it’s a matter of finding them (you can search by the filename if nothing else) and placing them. The downside, though, is that with older sites (this one was from 2016) the images are often too small to look good in full-width situations so I still had to do a little fishing for larger versions.

All in all I’d say it saved me two or three hours on the project.

But there’s no way to do it automatically. (I’ve heard of plugins that will “re-interpret” shortcodes into simple WordPress elements but didn’t find one when I looked before starting the project.)

It’s actually pretty fun — good practice! But only slightly less work than rebuilding from scratch, copying and pasting content from the original site.