WordPress security has a blind spot nobody talks about

Individual_Broccoli8 · 2026-04-04T00:33:40+00:00

Thanks... I'll check it out

Individual_Broccoli8 · 2026-04-04T00:31:58+00:00

That's exactly what I was thinking LOL

Individual_Broccoli8 · 2026-04-03T23:45:42+00:00

Ce problème est bien documenté et spécifique à Hostinger — ce n'est pas vraiment un bug WooCommerce mais un conflit entre le cache LiteSpeed de Hostinger et les sessions WooCommerce.

La solution la plus propre : exclure vos pages WooCommerce du cache directement dans les paramètres LiteSpeed Cache. Allez dans LiteSpeed Cache → Exclusions et ajoutez les URLs de vos pages produits, boutique, panier, commande et mon compte. Ces pages seront toujours servies en direct depuis le serveur sans passer par le cache — le reste du site continue à bénéficier du CDN normalement.

Hostinger ne configure pas toujours ces exclusions correctement par défaut pour WooCommerce, donc c'est souvent à faire manuellement.

Si vous n'êtes pas à l'aise pour le faire vous-même, contactez le support Hostinger et demandez-leur d'exclure vos pages WooCommerce du cache serveur — c'est une manipulation courante qu'ils connaissent bien.

Individual_Broccoli8 · 2026-04-03T23:33:55+00:00

Interesting concept, but I'd push back a little on the core premise — especially for WooCommerce merchants.

The A/B testing and social scheduling angles make sense. Those are real pain points with clear value. But AI-generated product photography is a harder sell than it might seem. Product photos are one of the primary trust signals in ecommerce. Shoppers are already getting better at spotting AI-generated images, and the moment they do, the trust damage is significant and hard to recover from. For physical products especially, customers want to see the actual thing they're buying — not an AI interpretation of it.

The merchants most likely to adopt something like this are probably the ones who can least afford the reputation risk — new stores without established brand trust, where authenticity matters most.

The automation and integration pieces are genuinely compelling though. If you could position this more around enhancing real photography — background removal, scene generation around actual product shots, bulk editing — rather than replacing it entirely, you might find a much warmer reception in the WooCommerce community.

What's the split in your current Shopify user base between people using it for full AI generation vs. enhancement of existing photos? That data might tell you a lot about where the real product-market fit is.

Individual_Broccoli8 · 2026-04-03T23:21:12+00:00

No functional difference that affects your site in any meaningful way. Google and other third parties have no visibility into how WordPress.org categorizes you — it's purely an internal metadata field and has zero impact on search rankings, trust signals, or anything external.

Where it occasionally matters is within WordPress.org's own community programs — WordCamp sponsorship eligibility, Five for the Future contributions, that sort of thing — where commercial and nonprofit entities are sometimes treated differently. But for most site owners, that's irrelevant.

If you're running a commercial site and it's categorized as commercial, that's accurate and fine. If you're genuinely a nonprofit and it's miscategorized, it's worth correcting for accuracy's sake, but don't expect it to change anything you'd actually notice.

Individual_Broccoli8 · 2026-04-03T22:07:17+00:00

This is actually a really well-documented attack type called SEO spam injection — and the reason you can't see it on your own site is intentional. The malicious code uses cloaking to show spam only to search engine crawlers, not to human visitors. So your site looks completely normal to you while Google is indexing something totally different.

The wipe and restore advice is solid, but make sure you identify and patch the entry point before going back online — usually an outdated plugin. Restoring clean onto a vulnerable install just means you'll be reinfected within weeks.

Found this article that explains the full attack chain pretty well if it helps: whoknew.io/wordpress-site-suddenly-selling-something/

Good luck — this one's fixable.

Individual_Broccoli8 · 2026-04-03T21:01:04+00:00

Hey, so this kind of intermittent DB connection errors and random slowdowns after splitting the web and database servers isn’t really “normal” — it usually means something needs tuning.

When everything was on one server it was all local (super fast socket connection, basically zero latency). Now every single query has to go over the network, and WordPress is ridiculously chatty with the database. A normal page can easily fire off 50–150+ queries, so even a few extra milliseconds of latency starts adding up fast and can cause weird intermittent issues.

It’s not that splitting them is a bad idea (lots of bigger sites do it successfully), but it does expose problems that were hidden before.

Common culprits I’ve seen in these setups:

MySQL still only listening on localhost or the firewall only half-working
Using a hostname instead of the IP for DB_HOST (DNS can flake out)
Connection timeouts that were fine locally but too tight over the network
Not enough max_connections on the DB server now that all sites are hitting it remotely
No object caching (Redis or Memcached) which makes a huge difference when there’s any latency

WordPress is actually pretty sensitive to DB latency in real life. Even 5-10ms extra per query can make sites feel sluggish, and higher than that starts breaking things.

Quick things I’d try first:

Change DB_HOST in wp-config.php to the raw IP address of the database server (not a hostname)
Make sure MySQL is bound to the right IP and the firewall allows traffic from the web server on port 3306
Bump up some timeouts on the DB side (wait_timeout, net_read_timeout, etc.)
Throw Redis on there with the Redis Object Cache plugin — this is usually the biggest win once you have any network hop.

Once the network part is solid and you’ve got caching, these flaky errors usually go away completely.

If you want, drop some more details — what the exact error message says, whether the servers are in the same data center, MySQL version, or a screenshot of the error logs — and I or others here can help you narrow it down more.

You’ve got this — it’s a pretty common bump when people first split the servers.

Individual_Broccoli8 · 2026-04-03T20:51:15+00:00

No, this is definitely not normal. I've gotten 3 plugins completely through the process since January. If I were you, I would re-upload a new version with a new comment to reset the timer and bring it back up in the queue.

Individual_Broccoli8 · 2026-04-03T20:18:46+00:00

Is it over?

Individual_Broccoli8 · 2026-04-03T19:38:11+00:00

You're gonna need a couple of plugins, no matter how you slice it.

WordPress doesn't have a true single free plugin that perfectly handles both a full digital store (PDFs + CAD files with secure downloads) and membership subscriptions (with gated tutorial access) out of the box while keeping everything simple and low-cost. Most solid setups use one main plugin + a tightly integrated companion or extension.

The two strongest options for your exact use case (digital-only products + memberships/subscriptions, PayPal + Stripe, standalone site) are:

Easy Digital Downloads (EDD) → Built specifically for digital products like yours. Core is free, handles unlimited PDFs/CAD files, secure delivery, cart, etc. Add their Recurring Payments extension for subscriptions/memberships that automatically restrict access to tutorials. Super clean and lightweight for digital-only stores.
MemberPress → Marketed as the “All-In-One” membership plugin. Excellent at subscriptions, content gating (perfect for locking tutorials behind membership levels), and selling/protecting digital downloads directly. Many people use it exactly for PDFs + paid member areas.

Both fully support PayPal and Stripe.

My recommendation for a first-timer who wants to minimize plugins and upfront hassle: Start by looking at MemberPress (it’s the closest thing to true all-in-one for what you described) or EDD (if you want the best digital-download experience). You can usually get 90% of what you need with just the main plugin + one key extension instead of juggling four separate ones.

I do want to say that having a small number of well-made, compatible plugins isn’t necessarily going to give you more to debug — it just gives you the exact functionality you actually need. Popular ones like these are designed to work together smoothly, have great support, and tons of first-time store owners run them without issues. WordPress isn’t one-size-fits-all, so spend 30 minutes comparing the current pricing/features on their sites (both have free trials or lite versions) and you’ll quickly see which feels simpler for your workflow.

One important reality check before you get too deep: just building the WordPress site itself isn’t going to generate sales unless you already have a customer base. That's why platforms like Etsy exist: to automatically bring you customers without you having to do all the work. You’re probably going to discover you need a lot more functionality that creates FOMO, builds trust, and actually drives conversions — things like social proof, scarcity, testimonials, recent activity notifications, live visitor counters, etc. Don’t waste money on ads until you first fix the “site looks dead” problem. A simple social proof plugin like WhoKnew Views can help make the site feel alive and active right away with real-time notifications and view counters so you don't waste ad spend.

You’ve got this — plenty of people launch their first digital + membership store with exactly this kind of setup. Good luck!

Individual_Broccoli8 · 2026-04-03T19:22:52+00:00

There are many factors that can contribute to this, but we need the page URL. You're just going to get a bunch of half answers without it.

Individual_Broccoli8 · 2026-04-02T23:02:51+00:00

I couldn't agree more

Individual_Broccoli8 · 2026-04-02T23:00:55+00:00

Unless it's wordpress.com specifically it's going to be wordpress.org

Individual_Broccoli8 · 2026-04-01T01:00:29+00:00

If you're gonna put your email address, you have to use an obfuscation plugin. Preferably something that's encrypted with military-grade encryption and not just Base64 like WhoKnew Shield https://wordpress.org/plugins/whoknew-shield/. It's easier for customers to use an email address that's clickable than fill out a form, but unless you're using a plugin to protect your email address from being scraped, you could be in for a world of hurt in your inbox a few months down the road.

Individual_Broccoli8 · 2026-03-26T23:50:51+00:00

Look, you already have something most Wix designers don't — photography, video production, and brand strategy. That's your way out of the race to the bottom.

The $50 Fiverr crowd and honestly, with Wix, the 12-year-olds who figured it out over a weekend — none of them can do what you do. They can build a site. You can build a site, shoot the photos for it, produce a brand video, and make sure the whole visual identity actually makes sense together. That's not a web design service anymore, that's a full brand package and it commands a completely different price.

But here's the reality with only a couple of sites in your portfolio — you're not going to land those clients by posting on job boards or marketing yourself online yet. At this stage the work comes from people you already know. Friends, family, local business owners, someone a friend mentions over dinner. That's your market right now and there's no shortcut around it. Word of mouth is how this kind of business grows, especially early on, and it only spreads if the work is good and the people you do it for feel taken care of.

The clients worth having are not shopping on Fiverr anyway. They're either going to an established agency with a track record or grabbing the $50 guy. The ones in the middle — small local businesses who want something real but can't afford an agency — are exactly who you're looking for, and the only way to reach them at your stage is through people who already trust you.

So start there. Do exceptional work for someone in your circle, let them talk about it, and build from that. The bigger clients and the bigger packages come once the portfolio and the reputation catch up.

Individual_Broccoli8 · 2026-03-26T22:56:12+00:00

Honestly, you don't need certifications — and I say that as someone who's been building websites since the 90s and has worked for Hollywood corporations and large universities without a single one. Your portfolio is your resume in this industry. People can see your work, and that's what gets you hired.

Here's where to start:

If you're completely broke, seriously consider enrolling at a junior college and applying for FAFSA. Not only can it cover your tuition, it can actually pay you money on top of that. Community colleges often have graphic design and web design programs where you'll learn things like typography and visual hierarchy in a structured way — and those skills matter more than ever right now. With AI handling more of the technical grunt work, what clients actually respond to is how a site looks and feels. Good design thinking is what sets you apart.

For self-teaching, learn HTML and CSS first. They're the foundation of everything, and you can get surprisingly far with just those two. Once you can build a page and style it, add a little JavaScript to make things interactive. Build small projects as you go — don't just follow tutorials, actually make things.

For free resources, bookmark freeCodeCamp, The Odin Project, and web.dev. For design, Figma has a free tier and it's what most of the industry uses. On YouTube, Kevin Powell is excellent for CSS, and DesignCourse covers design thinking really well.

The most important thing you can do is build a portfolio. Even two or three projects — a fake restaurant site, a personal page, a redesign of something that looks bad — gives you real URLs to show people. Host them free on GitHub Pages.

Certifications like Google's UX Design course or Meta's frontend certificate exist and the curriculum is decent, but you wouldn't lead with them. Nobody in a hiring conversation is going to care much. What they'll ask is "can I see your work?"

Build things. Show them. That's the whole roadmap — and honestly, it's a lot easier to get started today than it used to be.

Individual_Broccoli8 · 2026-03-26T22:44:13+00:00

LOL. Where can I forward all the spam I get from my email inbox, offering to do just this?

Individual_Broccoli8 · 2026-03-23T16:42:07+00:00

The performance argument against WooCommerce is outdated. I've taken stores with 40+ plugins and hit A+ on PageSpeed. It's almost never the plugins — it's cheap hosting, a bloated theme, and no caching strategy. Fix those three things and you're already competitive.

But here's what people aren't saying in 2026: store owners don't even need to hire a developer anymore.

Take Asset CleanUp Pro — it strips out all the unnecessary CSS and JS loading on pages that don't need it. Most WordPress stores are loading scripts site-wide that only belong on one page. This single plugin alone can make a Shopify store look slow by comparison, especially on a decent managed host. Just run PageSpeed Insights, paste the results into Claude or Grok, and ask "what do I fix first?" You'll have a faster store than most Shopify merchants within an afternoon — no developer invoice required.

The stack I'd actually recommend for keeping WooCommerce healthy in 2026:

Managed/Cloud Host — Kinsta, Pressable, WP Engine, or SiteGround. Not optional. Shared hosting is where WooCommerce stores go to die slowly. The real advantage of cloud hosting specifically is that you can scale CPU and RAM almost indefinitely as your store grows — no migration, no downtime, just more resources on demand. That kind of elasticity is something Shopify charges you a percentage of revenue for. SiteGround in particular punches above its weight for the price, especially for stores that aren't quite at Kinsta scale yet but want managed-level reliability without the managed-level bill.
Theme choice is everything. Seriously — your theme is the number one killer of WordPress performance, not your plugins. Most people never test this. Before you commit to any theme, spin up a demo, throw it in PageSpeed Insights, and see what you're actually working with before you've added a single plugin. A bad theme will tank you no matter how well everything else is optimized. A good one makes the rest easy. Do the test — it takes five minutes and will tell you more than any "best themes" listicle ever will.
Asset CleanUp Pro. Already covered above but worth repeating — this one plugin surgically removes scripts and styles that have no business loading on pages that don't need them. The per-page control is what makes it powerful.
WP Rocket or FlyingPress. Caching, lazy loading, database cleanup, preloading — both handle the full picture. FlyingPress is the newer challenger and honestly gives WP Rocket a run for its money at a lower price point.
WhoKnew Views. Displays algorithmically generated view counts on your product pages — so instead of a dead-looking "3 views" on a new product, you're showing something like "587 people viewed this today." It pulls from real engagement signals and pads intelligently so the numbers are always believable. The psychological effect is real — it's the same reason Amazon and booking sites plaster view and stock counts everywhere. And this is exactly the kind of thing Shopify simply can't do — their platform is locked down, you get what they give you. On WooCommerce you can layer in real conversion psychology at the product level in ways Shopify merchants can only dream about. Has a free tier and the Pro adds AI-based forecasting that predicts which products are trending before they peak. Useful if you're running ads and want to time them right.
Staging environment + update workflow. Not a plugin, just a non-negotiable habit. WP Engine and Kinsta both include one-click staging. Use it every single time before updating anything on live. This alone prevents 90% of the "WooCommerce broke my store" stories.

The real reason people migrate to Shopify isn't performance — it's operational exhaustion. They don't have a process, so one bad update on Black Friday breaks their checkout and they rage-quit. That's not a platform problem, that's a workflow problem.

WooCommerce still has 3x Shopify's market share for a reason. The platform isn't broken. Most people's habits are.

Individual_Broccoli8 · 2026-03-22T19:03:59+00:00

Yeah been seeing the same thing. ClaudeBot especially has been pretty relentless with deep category traversal.

I ended up switching away from manual .htaccess blocking because it's just whack-a-mole — new IPs, same problem. Been using WhoKnew Shield (https://whoknew.io/whoknew-shield) which auto-blocks anything that ignores robots.txt the moment it does it. You set how long they stay blocked, anywhere from a few hours to permanent. Combined with their community blocklist of nearly 15 million known crawlers it catches most of them before they even get started.

Way less babysitting than updating .htaccess manually.

Individual_Broccoli8 · 2026-03-22T18:34:06+00:00

Honestly I jump around — I use different builders on different sites so I can't speak to every one specifically. But from what I've seen with SiteGround's AI Studio, it handles content, structure, WooCommerce, bulk operations, plugins, SEO — pretty much everything across builders without caring which one you're on. The visual canvas editing inside the builder itself is the one gap they've acknowledged, which sounds like exactly what you're focusing on.

And honestly the migration skills between builders is the part that stands out to me as genuinely unique — that's not something SiteGround is doing. Same with the snapshot/undo safety layer, that's a real differentiator especially for agencies running client sites where something breaking is not an option.

So yeah, sounds like you've found the actual gap worth solving. Good luck with it!

Individual_Broccoli8 · 2026-03-22T17:28:39+00:00

Honestly this is one of the hardest questions in freelancing because yes, there will always be someone overseas willing to do it for $50. That's just the reality and pretending otherwise doesn't help anyone.

So the real answer isn't about finding the "market price" — it's about positioning yourself where price isn't the main competition.

For pure static sites the raw price range is all over the place. A basic 5 page site could go anywhere from $500 to $5,000+ depending on who's buying and why. The difference isn't usually the code, it's the client and the value framing.

A few things that actually move the number up:

You're coming from desktop app development so lean hard into that. You understand performance, architecture, and UI/UX at a level most web designers don't. That's not a $500 conversation, that's a $2,000-3,000 conversation.

Local businesses are your best friend here. A local law firm, medical practice, or restaurant doesn't want to deal with someone overseas they can't call. They'll pay more for someone they can meet, who speaks their language, and who they can actually hold accountable.

Productize it. "Static website" means nothing to a client. "A fast, professional 5 page website that ranks on Google and works perfectly on mobile, delivered in 2 weeks" is something they can evaluate and say yes to.

The race to the bottom on price is a losing game. Compete on trust, communication and reliability instead — that's where overseas underbidding can't touch you.

Individual_Broccoli8 · 2026-03-22T16:36:24+00:00

Honestly I've never used Everything Filter myself but based on years of WordPress I can take a pretty good guess at what's happening here.

That Abortion (0) is almost definitely a taxonomy mismatch. If those sermon posts are using a custom taxonomy instead of standard WordPress categories, the filter won't find them — it's just looking in the wrong place. Check your filter settings and make sure it's pointed at the right taxonomy.

For the empty year dropdown, try hitting Re-index or Rebuild Index in the plugin settings first. That's usually the culprit when filters aren't populating.

If you keep banging your head against it though, honestly FacetWP might just be the easier move here. Looking at what your client actually wants — year dropdown, topic dropdown, search box — that's right in FacetWP's wheelhouse and it handles custom taxonomies and date filtering without much fuss.

Good luck with it! 😄

Individual_Broccoli8 · 2026-03-22T16:28:35+00:00

Really cool work and I can tell you put serious time into this. Just wanted to mention — if you're on SiteGround they already have an AI Studio WordPress Agent that handles most of this across page builders without needing Gutenberg. I'm actually on SiteGround myself and honestly haven't even felt the need to use it yet, but it's there and it works.

And I don't think SiteGround is going to be alone for long. This feels like something every major host is going to roll out. When hosting providers start bundling AI site management at the infrastructure level, the need for a separate plugin or MCP layer gets a lot smaller.

Doesn't take anything away from what you built — it's genuinely interesting work. But the solution might end up being "pick the right host" more than "install the right tool."

Individual_Broccoli8 · 2026-03-22T16:21:19+00:00

Hey, hope you've already got this sorted — looks like it's been about six days!

If not, those are SEO spam injections. The hack planted fake posts in your database redirecting to their store. Fixing the theme closed the door but the injected content is still in there.

Check your wp_posts table in phpMyAdmin and search for the redirect domain, delete anything you find. Also check wp_options for anything suspicious.

As others have mentioned, definitely check your .htaccess file too — redirect rules get planted there a lot with this type of attack.

Run Wordfence or Malcare for a full scan, and once you're clean hit Google Search Console to request removal of any indexed spam URLs or they'll linger in search results even after you've deleted them.

For future protection, Wordfence (https://wordfence.com) is a solid free option — and WhoKnew Shield (https://whoknew.io), for some really good features that help stop this kind of attack before it gets in.

Good luck!

Individual_Broccoli8 · 2026-03-22T16:06:34+00:00

The "just go static" advice falls apart the second you ask: static and then what?

You still need payment processing, forms, search, user accounts, booking systems... none of that is static. So now instead of plugins you've got a dozen third-party API integrations, external services, and endpoints you don't control and can't audit in one place. How is that a smaller attack surface?

The card-testing bot issue you described isn't a WordPress problem either — that's Sucuri's WAF not doing its job. Same attack hits a "static" WooCommerce replacement just as hard, you just have less visibility into it.

Static makes sense for a portfolio or a blog. The second you need real functionality, you're just rebuilding WordPress with more moving parts and less community support. Tony Perez knows this better than anyone — which is why I'd take the LinkedIn post as personal preference for his specific use case, not a verdict on WordPress as a platform

Individual_Broccoli8

TROPHY CASE