Jumpstart Your WordPress SEO with Yoast & Plesk SEO Toolkit

WordPress SEO - Yoast and SEO Toolkit

Now we’ve established that, if you want your website to succeed, you need to understand WordPress SEO and implement best practices. If you’re a WordPress admin, you might think SEO has all been taken care of. But while WordPress does cater for SEO to an extent, there’s still more you can do to improve your website’s performance.

To keep up, you’ll need tools that’ll help you audit your website, and monitor its performance continuously. For this, we recommend the Yoast SEO WordPress plugin and Plesk SEO Toolkit. So let’s dive into how to use these tools so they can get your SEO started right.

Yoast SEO WordPress Plugin

Yoast SEO WordPress Plugin

With more than five million installations and counting, Yoast SEO rightly claims to be the #1 WordPress SEO plugin. Since 2010, Yoast SEO has been helping WordPress site masters improve their search engine rankings. Yoast SEO is among the top four downloaded WordPress plugins, and is likely to be already installed on your WordPress.

Plesk SEO Toolkit

SEO Toolkit is a Plesk extension which uses the power of XOVI SEO engine. This tool helps website owners improve their website’s SEO, and track their performance. Plesk SEO Toolkit offers insights into website rankings in search engines, as well as social media reach. You can also compare your websites to main competitors, plus receive advice on how to best optimize your website to attract more visitors.

Plesk seo toolkit

Take off with Plesk SEO Toolkit

If you’ve got an existing Plesk installation, you can just login and go to Server Management > Extension. Then Find SEO Toolkit and click Install Now. You’re now ready to start with the free version of the extension. Alternatively, you can buy a license and install it through Server Management > Tools & Settings > License Management > Additional Licenses.

Start with Plesk SEO Toolkit

You can now access the extension at any time through the SEO Toolkit link in the main menu.

If you’re new to Plesk – no problem! If you like, you can Download Plesk free from here. Then install it on your internet host where your WordPress site is located. However, you can also ask your internet hosting provider to install it for you.

The cool thing about the Plesk SEO Toolkit is that it can take care of all your websites hosted on the server where it’s installed. You just need to tell it which website to connect to when you start:

  1. Navigate to SEO Toolkit
  2. Click Wizard
  3. Select the domain of your WordPress website
Domain selection for WordPress website
  1. Click Next. The tool will do a first audit of your website and present the results. You can now follow through the next steps. But, for now, we’ll quit by clicking Skip wizard instead.

Now whenever you open SEO Toolkit, you’ll have direct access to your website(s) with an overview of all important SEO statistics and messages.

SEO statistics

Installation for Yoast SEO

In WordPress – navigate to Plugins > Install new, find Yoast SEO, click Install Now, then Activate. You’ll see a new menu called SEO.

new menu called SEO

Now start the Configuration Wizard found on the Dashboard of the General page. It’ll show you all the relevant basic SEO settings step by step:

  1. Activate site for indexing through search engine spiders
  2. Select the type of site
  3. Enter information about the company represented for use in Google’s Knowledge graph
  4. Select whether pages should be shown in the search results. This controls which content will be included in the sitemaps (see discussion below in the section ‘Creating XML sitemaps’
  5. Select if there will be single or multiple authors
  6. Set up the template for page titles
Set up the template for page titles

Your basic settings are now complete. But you can return to the configuration wizard anytime if you need to change any settings.

Using technical WordPress tuning tools

Once installed, you’re finally ready to get down to the exciting business of SEO.

Connecting to Google Search Console

After adding your website to the search console, Google needs to verify your website belongs to you. Yoast SEO makes this easy:

  1. Choose the verification method HTML tag
  2. Copy the meta tag in the box
  3. In WordPress – open SEO > General > Webmaster tools
  4. Paste the code in the Google field and click Save Changes.
  5. Go back to Google Search Console and click Verify.

Google can run into problems with your site when indexing it. But the Google Search Console tracks and displays these errors, and alerts you whenever something critical happens. It can also guide you through possible solutions.

Creating xml sitemaps

It’s best practice to let Google know about the pages and posts you want indexed by submitting a sitemap.

Yoast SEO takes care of this automatically. You can verify this by:

  1. Navigating to SEO > General > Features
  2. Finding the toggle XML sitemaps and expanding the box
  3. Clicking on See the XML sitemap to view the file that was generated.

Yoast SEO will update your sitemap automatically when you add or remove a page, post or category.

XML Sitemaps

Creating Canonical URLs

Yoast SEO renders the correct canonical URL for almost any page type in a WordPress install automatically.

If you ever need to change it for a specific piece of content – be it a post or a page – you can do so in the content settings.

SEO Auditing with Plesk SEO Toolkit

Plesk SEO Toolkit enables you to keep tabs on everything SEO-related on your website.

The Site Audit feature lets you do a quick SEO check as a first step.

  • To start the site audit:

Click Wizard on the main page of SEO Toolkit, then select the domain you want to check and click Next.

The Site Audit will show you immediately if all of your important settings are correct.

settings are correct - Plesk
  • To do a complete scan:

Open up the domain tab on the main page and click Site Audit. Then click Rescan <domain>.

The scan can take some time to complete, depending on the number of pages your site contains. The results show as a summary of your site’s health.Below that you’ll find a detailed listing divided into Content, SEO and Technology. For each item, the tool displays the state (ok or error), the number of occurrences, and its importance.

The power of Site Audit is in the large number of details it checks automatically. On everything from blocked elements through to problems with indexation, server errors, issues with canonicals, loading time, and content audit. Noone could ever keep all of these in mind, let alone check them manually.

Seo Audit

You can drill down into every issue to find the exact place, setting or page where the issue was found, together with recommendations for solving the problem.

H1 missing - solving the problem

But there’s more! To help you keep track of all fixes, Site Audit creates tasks and task reminders for you.

Seo task reminders

Site Audit rescans your site automatically every 20 minutes. All you have to do is come back regularly to see if any issues need your attention.

SEO Auditing for Yoast SEO

It’s important to make sure that while your site changes and grows over time, you preserve its optimal state. Both Yoast SEO and Plesk SEO Toolkit can help you do this well.

If the Yoast plugin finds any issues with SEO on your site, it’ll show you a message on the dashboard. However, if everything is fine it’ll look like this:

SEO Auditing for Yoast SEO

Otherwise, you’ll see a warning message along with information on how you can resolve the issue:

Problems - resolve the issue

Getting your content right

Are you happy with the results so far? Now that we’ve covered the technical side of things, it’s time to use the power of these two SEO tools to create and optimize content.

1. Audit your Content with Plesk SEO Toolkit

SEO Toolkit’s Site Audit component runs periodic checks on your site, and your content. You’ll find all issues related to content on the Content tab in Site Audit. The Tasks component also helps you work on content issues by creating a list of recommended tasks to help you improve your site’s SEO. Actionable insights cover issues with duplicated content, defective links, missing H1/H2/H3, title tags, and more.

Audit your Content with Plesk SEO Toolkit

To quickly check on recent issues and stats – simply visit the start page of SEO Toolkit where you’ll see the overall health score, as well as the number of open and already completed tasks at a glance.

2. Optimize your content

Yoast SEO supports you with content creation right where you type it. So at the bottom of the page or post editor, you’ll see the Yoast Meta Box. From here, it’ll help you by analyzing your text and document settings on the fly and presenting you with any issues and recommendations it finds.

Optimize your content - Plesk

In the box, you’ll see an instant overall rating of how you’re doing in terms of SEO and Readability –  indicated by the red, orange or green icons.

3. Understanding Yoast’s SEO Analysis

In the section SEO analysis, you’ll find a list of all details checked and issues found, together with clear recommendations on how to fix them. This gives you an idea of which problems to tackle first.

3. Understanding Yoast’s SEO Analysis - plesk

The features in the Yoast meta box can also help you optimize the meta-information for a page or post.

Open the section Snippet Preview to check how your search result will look in Google SERPs. You can also edit and optimize the title and description.

snippet preview plesk

Don’t forget to create a highly-focused meta description – since this is the text Google uses to display a summary of your page in the SERP. Both the title and description have a recommended length, as indicated by the green or red line below the editor box. The SEO analysis tool also automatically checks the readability of your text, taking into account sentence length, use of active vs. passive voice, and the Flesch reading score.

Flesch reading score - plesk


Hopefully this guide proves that you can confidently tackle SEO yourself – with the help of two SEO tools: Yoast SEO and Plesk SEO Toolkit. Not only do these tools remove the burden of tweaking the technical aspects of SEO, but they also actively support you in creating fully-optimized content.

Next up: How to analyze your on-page SEO success for WordPress.

Gain traction with Google by checking keyword rankings, comparing your site with competitors and ensuring crawlers can do their job properly.

We’d love to hear your experience of working with Plesk SEO Toolkit or Yoast SEO. So let us know how they’ve helped you optimize your WordPress website in the comments below.

How Simplyyourself.online Found More Time For Their Clients

Simplyyourself.online Web Agency Success Story - Plesk

Miłosz Ryćko-Bożeński lives in Gdańsk, Poland and runs a Web Agency co-owned by his wife. Together they have over 40 years experience in all things internet-related. Most of their customers are small and mid-sized businesses (B2B) and Simplyyourself.online is responsible for clients’ websites. From design and brand creation to development to marketing strategy and campaign execution.

How Simplyyourself.online found more Time For Their Clients - Plesk
Miłosz Ryćko-Bożeński

Let’s be honest – nowadays it’s not too difficult to get into website building. One of the things that sets us apart from the freelancer and agency crowd is our focus on security, marketing and convenience. In our opinion it’s best for our clients if they focus on running their business instead of being distracted by creating or managing their websites.

Plesk WordPress Toolkit helped us create a product which fits the needs of a conscious market. Thanks to that, we can focus on giving value, sharing knowledge and helping our clients develop their online businesses. But it was not always smooth-sailing – Here’s our story.

How Simplyyourself.online partnered with Plesk

How Simplyyourself.online partnered with Plesk

"Without Plesk I wouldn’t have time to share my knowledge with my clients."

Two years ago, we decided to completely revamp the way our business runs. I wanted to find a solution that would allow me to utilize my wide range of technical skills. Plus offer me almost endless automatization.

At first, I was looking for free, open-source solutions. But then I found Plesk. And I fell in love with its possibilities right from the start. Plesk addresses the needs of people like me – understanding how crucial ease of use is. By pairing Plesk’s flexibility with my technical skills, I was able to create a highly automated product. Thanks to Plesk, my server ‘just works’.

"We love the transparency Plesk offers"

Another reason Simplyyourself.online loves Plesk is the transparency it offers.The market is full of agencies who offer websites and hosting, but don’t give clients access to the server or WordPress admin panel. In our opinion, such an approach is unethical. With Plesk we can continue to perform our tasks, while also giving our clients freedom of action, plus a sense of security.

"Plesk works

When correctly configured, it works uninterrupted."

Plesk works. This may sound like a simplistic description, but it’s one of Plesk’s biggest advantages. By simply working, Plesk allows me to focus on sharing my knowledge with my clients. And helping them to improve their business.

How our business has improved

How our business has improved - Plesk

Since introducing Plesk and DigitalOcean, business has improved for us in a number of ways. Especially since our cost have lowered, as have our stress levels – We have more time. Also we have a market advantage.

  • Cost reduction.

Before partnering with Plesk, I considered hiring a dedicated server administrator. But, with Plesk, this was unnecessary. As it gave me operational freedom, allowing me to manage everything easily myself. With more time to dedicate to clients, I was also able to significantly lower the costs of my services.

  • Time and stress. 

Thanks to Plesk WordPress Toolkit and Smart Updates, managing my clients’ websites is almost maintenance-free. Moreover, if I have any issues, I simply contact the highly-qualified Plesk team, who always give timely responses. No longer do I have to worry that something will stop working any moment. Now I can act with a ‘don’t touch a running system’ phrase in mind.

  • Market advantage. 

Our partnership not only saves us time, but also gives us a market advantage. With more time, I can now offer a wider range of services. So I can fully meet all of my clients’ needs, including beginners, as well as advanced users, who may want to use specialized tools, like, for example, Docker.

Simplyyourself.online’s bright future

Simplyyourself.online’s Bright Future - Plesk

We have exciting plans in the pipeline. As an ongoing project, we want to further develop our services, as well as provide 99.99% yearly uptime. Moreover, we want to work on implementing High Availability solutions, and eventually translate our offer into English. Another plan for the future is to become a Plesk partner, and help in the development of the WordPress Toolkit.

We hope to maintain our strong and trusted relationship with Plesk WordPress Toolkit and DigitalOcean going forward. With them on board, I can continue to save valuable time, and work on helping my clients improve their business instead.

Duetsoft Profits Grow by 25% Using Plesk WordPress Toolkit & DigitalOcean

Duetsoft success story with Plesk and DigitalOcean - Plesk

Khandaker Ikrama, owner of Duetsoft web development agency, sheds light on how Plesk’s WordPress Toolkit helps his agency work effectively. Managing custom development and web design for WordPress on multiple customer websites. Read the story of Duetsoft, Plesk and DigitalOcean below.

Why we partnered with Plesk

Why Duetsoft partnered with Plesk

My agency began as a very small company two years ago. At that time, the agency’s ability to deliver services was wholly dependent on me and my skills. However, I soon made the decision to scale my business.

The problem was that all my customer’s had different site and maintenance priorities. And, unfortunately, I didn’t have a team large enough to cover all of their needs well. So I needed to find a reputable company to outsource all of these maintenance tasks.

Plesk came into the picture when I read a piece of content on WPMayor about How To Manage Multiple WordPress Sites Efficiently.

When I realized I could keep over a dozen websites simultaneously updated and supported with Plesk, I was relieved. Now I could put that extra time towards other activities – ones which might net the company a higher profit margin.

“Automation is a term I was familiar with - in this context it simply means having software or a tool that can perform a routine job automatically, without the need for constant input.”

Moreover, the fact that, with Plesk, I wouldn’t need to hire and manage a lot of freelancers was a bonus.

Duetsoft’s smooth transition to Plesk

Duetsoft's smooth transition into Plesk

“Plesk is super easy to install and configure on DigitalOcean in just a few clicks.”

Getting started with Plesk was as easy as 1-2-3: We used the Plesk One Click App from the DigitalOcean Marketplace. Then started with one website on DigitalOcean. The first test website went really well, and it just grew from there. The transition going forward was just as smooth as the test and startup phase.

I can honestly say that testing new plugins, features and design ideas is easy with the WordPress Toolkit Extension. You simply test everything in a sandbox before publishing live on the website. Furthermore, you don’t need any extra plugins or separate servers for this – the WordPress Toolkit in Plesk manages everything.

“The WordPress Toolkit is an agency dream, giving you an array of tools for customization, management, security, hosting, and automation for all your websites and the infrastructure they rely on.”

Overall, our partnership with Plesk has been one of honesty and transparency. And we always receive timely responses. This enables my agency to make sure our clients always have support on everything from basic requests to Remote Management or Smart Updates powered by AI from Plesk’s Extension Catalog.

Business benefits for Duetsoft

Business Benefits

The initial goal in using Plesk and the WordPress Toolkit was to automate and offload WordPress maintenance tasks. However, I got much more than I originally bargained for. There were three key areas in which Plesk helped my agency grow:

1. Revenues increased with more clients

‘’Since we started working with Plesk on DigitalOcean, revenue has increased - a lot!”

It wasn’t only about making various WordPress maintenance tasks easier and automating them as much as we could. But also about having the capacity to no longer turn clients away. Now, I can capture them all.

2. Profitability has gone up with investment in automation

The total amount of revenue coming in isn’t the only way I’m reaping the rewards either. Profit margins are much higher now, too. With the WordPress Toolkit, agency team members can now focus on tackling tasks that play to their strengths. It’s this investment in automation and task orchestration that’s made my operations run much more efficiently.

3. Greater functionality gave added value to customers

Since Plesk are WordPress specialists, and provide so many different features and functionality, I now feel as though my customers are truly taken care of. It’s this added value from features like Smart Updates powered by AI or Remote WordPress Management that has contributed to my agency’s growth.

Future goals for our Plesk partnership

Last year, a lot of our goals were based on basic financials. Now we want to move forward in 2019 (and beyond). We anticipate to continue to experience the same level of growth.

Khandaker Ikrama owner of Duetsoft Plesk

“My agency experienced a 25% increase in profitability”

I also hope to expand further on our value-added services. Managed services are becoming increasingly popular with businesses around the world. eCommerce, in particular, is an area that I hope to do more with, as it’s a particular niche with a lot of ongoing needs. However, I believe that my agency, in conjunction with Plesk managed services, can easily take care of them.

Managing WordPress for one website or thousands doesn’t have to be a chore. And it shouldn’t be something that holds your company back from scaling, or generating a solid profit margin either. If you want to give the best to both your customers and your agency, then you need to work with an infrastructure provider and partner you can rely on. Thankfully I found trusted partners in Plesk WordPress Toolkit and DigitalOcean.

About Duetsoft

About Duetsoft Plesk

Duetsoft is an intentionally small web development agency based in Dhaka, Bangladesh. They focus on custom development and web design for WordPress, the CMS of choice for businesses of all sizes. Whether they are individuals, resellers, ISVs, SMBs, or enterprises.

Why WordPress Admins Need More Than One SEO Tool

WordPress SEO Tools

Traffic to your website doesn’t come easy. You have to make your site as search-friendly as possible to attract users, promote your brand, and sell your product or service. While WordPress makes publishing content simple, managing SEO is trickier, requiring more time, effort, specialized knowledge, and SEO tools.

The right SEO tools can help you by automating a lot of tasks. So let’s explore why you need SEO for your WP site – and how to do it using a clever combo of SEO tools.

First, Here’s Why You Need SEO Tools


In today’s highly competitive world – first impressions are everything. Regardless of whether you’re a startup, small business owner, blogger, freelance developer, sysadmin, agency or full-blown enterprise. Your online presence needs to resonate with your target audience, so they remain engaged with your website, and ultimately – your brand.

If your website runs on WordPress, you’re in good company because it powers 33.4% of the top 10 million sites. From SMBs to large enterprises, it’s got 60% of the market. Reason being it’s simple and offers a plugin for virtually every need – no developers needed.

However, for your business to succeed, building a great website is not enough. Your audience needs to find you and choose you above a million others. This is where good search engine optimization (SEO) comes in.

Understanding the SEO Basics

SEO is about tracking, monitoring and improving your website’s position in search engine results. Ideally you want to rank as high as possible, since a good ranking means more traffic to your site. More specifically – traffic to your website that you don’t have to pay for via advertising.

SEO Basics

Being found on Google means ranking at the top of page one for a certain keyword. Check out these numbers: Position one receives about 31% of the traffic, position two is at around 15%, whereas position ten draws a meager 1.1 % to your website. Needless to say, website links found on page two or later are hardly visible at all and attract below 6% of all website clicks.

How to Get Google to Rank You Highly

How to Rank You High On Google

Google makes this decision by evaluating over 200 factors from your website. Considering everything from credibility to content relevancy for the user, technical aspects, content quality, user experience, and more. Sounds daunting? Don’t panic! You can start getting your SEO right by simply focusing on these top three critical factors.

1. Creating relevant content for your website.

You’ve probably heard the saying, “Content is king!”. Mainly because it’s the most crucial part of SEO. Search engines honor sites that serve relevant content, giving visitors the best possible answer to their search intent. To create optimal content, you need to understand your visitor’s needs, choose the right keywords, and use the correct format.

2. Optimizing your website using on-page SEO

On-page SEO refers to the ongoing ways in which you can optimize your content, technology, and other aspects of the user experience to rank better and attract more traffic from search engines. For example, to rank highly, all links between pages must work, and all resources (images, CSS, and JavaScript) must load smoothly and fast.

3. Promoting your content with off-page SEO

After optimizing on-page SEO, you can think about off-page SEO by building links and engaging in social media marketing. This is important as how many other websites and social media posts link back to the website has a big impact on the website’s search ranking. Moreover, websites that link to other websites based on similar topics usually rank higher.

Don’t Rely on WordPress Alone

Don’t Rely on Just On WordPress

Now that we know how important SEO is, let’s check out how search engine friendly WordPress is. WordPress claims to be ‘search engine friendly’ out of the box. But while WordPress allows you to publish content and have it crawled by search engines – the support for SEO success stops here. WordPress code, however, does follow SEO best practices.

While these are two really important factors that have an impact on your rankings, Google uses over 200 different factors to calculate search result rankings. So we know we have a long list of other aspects to work on and improve.

This is a great first step to help you improve your SEO, as Yoast SEO will help you with a lot of important SEO tasks. But please keep in mind, no tool will do what is your foremost job – create brilliant content. What Yoast SEO does do is help you optimize your content from a technical standpoint.

So while WordPress takes care of some of the basic SEO best practices out of the box, it still leaves room for improvement.

Quick SEO Tips for WordPress

Make sure all the critical aspects of your WordPress site are configured correctly from the get-go. For this, you’ll need to tweak some WordPress settings.

1. Check visibility settings

First check the search engine visibility box isn’t marked, as this can hide your site from search engines. You can check it in Settings > Reading.

Check visibility settings plesk

2. Use a search engine friendly URL structure

Search engines consider yoursite.com and www.yoursite.com to be two different websites. So you need to decide which one you’ll use when you set up your WordPress website. You can set your preferred URL under Settings > General for both WordPress Address and Site Address.

Use a search engine friendly URL structure Plesk

Make sure your website’s URL is human-readable and contains the keywords of your content. You can change the selection under Settings > Permalinks. Add /%category%/%postname%/ in Custom Structure. You also need to leave the Category base field empty, so that the title of your post or page is included in your URL automatically.

included in your URL automatically Plesk

3. Exclude pages from search engines

Search engines honor a clean information structure. To ensure crawlers exclude irrelevant pages (eg. login pages), simply add a robots meta tag with a noindex and/or nofollow attribute to the HTML code of a page.


<meta name="robots" content="noindex,nofollow"/>

Unfortunately, WordPress doesn’t make this easy. So you’ll either have to edit code or use a plugin.

4. Add schema.org for rich snippets

Google can add additional information, like review stars or images, to your page summary in the search result to make it more eye-catching. But you have to provide this information in a standardized schema.org format first.

Add schema.org for rich snippets Plesk

Some WordPress themes or specialized plugins provide the necessary markup you need to create a rich snippet. If not, you’ll need to edit the code yourself.

Assessing content quality and relevance

Once you configure the technical foundations correctly, you’re ready to create and publish content. Remember: Google honors content that answers a user’s question in the most relevant and complete way first. So,

  • Choose a keyword that’s relevant to your users, matches your content, and has enough search traffic. You can find lots of techniques and tools to support your research.
  • Create a good title and use it as a headline following best practices.
  • Create a readable text – paying attention to critical SEO signals: length, internal linking, use of headlines, use of keywords in headlines, and overall readability.
  • Use keywords in image captions, as well as title tags and alt tags for images.
Assessing content quality and relevance Plesk

You should also regularly assess the quality of your existing content. You can do this by updating content on a particular page, improving internal linking, or adding external backlinks.

Add XML Sitemaps

Google recommends you provide an XML sitemap for your website, containing links to all of the pages you want indexed. WordPress doesn’t come with XML sitemap support. So you’ll have to use a plugin, or create and update it manually. Don’t forget to submit it to Google via the Google Search Console.

Auditing the site

Because things can break or go wrong with your site, you should regularly check for common SEO issues, like:

  • Crawlability: Can the search engine spiders crawl every page you want to be indexed, or are they getting rejected?
  • Orphaned pages: Is every page linked to correctly, and do you provide enough links?
  • 404 errors: Are there any broken links in your site causing a ‘page not found’ error, or code 404?

Every site owner should register their website in the Google Search Console, as it checks everything from indexing and broken links to mobile problems. It also gives you visibility into the traffic you receive from the search engine.

Auditing the site plesk

Rank tracking

To track how your site is doing in terms of attracting traffic and converting users:

  • Keep an eye on your website’s ranking for all important keywords and pages.
  • Follow trends for critical KPIs (key performance indicators): eg. ranking in search engines, ranking for keywords, etc.
  • Compare your site’s performance with selected competitors, and see where your rankings for keywords are doing well.

By continuously analyzing meaningful indicators, you’ll get actionable insight into necessary site optimizations. You’ll also notice immediately if any trends develop on- or off-page. So you can act before something affects the success of your website.

SEO Tools and Best Practices

ongoing seo best practices plesk

You need SEO. Period. Although it can be tedious, you don’t actually need to be an expert to master SEO. If you configure your WordPress website correctly, craft your content well, and use essential SEO tools like Yoast and Plesk SEO Toolkit. Then you’re well equipped to manage SEO successfully for your website.

How to manually remove website malware – when an antivirus can’t

Remove website malware

Do you need help learning how to manually remove website malware? Because, as a web hoster, you face daily cybersecurity challenges. No matter how hard you try, you’ll never reduce the chances of being hacked to zero.

But server security solutions are here to help prevent and detect unauthorized access. So, let us help you get one step ahead of the hackers with our guide to manually removing website malware.

File with malware

Main malware strains

Main malware strains

Hackers can get into your systems in various ways. One popular way is via injections attacks. Injections happen when an attacker inserts a file, in-memory cache or database entry into a system component.

Code injection

  • You can insert code into existing PHP or Perl programs to create backdoors or automated uploaders.
  • You can modify the contents of the .htaccess file to redirect visitors to other sites for the purpose of phishing or SEO hijacking.
  • You can alter JavaScript (.js) and HTML files to insert unwanted advertising scripts or content (so-called malverstising).
  • An attacker can modify and use Exif information (meta-data to add info to image files eg. JPG) to carry malicious payloads to other parts of the file system or other sites.

Hackers will often take full advantage of their position, and plant malicious code in multiple places.

Cache injection

A cache is a small, high-performance store of memory. If you don’t secure the server that maintains the caches, then memory can be overwritten in situ. If the affected portion of memory is a cached version of a web page, then a hacker can inject code or malicious content without changing website functionality.

Hacker scripts

Hacker scripts can take many forms, and serve many purposes. Scripts for back doors, uploaders, spammers, and phishing links can create web doorways, or site entry points to manipulate search engine indexes. Hackers can also create defacement scripts simply to cause damage, or prop up their own ego.

Replacing system components

Every hacker wants root access to your server, so they can replace any web server component with their own malicious version. Attackers can control entire sites, and add or modify their behavior as they need. They can also remotely control the script to issue redirects or new portions of malicious code. If an attacker hides this component carefully, then it’s difficult to detect. Because the website appears to be working normally.

How to manually remove malware and repair your website

Manually removing malware

Now let’s assume you’re scanning your site with your favorite cybersecurity software, like Imunify360 or ImunifyAV. Use the following manual inspection techniques to make sure it’s doing a good job and start to manually remove malware.

IMPORTANT: Before continuing, ensure you have a full and working backup of your entire system.

File scanning

Traditionally, Linux-type systems have limited facilities for detailed file scanning and inspection. So let’s use what we have, in the form of find and grep. First, by searching the file system for all modified files within the past 7 days, where the file name extension begins with ph (to cover .php and .phtml):

find . -name '*.ph*' -mtime -7

However, what if a hacker considers this first? And resets file modification dates. Then check to see if file attributes have changed. Here’s how to do that for .phtml and .php files.

find . -name '*.ph*' -ctime -7

We can narrow down the period we’re looking at, by using the newermt option of find. Eg. To look for a file changed between the 25th and 30th of January 2019:

find . -name '*.ph*' -newermt 2019-01-25 ! -newermt 2019-01-30 -ls

Now we can introduce the grep command. This can recursively scan for and report patterns in files. Eg. To look for a portion of a URL in any file in the current directory, or any within it:

grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' *

Permissions checks

If you suspect a breach in your web server or file system, check file permissions. You can do this with the following command:

sudo find / -perm -4000 -o -perm -2000

Check for active processes

If a file system scan shows nothing unusual, take a look at what’s running on the system. See what PHP scripts are running using:

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","}} END{print str}'` | grep vhosts | grep php

Analyzing malicious code: what to look for

You now know some of the basic techniques to search for files and file content. To go deeper when you manually remove site malware, you need to know what to look for. Here’s a helpful checklist.

Check rarely visited directories

System administrators rarely look in directories like upload, cache, tmp, backup, log, and images, making them ideal locations for hackers to hide malicious files.

Note: On PHP-based CMSes such as Joomla, check directories for .php files in the wrong places. If you’re on a WordPress site, check the wp-content/uploads, and the backup and theme cache directories.

Here’s an example of a command that checks for PHP files in an images folder:

find ./images -name '*.ph*'

Treat any similar files in such places suspiciously.

Files with strange names

Even though file names come in a wide variety, certain names should raise a red flag. Here are some examples:

  • php (no extension)
  • fyi.php
  • n2fd2.php

Note any unusual patterns or combinations in file names, letters, symbols and numbers. File names that are naturally unreadable are:

  • srrfwz.php
  • ath.php
  • kirill.php
  • b374k.php.php (double extension)
  • tryag.php

Hackers also exploit the habit of some programs that append numbers to copies of existing files. So lookout for files like:

  • index9.php
  • wp3-login.php

Look for unusual file name extensions

You don’t normally associate certain file name extensions with CMSes like WordPress. So if you see any of these, take note:

  • .py (Python code extension)
  • .rb (Ruby code extension)
  • .pl (Perl code extension)
  • .cgi (CGI code extension)
  • .so (Shared object extension)
  • .c (C source code extension)

Moreover, you also wouldn’t expect to find files with extensions like .phtml or .php3. If you discover any of the above on a PHP-based CMS website, then you should inspect it closely.

Look for non-standard attributes and creation dates on files

Another sign of suspicious files involves the file owner attribute. So you need to watch out for the following:

If you see a number of .php files sent to a server via ftp or sftp were transferred with the owner attribute set to myuser. But in the same directory you see files where the owner attribute is www-data.

You must also check script creation dates. If the date is earlier than website creation, then you need to be suspicious.

Look for large numbers of files

Directories containing hundreds or thousands of files are good places for a hacker to hide malicious scripts and payloads. Such large numbers of files indicate a doorway, or a form of blackhat SEO.

You can detect such directories with the find command. We recommend you start in a specific directory to limit your search and avoid loading a system. The following example helps you find the top 25 directories with the largest number of files.

find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -25

(You can read more about file (inode) searching at StackExchange.)

Checking your server logs

Check server logs

You can also check any system through an inspection of the server log files. Here you can learn many things. For example:

  • You can tell how spam email was sent (when and where it was sent from, the access_log file, and what script invoked the mail command).
  • You can check FTP logging. Tools such as xferlog tell you what was uploaded or changed, and who did it.
  • You can discover the location of any mail-sending PHP scripts with the correct configuration of your mail and PHP servers.
  • You can check to see whether your CMS has additional logs to help you track down the source of an attack. This might help you determine whether an attack was external or came in via a CMS plugin.

Both access_log and error_log files are good sources of information. If you know which scripts are the attack vectors, you may be able to find the source IP address, or the HTTP user agent value. You may also be able to see if a POST request was made at the same time of the attack.

Checking the integrity of files

You deal with attacks more easily if you have adequate preparations in place, like recording the state of files in their pristine state. You can then compare them to the same files after an attack. You can do this in various ways:

Use source code control systems such as git, SVN or CVS. In the case of git, you can simply utilize these commands:

git status 

git diff

Using source code control ensures you have a backup copy of server files. You can restore these easily in the event of a cyber attack.

Tools that can alert you when anything on a file system changes include:

In some cases, version control isn’t possible. For example, when using shared hosting. One workaround is to use CMS extensions or plugins to monitor file changes. Some CMSes even have their own built-in file integrity.

You can keep track of what files you have at any one time with the command to catalog all the files on a system:

ls -lahR > original_file.txt

You can compare this file later with a fresher copy using comparison tools like WinDiff, AraxisMerge Tool, BeyondCompare, the Linux diff command, or even compare snapshots online. This lets you see what files have been added or removed.

About ImunifyAV


Having a comprehensive server security solution such as ImunifyAV is the first step towards a safe and secure website. ImunifyAV is a free antivirus and anti-malware scanner. You can easily upgrade to ImunifyAV+ and get a built-in, one-click, fully automated cleanup feature. But for added confidence, it’s good to know how to manually check your system for problems. And it’s a good way to learn some system administration techniques, like how to manually remove malware.

Let us know if ImunifyAV is helping you stay secure in the comments below.

arrow icon - Plesk

Simple Paid Marketing Tips for Web Hosting Businesses

Paid Marketing Tips for Hosting Businesses - Plesk Partners

Do you need help with your paid marketing efforts so that you can grow your web hosting business? Well, never fear. Follow our six handy tips for paid marketing for web hosting businesses, and make your Cost-Per-Click campaign on Google Ads and other CPC programs a huge success.

1. Choose the right Pay-Per-Click platform

Paid Marketing - platform choice

First, you’ve got to know your platforms and your audience. So that you can choose the most effective platform for you. Which platform does your audience use most? Are they actively searching Google, Yahoo! or Bing? Or are they spending more time browsing social media or professional networks like Facebook or LinkedIn?

Google may have the largest search volume, but LinkedIn and Facebook support targeting options. Each platform is different. Try out all the different options to find the channel that performs best for you. Don’t forget to consider your budget too. Maybe, for your budget, one channel makes more sense than another.

2. Utilize negative keywords

Negative keywords - Paid Marketing

To run a positive campaign, you need negative keywords. Negative keywords ensure you don’t waste your time and resources targeting irrelevant markets. So take advantage of them. Add keywords unrelated to your product or service to your campaign. And filter out those costly clicks and traffic. See your average cost-per-click go down and help your click-through-rate go up by cutting out irrelevant traffic.

3. Know your campaign’s peak times

Paid Marketing - Know your campaign’s peak times

A little research goes a long way. Find out when your audience is most active. Then run your ads during this time. It makes sense, right? So adjust your campaign with user peak times in mind. Then use the Ad Scheduling tool to switch your Google campaign off and on at specific times. Increase your budget for peak times and decrease it for off-peak times for maximum success.

4. Create stand-out copy

Paid Marketing - Ad Copy

If you want your ad to stand out, you need to bring in your greatest weapon – brilliant ad copy. This is what differentiates you from your competitors. Great ad copy makes you stand out in the advert crowd. You’ll naturally put in any relevant keywords and search terms. But try and add some eye-catching, funny or bold words to really call people to attention.

5. Mix the paid with the organic

Mix the paid with the organic plesk

Whatever you do, don’t focus solely on your paid marketing campaigns. To maximize your chances of success, you should ideally integrate or combine both your organic and paid marketing efforts. By doing this, you’ll reach a wider audience – getting higher quality engagement from a larger, but still highly-targeted, audience.

6. Don’t stop testing

Paid Marketing - A/B testing

Once you set up your campaign. Don’t forget about it. You need to keep on testing. Running a CPC campaign requires continued testing and optimization. So try out various keywords and different ad copy, as well as other bidding strategies and landing pages. And see how you do! Refresh your ad to sustain campaign performance and help improve ROI.

So, there you have it. Six super useful paid marketing tips for continued CPC campaign success for your web hosting business.

You can find even more paid marketing tips here as we talk about the most common paid ad mistakes for SaaS companies.

Test them out. Then let us know how you get on in the comments below.

Getting Plesk support for your HTTP/2

Plesk HTTP/2 support

Getting Plesk support for your HTTP/2

To help you understand how Plesk can offer support for your HTTP/2, let’s first visualize how it differs from HTTP/1. Imagine a remote village whose only link to the city is a tiny footbridge. The footbridge is so small it only allows one person to walk on it at a time. With this infrastructure, transferring supplies takes ages.

Now, imagine that the village builds a bridge big enough to support trucks travelling in either direction. The time taken to shift supplies dramatically reduces. This, in a nutshell, is the difference between HTTP/1 and HTTP/2.

*HTTP/2 (also HTTP/2.0 and HTTP 2.0) is the second major version of the HTTP network protocol we use online. HTTP/2 support is available for Plesk customers starting from version 12.5.30 Update #28 and requires the latest version of NGINX.

Having HTTP/2 on your website

HTTP/2 on your website under Plesk

Luckily, as a developer or owner, you don’t need to worry about building bridges. Your main concern is to find ways to improve your website’s loading time. And avoid losing valuable viewers. As a Plesk user, this relatively new protocol is available to you. You simply need to upgrade your existing website to utilize this Plesk technology.

Plesk’s support for HTTP/2 helps increase the speed and efficiency with which a website loads. This benefits areas such as SEO, which is greatly improved when a website loads quickly. Moreover, the rise in popularity of mobile sites means you need almost-instant loading times. An HTTP/2-enabled website will quickly top rankings, beating other sites still using the original protocol.

Before Switching from HTTP/1 to HTTP/2

Switching from HTTP/1 to HTTP/2

Before switching from HTTP/1 to HTTP/2, you need to ensure that your website complies with certain criteria. You need to have –

  1. Plesk’s latest update, version 12.5.30, update #28.
  2. The latest version of NGINX
  3. SSL encryption on your website

If you don’t meet all 3 of these requirements, your website will continue to run on HTTP 1.1.

The process to switch your site to HTTP/2 is pretty simple. You can follow our detailed guide, including the command lines you need to input. If you’re unsure whether you have successfully switched protocol, online testing services can confirm whether a particular domain is HTTP/2 enabled.

How to Enable HTTP/2 support for your website

Make sure your NGINX server is up-to-date and running from Tools & Settings -> Server Components and Tools & Settings -> Services Management.

How to Enable HTTP/2 support
How to Enable HTTP/2 support for your website 2 - plesk

Login to your server via SSH under root and enable Plesk HTTP/2 support using the following command line utility:

# plesk bin http2_pref enable

During the last step your NGINX server will be tuned to use the TLS protocol. Thus rebuilding the whole web server configuration, so your websites and your customers’ websites with SSL support will transfer to HTTP/2.

Please check the output of the command for errors or warnings during switching to HTTP/2. If there are any problems, skip below for Troubleshooting.

To return to HTTP 1.x and to disable HTTP/2, please use the following command:

# plesk bin http2_pref disable

ALPN Support

For HTTP/2 to work properly on Google Chrome, the NGINX web server must support the ALPN. Normally, this requires you to go through detailed documentation and testing. But, with Plesk, the hard work is already done for you.

The operating systems that Plesk supports for HTTP/2 are –

  1. CentOS 7
  2. RedHat Enterprise Linux 7
  3. Ubuntu 14.04
  4. Ubuntu 16.04
  5. Debian 8

HTTP/2 Support Troubleshooting

HTTP/2 Troubleshooting

If you have trouble enabling HTTP/2 support, or when checking the site you see HTTP 1.x protocol, try the steps below.

1. Make sure that SSL support is enabled for the web site in the Hosting Settings section of the domain. HTTP/2 is for SSL sites only, so non-SSL sites will continue to work under HTTP /1.x. That is a restriction of nginx web server and web browsers.

2. Check that nginx is enabled:
# plesk sbin nginxmng -s

Enable it if necessary:
# plesk sbin nginxmng -e

3. Check that OpenSSL package has the version 1.0.1 or higher:

# rpm -qa | grep openssl


4. Check that there is no custom configuration template in /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php.

Remove it if it was found and re-create configuration files:
# plesk sbin httpdmng --reconfigure-all

Alternatively, if you do not want to remove your customizations, you can modify the following file


Do this by first finding the row similar to

($OPT['default'] ? ' default_server' : '') . ($OPT['ssl'] ? ' ssl' : '') ?>;

Then, replace it with the following two rows:

($OPT['default'] ? ' default_server' : '') . ($OPT['ssl'] ? ' ssl' : '') .

($OPT['ssl'] && $VAR->domain->physicalHosting->proxySettings['nginxHttp2'] ? ' http2' : '') ?>;

After that run the command:

# plesk bin http2_pref enable

5. In case of ssl connection problems with HTTP/2 enabled, ensure that the ssl_ciphers directive in /etc/nginx/conf.d/ssl.conf or in customized nginxDomainVirtualHost.php has the following value:


6. If your site doesn’t work in browsers with HTTP/2 enabled, you probably don’t have the right ciphers and protocols for HTTP/2 support. So use the sslmng utility from Plesk to set up available protocols and TLS ciphers list after enabling HTTP/2. For example, if you want to use exactly the same ciphers list as Plesk, the command is the following.

#plesk sbin sslmng --services=nginx --custom --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20" --protocols="TLSv1 TLSv1.1 TLSv1.2"

Configuration will be stored in the /etc/nginx/conf.d/ssl.conf file, but we don’t recommend editing this file manually.

If none of the steps above help you, please contact our Plesk technical support.

Ongoing Plesk support for HTTP/2

Plesk HTTP/2 support

This new technology ensures major search engines have enough time to crawl through large parts of your website. In a short period of time, you should see better indexation of your website. And, potentially, a lower bounce rate thanks to the faster loading time delivered by HTTP/2.

Once you upgrade your website to use HTTP/2, remember Plesk always has your back. If you have any issues, our support guide and trained technical staff can always give you the help you need.

What do you think about the switch from HTTP/1 to HTTP/2? Let us know in the comments below!

arrow icon - Plesk

How to enable NGINX caching to speed up your servers and sites

NGINX caching for servers and sites

Web cache is a form of information technology, involving the temporary storage of web documents such as HTML pages and images. You need it because it helps alleviate server lag – speeding up servers and websites considerably. You can access a variety of web cache technologies, such as Polipo, Squid and Varnish. But, because of two main factors, administrators are increasingly choosing to enable NGINX caching as an alternative.

  1. NGINX serves static content in an efficient way, meaning it’s an important asset when static files are on the same server as NGINX.
  2. NGINX can act as a ‘true’ cache server when it’s in front of an application server.

If you want to enable NGINX caching for your server and websites, you can do so by using the latest version of Plesk Obsidian.

Benefits of NGINX caching

NGINX caching - benefits

NGINX is a versatile technology, as it can proxy requests to other web servers or apps. By doing this, it increases performance for serving static files. While other proxying applications request to other processes. Moreover, NGINX can also act as a cache server, so it can cache content from other servers.

NGINX can sit ‘in front’ of web servers where it acts as a gateway to other applications or servers – in a way similar to a load balancer. Additionally, it can also cache the results of requests proxied to FastCGI and uWSGI processes, as well as to other HTTP servers.

Getting started with NGINX caching

NGINX Caching - Getting started

When administrators enable NGINX caching, they get access to the NGINX proxy server. With this, they can cache certain dynamic website content. When this happens, cached data is stored for a very small period of time, usually no more than several seconds. As a result, you’ll see an overall increase in speed of website load time. Plus a reduction in server load.

You should consider NGINX caching depending on a website’s profile and usage. So if you have a website that experiences high traffic or that you regularly upload content to every few seconds, you should enable NGINX caching for it. This includes websites such as popular blogs and news portals.

On the other hand, enabling NGINX caching for websites that have low or moderate traffic and fewer content updates might be potentially harmful, or simply plain pointless. The same scenario applies for websites that use personalized content, like those that take note of a visitor’s geographical location or the contents of a shopping cart.

You can also enable NGINX caching for individual domains and hosting plans. In fact, every time you create a new subscription based on a current hosting plan, NGINX caching is automatically enabled.

NGINX customization is important

NGINX Customization

As with most technologies, you have the option to customize your default NGINX caching settings directly on your Plesk panel. For example, you can change features, such as cache size and cache timeout. Plus maximum cache size, the cache key, and so on.

You can do this by editing the panel.ini file. When administrators customize settings, the new custom values only apply to new hosting plans, domains, and subdomains. And won’t affect those hosting plans, domains, etc. that already exist.

Before you enable NGINX caching, we highly recommend you switch PHP files processing to a PHP-FPM application served by an NGINX type.

A cache server such as NGINX is a great way for administrators to put less load on their servers and websites. With its versatile nature, being used for both static or dynamic assets, NGINX caching can handle numerous requests by itself. This brilliant feature is available in the latest version of Plesk Obsidian, which comes with a comprehensive installation guide.

Will you enable NGINX caching to speed up your servers and sites? Let us know in the comments below.

arrow icon - Plesk

Automated testing for your WordPress – Steve Grunwell at WCUS

Automated testing for your WordPress

Steve Grunwell is a Senior Software Engineer at Liquid Web who works on Managed WordPress platforms, specializing in WP and web app development. He says WordPress is a tightly-coupled system with a history of ideas, decisions and technical shifts that can mean consequences for even simpler tasks. However, you can ensure software is released regularly with low regression risk with automated testing.

Steve Grunwell WCUS 2019 - Plesk

Building WordPress plugins with tests can seem challenging, however there are tools to set up a test harness within an existing codebase with ease. In his WCUS talk, Steve talked about the fundamentals of automated testing, particularly in regards to WordPress. Plus, how to start testing plugins and themes using features from PHPUnit and the WordPress core testing framework. In order to finally build and release quality software.

About Automated Testing

Achieving continuous integration and delivery is the holy grail. We can start automated the entire process from writing code to production. Automated testing plays a vital part in letting us reduce time and chance of human error. It is easily reproducible and a gateway to CI/CD.

For WordPress automation, testing, staging, smart updates and more, check out our complete Plesk WordPress Toolkit.

Test Types

Unit Test – Tests the smallest possible unit of an app. It’s often a single function.

Integration Test – Takes all the unit tests and finds if they work together in the way we’re expecting.

E2E (end-to-end) – Tests the entire path through the organization.

automated testing pyramid - Steve Grunwell

They may cost more to test the higher up the pyramid you go but maybe they take even longer to run. You are after all in many cases making HTTP requests.

SUT (System Under Test)

This refers to the current system we’re trying to test. It can be a single method, a class, or a whole feature. What are we trying to accomplish with our test? And how do we get everything else out of the way so we can focus on that?

When it comes to WP, we do have to shift a little. As we said, it’s a very tightly-coupled system. So, it’s very hard to test single items in true isolation. But this doesn’t mean we can’t do this effectively. And this is what Steve talked about at WCUS 2019.

PHPUnit – Our testing toolbox

Steve talked about PHPUnit by first explaining its structure.

Test Suite – This is a collection of test classes.

Test Class– a collection of one or more test cases.

Test Case – A single scenario you’re going to test.

It’s going to be comprised of one or more assertions. Do things work the way that we expect? Here are a few scenarios that Steve Grunwell highlights.

Is it true or false?

assertTrue () $value ===true?


assertFalse () $value ===false?



assertEquals()  $expected == $actual?

$this->assertEquals($expected, $actual);

assertSame()  $expected == $actual?

$this->assertSame($expected, $actual);

Verifying contents of things

assertContains () Does $value contain $expected?

$this->assertContains('b', ['a', 'b', 'c']);

assertRegexp() Does $value match the given $regex?

$this->assertRegexp('/^Fo+/', 'Foo Bar');

Negative assertions

For every assertion, there is a positive and negative assertion.

assertEquals () $expected ==$actual?

assertNotEquals () $expected ==$actual?


assertContains () $expected ==$actual?

assertNotContains () $expected ==$actual?


assertCount () $expected ==$actual?

assertNotCount () $expected ==$actual?


assertArrayHasKey () $expected ==$actual?

assertNotArrayHasKey () $expected ==$actual?


Do we have at least one match? Everything comes down to true or false. The key to understanding assertions in our tests. Here is an example of a test report:

PHPUnit 7.5.1 by Sebastian Bergmann and contributors.

...............................................  47 / 511 ( 9%)

...............................................  94 / 511 ( 18%)

...................................SSSS........ 141 / 511 ( 27%)

............................................... 188 / 511 ( 36%)

............................................... 235 / 511 ( 45%)

............................................... 282 / 511 ( 55%)

............................................... 329 / 511 ( 64%)

............................................... 376 / 511 ( 73%)

............................................... 423 / 511 ( 82%)

............................................... 470 / 511 ( 91%)

.........................................       511 / 511 (100%)


Time: 1.13 minutes, Memory: 42.00MB


OK, but incomplete, skipped, or risky tests!

Tests: 511, Assertions: 1085, Skipped: 4.


PHPUnit 7.5.1 by Sebastian Bergmann and contributors.


.......F........                                 16/16 (100%)


Time: 7.15 seconds, Memory: 14.00MB


There was 1 failure:


1) Tests\CoffeeTest::test_get_good_coffee

Failed asserting that two strings are identical.

--- Expected

+++ Actual

@@ @@

-'great, well-balanced coffee'






Tests: 16, Assertions: 19, Failures: 1.

It ran through over 1K test in under a minute. If you were to do this manually it would take days instead of minutes. 

Test Doubles

As we test things, sometimes we want to get things out of the way in our code. This is where test doubles come into play. The general idea is to remove any variables in our code and give ourselves test versions to replace actual systems. Always returning known values and ensuring systems behave a certain way. When dealing with test doubles, a popular library for creating test doubles is Mockery.

public function test_handles_empty_order_list() {

    $api = Mockery::mock( Api::class )->makePartial();

    $api->shouldReceive( 'get_all_orders' )


        ->andReturn( [] );

    $this->assertEmpty( $api->get_recent_orders() );


There’s also the PHPUnit Markup assertions, powered by DOMDocument. Lets use DOMDocuments to make a DOM query.

function test_button_contains_active_state() {

    $output = some_function();

    $this->assertContainsSelector('.button.active', $output);


WP Core Test Suite

This is what WP core itself uses to ensure all the PHP in WP is behaving the way we expect it to. If we want to use the core test suite, you can run $ wp scaffold plugin-tests my-plugin to generate test scaffolding via WP-CLI. Get the test suite out of the box.

We want to make sure certain things happen before every test method. You don’t have to write it every time, only once.

We have the concept of groups where we run tests of a similar nature across suites and classes. I can just run the following code.


 * @group Posts

 * @group PostMeta


public function test_includes_private_posts()


    // ...


$ phpunit --group=Posts

This comes in handy when you have a large test suite and want to make sure related things aren’t going to break.

Data Providers

Often in our testing you can have the same test but different data. For this, we have a nice tool called data providers. You can run through them without having to paste the same method over and over again. So we specify a data provider for it. If you’re working with simple data types like strings and integers. You can choose to define just one method for example:


 * @dataProvider my_data_provider()


public function test_my_function( $expected, $value ) {

    $this->assertEquals( $expected, my_function( $value ) );



public function my_data_provider() {

    return [

        'Description of case 1' => ['foo', 'bar'],

        'Description of case 2' => ['bar', 'baz'],




 * @testWith ["foo", "bar"]

 *           ["bar", "baz"]


public function test_my_function( $expected, $value ) {

    $this->assertEquals( $expected, my_function( $value ) );


You can even generate dummy data with factories tests. You can generate users, posts and more – for testing purposes.

// Create the post and retrieve its ID.

$post_id = $this->factory->post->create();


// Create and retrieve the new post.

$post = $this->factory->post->create_and_get();


// Override default parameters.

$post = $this->factory->post->create_and_get( [

    'post_title'  => 'My Test Post',

    'post_author' => $author_id,

] );


// Create multiple instances.

$posts = $this->factory->post->create_many( 5, [

    'post_author' => $author_id,

] );

Checking for WP_ERRORS

Was the response an instance of WP_Error? Coming back to the search for truth – Is truth a WP_Error? As we write our code, there’s a pattern for how this should be arranged to set up the scenario.

public function test_function_can_return_wp_error() {

    $response = myplugin_function();




Next we execute the code, and finally we make assertions around it – in other words, verify that things happened as you expected.

Testing Permissions

public function test_non_admins_cannot_clear_cache() {

    // Arrange

    $user_id = $this->factory->user->create( [

        'role' => 'author',

    ] );


    wp_set_current_user( $user_id );


    // Act

    $response = myplugin_clear_cache();


    // Assert


    $this->assertSame(403, $response->get_error_code());


Registering a custom post type

public function test_book_cpt_is_registered() {



    $post_type = get_post_type_object( 'book' );


    // Verify the post type is registered along with key properties.

    $this->assertNotNull( $post_type );

    $this->assertTrue( $post_type->public );

    $this->assertFalse( $post_type->hierarchical );


Testing Hooks

public function test_function_does_action() {



    $this->assertSame( 1, did_action( 'myplugin_action' ) );


public function test_function_does_action() {

    $called = false;


    // Register a callback to validate arguments.

    add_action( 'myplugin_action', function () use (&$called) {


        // Only return true if validations passed.

        $called = true;

    } );




    $this->assertTrue( $called );


Testing Output

public function test_shortcode_output() {


    do_shortcode( '[recent-posts title="Latest Posts"]' );

    $output = ob_get_clean();


    $this->assertContains( '<h2>Latest Posts</h2>', $output );


public function test_shortcode_output() {

    $this->expectOutput( '<h2>Latest Posts</h2>' );


    do_shortcode( '[recent-posts title="Latest Posts"]' );


Stubbing HTTP Requests

add_filter( 'pre_http_request', function () {

    return [

        'headers'  => [],

        'body'     => '',

        'response' => [

            'code'    => 200,

            'message' => 'OK',


        'cookies'  => [],

        'filename' => '',


} );

Basic Automated Testing Workflow

Steve explains the basic idea behind TDD – test driven development.

  1. Write a (failing) test to describe the functionality/behavior. You’re describing how it should work. This can be called ‘red’ – there is a broken code.
  2. Write the code necessary to make the test pass. All we have to do is get the test to pass. This can be known as green – the code that works.
  3. Refactor, rinse, & repeat. Now we can go back and refine the code.

Automation is the way forward and one that strongly resonates with Plesk’s values and beliefs. You can find the slide deck from the talk here. Thanks Steve for sharing your expertise on automated testing!

Tools and Tricks to Manage Multisite and Control Your Network

Tools and Tricks to Manage Multisite and Control Your Network - Plesk at WCUS 2019

Matthew Rodela started out in IT consulting and has been building WP websites for about 10 years now. He acquired a theme called Website Builder for IT businesses. It came with tutorials on how to configure the theme and so on. He decided to turn it into more of a platform. Hence, after lots of trial and error, techsitebuilder.com was born. Turns out an automated Multisite was a better model for both his customers and his business.

“WordPress is a powerful platform that can really help organize and streamline website development.” 

However, Multisite can prove tricky to manage without the right tools and processes. That’s why Matthew chose to talk about plugins that can better help you manage your network. Plus the effective processes that can keep everything up-to-date, secure and backed up. Matthew’s lightning talk was not for developers specifically, but anyone who offers WordPress services to customers.

Providing your customers with the best WordPress solution

You may be used to the WordPress dashboard and how well it works. But oftentimes our clients are intimidated by it or don’t understand how to use it. So this is how you can develop a simpler, more controlled platform for your clients to use and become more successful.


Matthew explained that WordPress Multisite is built into the WordPress core and allows you to create subsites. These act as their own standalone WordPress install but they’re all sharing resources with one WordPress installation. Therefore, you only need to install the plugins, themes, and so on, once. It’s easier for you to manage and use your resources efficiently. For example, you update a plugin once and it’s basically updated on all sites.


Matthew uses WaaS – Websites as a service (like Wix, for example) to explain this model. Applying the Saas model to website delivery. These are Turnkey websites delivered automatically via WP multisite.

The focus of the business model is on scale and MRR (monthly recurring revenue). It’s low-cost for customers but also encourages a lot of DIY. Customers have a platform to build the way they want, while using the best tools. But above all, it’s niche-specific. You can be the best website platform for whichever industry you’re targeting.

Top Multisite Plugins according to Matthew Rodela #WCUS

WP Ultimo

WP Ultimo sells subsites on a subscription basis. It allows you to provision subsites to customers on a subscription. With pricing plans, you can limit how many posts you want customers to create per month, for example. Or by how much media they can upload – hosting costs. Certain themes can be available to certain plans. You can create starter content or the ideal site which customers can follow for their own.

KeyPress UI Manager

Rearrange, rename, hide and further modify all backend menus – Admin, Toolbar and Customizer. You can customize or style the dashboard. And soon, users of this plugin will also be able to edit other areas of the admin, like the Dashboard, Gutenberg  and branding.


With multisite you have hundreds using a website from one WP installation which is a bit scary. With this UpdraftPlus plugin, you can backup the entire multisite network, but also individual subsites, which not all plugins can do.

White label CMS

This tool lets you brand your dashboard so you can customize the login page, and add your branding and logo, for example.

Multisite Enhancements and Beyond Multisite

Both sprinkle elements of accessibility which ease Multisite wrangling, but they also:

  • Shows on which sites a plugin is active
  • Display blog and user IDs
  • Various time-saving enhancements

Hosts like WP Engine and Closte

Both are great with subtle differences. WP Engine is one of the more popular hosts. It works with WP Ultimo domain mapping, scales well and has in-built security and caching. It has one-click staging for testing. And with WP Engine, you can convert to multisite in one click. It only counts as one install.

Closte also works with WP Ultimo domain mapping and you get Auto-SSL with WP Ultimo too. However it;s more flexible and the pricing scales according to your usage.

Final tips for running a multisite platform

Many users opt for premium plugins instead of free ones mostly so that they can get premium support. So be picky about plugins offered. Use a managed WP host ideally. Remember image optimization is key to manage disk space bandwidth – WP Smush works well with multisite in this respect. This way you don’t end up killing load time by uploading too many images and so on.

For more info on this topic, check out our take on multisite, or you can follow Matthew’s work here.