This week’s post about a recommended plugin is really a two-in-one… we’re also announcing a new, free plugin that should be useful to everyone. It’s a new two-factor authentication plugin that we’ve just released on

Two factor authentication

What’s two-factor authentication (TFA)? Wikipedia’s article is here… but basically, it’s to do with securing your logins, so that there’s more than one link in the chain needing to be broken before an unwanted intruder can get in your website. By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.

Is this really important?

Rather than me blather on about this, just read this: Frighteningly easy for the attackers to erase his digital life, was it not?

WordPress solutions

There are various solutions on WordPress for securing your login. They’re all about lowering the percentages – minimising risk. Anything that lowers the percentage at all has some value. One that helps a lot is a previously recommended plugin, BruteProtect, which blocks any logins at all from known-to-be-bad IP addreses, using the power of the cloud. Others are in my personal view less useful – e.g. adding a captcha to your login form, or making the visitor answer a maths question. Every little helps, but some of these will only help until the attackers tool-up, and then you’re back to square one again.

To some extent, we’re always in an arms race. But genuine “two factor” security is about adding another layer entirely: not just inconvenience, not just the need to tool up, or attack from a new IP address, but something that the attacker can’t have. The most popular form of “two factor” is a security token of some sort (usually 6 numbers), that’s delivered to a device you have…. and which only lasts for a short amount of time (e.g. 30 seconds – after which, the device will display a new code). The only way then to log in legitimately whilst the plugin is active then becomes to physically get hold of the security token or mobile phone (as well as knowing the password).

We weren’t content with the existing solutions…

There are some decent two-factor WordPress plugins out there. We’ve used and recommended some. However, none of them hit all of the sweet spots that we wanted:

  • Protects the WooCommerce login form as well as the WordPress dashboard’s login form. (Plugins not supporting this form will fail in one of two ways: either effectively have no two-factor authentication, or will not allow anyone to log in).
  • Allow each user at a certain level (e.g. admin, editor, ordinary user) to decide for themselves whether to enable two-factor authentication.
  • Have a reasonably straighforward user interface
  • Allow the user to configure TFA on the front-end of the website – i.e. without them needing to be able to see the WordPress dashboard
  • Support standard protocols, allowing any TFA app to be used (e.g. Google Authenticator, Authy, or even… yes! … an app for my beloved Nokia).
  • Display graphical QR codes (i.e. codes that your phone can scan)
  • Have well-written code that follows WordPress standard practices (including security mechanisms). You’d be surprised how easy it is to find WP plugins for *security* that don’t do this. (Mistakes is one thing – we all make mistakes… but not using the mechanisms at all… that’s just nuts).

… so we made our own

So, what to do? Since this is WordPress, with the wonders of open source, we forked one that was decent enough, and made our own.

And here it is… “Two Factor Authentication”, free on the directory. We hope you like it – it’s just been launched. We recommend it to you all; there’s no good reason to not lock down your website, and in our view, TFA plus BruteProtect is the best straightforward way to do it in 2015.

Oh, and… you might by now have guessed where this is going. Two-factor authentication for customers will be coming to UpdraftPlus.Com!

David Anderson (founder, lead developer, UpdraftPlus).

Since yesterday, UpdraftPlus’s download counter at ticked over to two million. When we passed one million, we were the 51st plugin to do so; we’ve continued to accelerate, and are now the 30th plugin to reach 2,000,000. That’s a lot of backing up going on!

This feels great… but it gets better…

You may know that raw download numbers can be a bit misleading. They cover the plugin’s entire history, and depend not only upon popularity, but upon how often a plugin is updated. Every time someone updates, a fresh download is registered by To provide more meaningful data on popularity, the WordPress repository recently began displaying information about numbers of active installations. We can now see, for example, that BuddyPress has a 30% higher download count than UpdraftPlus despite UpdraftPlus having around 3 times as many users.

These “active install” numbers are shown to 1 significant figure only. Yesterday, UpdraftPlus was showing 300,000+ . But, overnight, not only has UD’s download counter ticked over to 2,000,000, its “active installations” counter has now bumped up to 400,000+. UpdraftPlus is now unambiguously the #1 most installed WordPress backup plugin. (There was one other plugin that also was showing 300,000+, and still is).

Being #1 is no longer our estimation based on deductions from imperfect figures, but a published fact on that everyone can see. 400,000+ websites use UpdraftPlus for their backups – we’re more trusted than any other solution.

We want to thank our users for this continuing vote of confidence. We’re also on schedule for another record month of sales; if you’ve not yet done so, then please do check out our flagship product, UpdraftPlus Premium – it’s got all the features, and personal support; we believe there’s no better backup/restore/clone solution on the market.

David Anderson (founder, lead developer, UpdraftPlus)

Stats tell us that most of you are using Google Chrome. Chrome’s web developer features are great for getting things done. However, I’ve recently switched back to Firefox for most use. Both are excellent browsers these days.

If you’re also on Firefox, and haven’t yet found this extension… then it might be the one you’ve been waiting for: “Disable Ctrl-Q Shortcut”.

Oh yes! It is quite irritating to be closing a tab or two with Control-W… and the finger accidentally slips a few millimetres over and BANG – Control Q – you’ve quit the whole browser. All your open tabs are now gone. Grrr!

This add-on is now one of my favourites: it does one useful job, and does it well!

Admittedly, Chrome made this a non-issue by making the “quit” shortcut to be Control-Shift-Q…

David Anderson (lead developer, founder, UpdraftPlus)

This is a bit of a minority interest… but if you provide plugins for others, then you might be interested in a new free plugin from our sister company.

It’s the “Simba Plugin Updates Manager”, available for free from here in the repository.

What does it do? It allows you to host updates for your own plugins. i.e. You can make your plugin available for download from your own website, and users can access updates that you make available from there – just like with plugins in Previously, this was quite difficult to do – you needed to build your own infrastructure. Now, you can just use your existing WordPress website, together with this plugin.

David Anderson (founder, lead developer, UpdraftPlus)

Did you know, that people are trying to break into your WordPress website basically all the time?

This comes as a shock to some – I’ve seen a few anxious requests for guidance from people who read their logs, and discovered that attacks were going on.

WordPress now runs around a quarter of all websites on the Internet. As such, it’s an attractive target for attackers – they can build tools which have a huge number of potential targets.

But, why do they want to do this anyway? Motives vary – there are indeed plenty of people who think that destroying things is fun. However, the main motive is a predictable one: profit. There’s money to be made.

This at first seems surprising – where’s the money to be made in my little blog, someone asks? After all, I don’t make any money from it myself – how can they?

Three main ways…

1. Computing power, “free” and anonymous

It’s not your website itself that the average attacker wants – they want the computer power of the webserver that it’s running on. They want the free electricity. This can be used to perform complex computations such as those used to “mine” digital currencies like Bitcoin – or simply to hide the hacker’s identity, whilst he uses a server that is not linked to his name, to perform other tasks.

2. Spam, spam, spam spam…

That computing power can also be used to churn out zillions of spam emails – again, for free (to the attacker), and in a way that’s hard to trace, since the emails will come from your server, not the attacker’s own computers. Since emails are quick and easy to send, often by the time it is spotted, the attacker has got his pay-off. Spam equals money – sadly, there are people who don’t immediately delete them, but who reward the evil business model. Website owners and hosting companies get to pay the bills, when the addresses of their servers get black-listed as spam sources, and time has to be invested in cleaning up.

Another way is to insert links into web pages, to websites selling things – like various pharmaceuticals. These links may not even be intended or visible for people to click on – they may be intended only to be visible to search engines, to help the destination websites move up the search rankings. Unscrupulous marketeers can find it much cheaper to buy space on a thousand hacked websites from shady operators, than to build up genuine interest in their products.

3. Serving up viruses

A hacked website can be modified to serve up viruses to its visitors – catching vulnerable visitors whose own security on their PC/Mac/etc. wasn’t up to date. Viruses then allow the visitor’s computer to be used for the same purposes – and some others. For example, some viruses will encrypt all your files, and decrypt them only upon payment of a ransom – i.e. “ransomware”. Or they may inject new adverts into every web page you visit, making money for either the sellers of advertising space, or the sellers of the advertised products. Or they may log clicks and key-presses on the computer, and capture valuable passwords by this method – e.g. online banking passwords.

Sadly, insecure websites are economically valuable. Weak passwords, un-updated plugins, etc., provide ways for the bad guys to use your computing resources, to make money. The costs of breaking in are less than the revenues they can make – so hacking is a profitable activity.

Conclusion: don’t say “my website’s not interesting to hackers – it’s just small, so I’m fine.” Much WordPress hacking is an automated activity. Other hacked websites are running code to try to automate the process of hacking yours, if you’re vulnerable. Everyone’s at risk, and everyone needs to keep on the ball. Future training articles will discuss how. But you won’t be surprised by rule number one: keep regular backups! ;-) Sadly, even if you follow all the rules, sometimes, hackers find a flaw before the good guys do, and begin taking over websites straight away. When that happens, you need a good backup. With a good backup, you can always recover: without one, you’re really in for a hard time to get back to where you once were.

David Anderson (founder, lead developer, UpdraftPlus).


This week, the plugins directory has started showing the approximate number of sites that currently have a plugin installed.

Until now, there was only indirect information on this. A download counter was shown – but this showed downloads of all versions of the plugin (including updates), so this number depended not only upon the number of active sites, but also upon the history of the plugin, and how often it released updated versions. used to be the go-to place to get estimates of a plugin’s install base – but we’d long suspected that their algorithm seriously under-counted the true figure (as well as producing figures that fluctuate wildly when a plugin update is released). This suspicion turns out to be correct.

The true figure can only come from – because is the place that a WordPress website sends back its “Hey – please can you tell me if there are any updates available for this plugin?” requests to.

A perfect count isn’t possible – not all sites will check for updates (some are behind firewalls), and not all sites are public Internet sites (some are private development ones). They’re also only showing figures to one significant figure – so, you can’t distinguish plugins with vaguely similar numbers of downloads. But, it’ll be pretty good – and, as I say, is the only place that can give an accurate figure that’s comparable between plugins.

The figure for UpdraftPlus’s free version is 300,000+ – over 3 times larger than’s estimation. Nobody’s yet produced an ordered ranking of most-installed plugins… this would be easy to do, just involving scraping the data from the relevant pages – we’ll be interested to see where this places UpdraftPlus when someone does that.

David Anderson (founder, lead developer, UpdraftPlus)

Want to sign up for the fortnightly UpdraftPlus newsletter? It contains a mix of UpdraftPlus news, useful training materials for WordPress developers and site-owners, and general WordPress news. If you want to give it a try (you can de-subscribe at any time), then please go here.

According to PluginTable.Com, UpdraftPlus is now in the top-30 of all-time plugin downloads for WordPress plugins, with over 1.9 million downloads.

Thanks again to everybody who’s made this possible. We’re not finished yet, God-willing… please keep downloading and recommending, and we’ll use that support to take it to another level. It needs a lot to climb once you’re in top 40 – but the next target is 2 million, and then after that eventually the top 25… stay tuned!

David Anderson (founder, lead developer, UpdraftPlus)

Next up in our occasional “recommended plugin” series is…  “Redirection”.

It does one thing, and does it well – something that always appeals to site builders looking to develop knowledge of a set of tools that can cover them in any common situation.

What does it do? Simply put, it redirects: users who click on a link (i.e. URL) can be sent to a different link instead.

For example, perhaps you have some old links,, that people are still clicking on, even though you no longer have content there. (e.g. An old marketing campaign, or previous version of your site). Do you want those people to just see a 404 page, or something that’ll keep them on the site?

The same can be achieved by editing a .htaccess file in your WordPress directory, but…

  • That only works if your webserver is Apache (around 90% of the time)
  • That requires you to learn about the .htaccess language
  • Using a plugin is portable – you won’t need to remember to copy your .htaccess file when moving hosting companies; it’s part of your WordPress install already
  • The plugin can also log redirections and give you statistics on what it’s been up to

“Redirection” is a mature plugin with 2.2 million downloads, so is well-tried and tested. The only issue we’ve ever had with it is too much logging – you’ll want to check your default settings to see what’s being logged, so that if you have a very high-volume site, then your database doesn’t begin to slow down due to unnecessary information.

With that many downloads, you can tell that it’s something that a lot of people often need to do. Keep this plugin in mind, and when you need to, you’ll be ready too!

David Anderson (founder, lead developer, UpdraftPlus)


UpdraftPlus is a trade mark of Simba Hosting Limited, UK registered company number: 8570611, VAT number: 202 1260 80

$0.000 items