WordPress

WordPress comes in two flavors:
  1. WordPress.com — a cloud service that runs on WordPress.com's servers; and
  2. WordPress software from WordPress.org — a PHP-based CMS that you install and run yourself at your own web-hosting company (or on your own server).
WordPress.com is actually a pretty good service, and for a brief period in 2011, I used it for a blog. But you must suffer under some bizarre limitations. For instance, you can't upload MP3 files onto a free site. This isn't a space issue — even if you have plenty of space, you can't do it unless you start paying. I resent such arbitrary feature-crippling in principle, and in practice, I needed the ability because I'm blogging about music.

So I decided to set up a blog at my web host, www.nearlyfreespeech.net. Which meant that I had to pick a CMS.

Initially, I was going to go with Drupal 7. But I discovered that because of Drupal's complexity and the lack — at the time (2011) — of simple, attractive, easily edited themes, I wasn't likely to be able to get a site up quickly.

This led me to look again at WordPress software. WordPress now (in 2014) is my CMS of choice. I initially chose WordPress for three main reasons:
  1. It was easy to migrate existing content from my WordPress.com site to my own WordPress installation;
  2. The software was easy to set up and highly functional; and
  3. WordPress has a lot of free, elegant, functional themes that need very little customization to look good right away.
Below, I walk through how I installed and customized WordPress. I'm not linking to my blog because I'm keeping it semi-anonymous.

Note well: 
  • These instructions assume some background knowledge of how web servers and databases work. If you're a total novice, these instructions may be confusing.
  • It's a good idea to test things out locally. See my page about XAMPP and the links there for more info.

Installation

Background

A WordPress site — like any site that runs on a CMS — is a combination of two things:
  1. The WordPress application files, i.e., a set of PHP, CSS, and (maybe) HTML files that, collectively, are the framework that delivers your web content; and
  2. A database that contains your web content. 
It follows that setting up a WordPress site involves two distinct steps:
  1. Creating a database to hold your web content; and
  2. Installing and configuring the WordPress application to interact with the database.
Once you've got a site up and running, you must do at least three things, one trivial and two not-so-trivial:
  1. Add content (trivial);
  2. Maintain the WordPress application by, at a minimum, installing patches and crucial upgrades (not-so-trivial); and
  3. Back your site up regularly (not-so-trivial).
Item 2 on this list — maintaining the WordPress application — is crucial for your site's security and stability. WordPress has built-in update functionality (you can use FTP or sFTP from within WordPress to install updates), but according to the folks at NearlyFreeSpeech.net, you run big security risks by using that functionality.

Rather than using WordPress's built-in, insecure tool for updating, you're better off upgrading from the command line, using Subversion. To do this easily, you must first install WordPress from the command line with Subversion. That's how I did it, and that's what I discuss below.

Note: WordPress offers its own instructions on installing via Subversion, but I prefer mine. The WordPress instructions also discuss how to convert an ordinary installation to a Subversion-based installation. It seems like a pain.

If you want to do an ordinary installation via FTP or sFTP, WordPress has detailed instructions for that.

Database setup

My web host offers the phpMyAdmin control panel for managing MySQL databases. Using that tool, create a database and a user. The user is not a real person; rather, it is a username used by the WordPress application.

In phpMyAdmin 3.5.2 and up, you can do this in two different ways: 
  1. create the user and database separately (they can have the same names or not, it makes no difference); or
  2. via the "users" tab of the control panel, simultaneously create a user and a database with the same name. 
    1. Note: in phpMyAdmin 3.4.10.1, the "users" interface is behind the "privileges" tab. Once you get to the "add new user" link, you can create a user and database with the same name, just as in phpMyAdmin 3.5.2+. 
    2. You create the user and database simultaneously by selecting the appropriate radio button in this area of the "add new user" interface:
Radio button in "add new user" interface for creating database simultaneously


Whichever method you follow, the database and user must each have the specifications described below.
  • Create database by specifying:
  1. Database name, e.g., mysite_wp
  2. Type: Collation
  3. Collation type: utf8_unicode_ci
    • This specifies the character set. I'm actually not sure there's a reason to pick this type, which specifies what I think of as a universal character set (unicode) over the default type, which is utf8_general_ci. But I've used unicode, and it works.
Visually, do something like this:

  • Create user under "Privileges" tab by selecting "Add New User" (or, in more-recent versions of phpMyAdmin, under "Users" tab).
  1. The username is arbitrary, but write it down.
  2. The password is also arbitrary and can be generated by phpMyAdmin (a good idea). Write it down (or, better yet, copy and paste it into a text file).
  3. Assign the user the necessary privileges.
    1. When you assign global privileges, you can assign:
      1. SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE
      2. Put more simply:
        1. In terms of the phpMyAdmin interface for Global privileges, these privileges are:
          1. in "Data" box, all privileges but FILE
          2. in "Structure" box, all privileges
          3. in "Admin" box, no privileges.
    2. When you assign database-specific (i.e., non-global) privileges — which is a smaller set of possible privileges — you should assign:
      1. All privileges (not including the GRANT option).
    3. Note: These instructions are a hybrid of NearlyFreeSpeech.net's members-only instructions and WordPress's. For obscure reasons, NFS.net doesn't discuss assigning database-specific privileges. It's possible that there's a better way to do this than what I've described.
  • Make a note of your MySQL hostname
    • It might be "localhost" (as shown in the image from phpMyAdmin above). 
    • Or it might not (on NearlyFreeSpeech.net servers, it's the name of your MySQL process).
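
If you have shell access to a mysql client, the same database and user can be created without phpMyAdmin. The script below is an added example, not part of the original instructions or of NearlyFreeSpeech.net's; mysite_wp_user, localhost and the administrative login in the comment are placeholder assumptions. It grants the privilege list given above on the WordPress database only (ON db.* rather than ON *.*), so the account has no rights over any other database on the server.

```sh
#!/bin/sh
# Added example: emit SQL that creates the WordPress database and a user
# whose privileges stop at that one database.
# Typical use (assumes an administrative MySQL login named root):
#   wp_db_sql mysite_wp mysite_wp_user localhost "$(gen_password)" | mysql -u root -p

# 24 random alphanumerics; safe inside a single-quoted SQL string.
gen_password() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c 1-24
}

# wp_db_sql DB USER HOST PASSWORD -> SQL on stdout; status 2 on bad input.
wp_db_sql() {
    db=$1 user=$2 host=$3 pw=$4

    # Refuse anything that could break out of the quoting used below.
    case $db   in ''|*[!A-Za-z0-9_]*)    echo "bad database name" >&2; return 2;; esac
    case $user in ''|*[!A-Za-z0-9_]*)    echo "bad user name" >&2; return 2;; esac
    case $host in ''|*[!A-Za-z0-9_.%-]*) echo "bad host" >&2; return 2;; esac
    case $pw   in ''|*[!A-Za-z0-9]*)     echo "bad password" >&2; return 2;; esac

    # Same character set and collation as the phpMyAdmin steps above.
    printf 'CREATE DATABASE `%s` CHARACTER SET utf8 COLLATE utf8_unicode_ci;\n' "$db"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pw"

    # The privilege list from this guide, scoped to the one database.
    # No FILE, no admin privileges, no GRANT OPTION.
    printf 'GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,\n'
    printf '      CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW,\n'
    printf '      CREATE ROUTINE, ALTER ROUTINE, EXECUTE\n'
    printf "   ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"

    # Read the result back so the scope can be checked by eye.
    printf "SHOW GRANTS FOR '%s'@'%s';\n" "$user" "$host"
}

# Demonstration with placeholder names: print the statements.
wp_db_sql mysite_wp mysite_wp_user localhost "$(gen_password)"
```

The password appears in the generated CREATE USER line; copy it from there into wp-config.php as DB_PASSWORD.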

Installing WordPress application via Subversion

  1. Connect to your web host via SSH to get a command prompt. (I use PuTTY Portable for this.)
  2. Navigate to the directory where you plan to install WordPress.
    • If you plan to install it in a subdirectory of your site's main public directory, create that subdirectory (mkdir) and navigate (cd) to it.
    • Note: It's possible, if you're doing a single-site installation, to install WordPress in a subdirectory but to make it appear to reside in your server's root directory. But you can't do this if you have a multi-site installation. See this section of the WP Codex.
  3. Grab WordPress (currently at version 3.9.1) from the WordPress.org Subversion server by running this command:
    • svn co http://core.svn.wordpress.org/tags/3.9.1 .
      • This means: "Checkout (co) via Subversion version 3.9.1 of WordPress into this directory."
      • If working locally using XAMPP or MAMP for development, you might be able to use TortoiseSVN to check out WordPress. 
    • Notes
      • You might want to check out the "trunk" version of WordPress, but I've seen conflicting advice on whether that's wise (it depends on how stable you think "trunk" is). To do so, you would run this command:
        • svn co http://core.svn.wordpress.org/trunk .
      • As long as you use the most-recent version number after "tags" in the Subversion command above, using "tags/version number" or "trunk" should install the identical version of WordPress. 
      • The WordPress Codex instructions use the "tags" version in their example code.
  4. Create needed directories and set proper permissions. While in the WordPress installation directory, execute these commands:
    • chgrp web index.php
    • cd wp-content
    • mkdir uploads
    • cd ..
    • chmod -R 775 wp-content
    • chgrp -R web wp-content
    • mkdir tmp
    • chgrp web tmp
    • chmod 775 tmp
  5. For more information, see references below

Configuring WordPress after installation

First, you need to marry your MySQL database to WordPress by creating a wp-config.php file that contains the relevant MySQL information. You can do this two ways:
  1. Manually, by editing wp-config-sample.php and saving it as wp-config.php
  2. Semi-automatically, by using WordPress's installation script to generate a wp-config.php file.
  • If you do it manually, you need to add the following values to the wp-config.php file:
    • DB_NAME: your database name
    • DB_USER: the user you created
    • DB_PASSWORD: the user's password
    • DB_HOST: the hostname, if it's not localhost
    • DB_CHARSET: utf8 (the default)
    • DB_COLLATE: if you followed my directions above, this is utf8_unicode_ci
      • You can probably leave this blank if you chose utf8_general_ci as your collation type.
    • Various authentication keys and "salts" that you should generate through WordPress and paste into the file.
    • Optionally (and preferably), an arbitrary "Database Table prefix" (e.g., "wp_")
      • If you plan to run multiple sites from the same code base, you need a table prefix. You might as well set one, because it doesn't hurt anything even if you only run a single site.
    • Add a line pointing to the temporary directory you created above. Toward the bottom of the file (above /* That's all, stop editing! Happy blogging. */), add:
      • define('WP_TEMP_DIR',ABSPATH.'tmp'); 
  • To do it semi-automatically:
    • Use your web browser to open the location where you installed WordPress (your site's root, or a subdirectory). This will pull up the setup-config.php file. 
      • You'll be warned that you might have to edit wp-config.php manually. You probably will, but continue anyway.
    • Click "Create a Configuration File," and enter all the requested information (database name, user, etc.), following the instructions.
    • At the end of this process, WordPress will probably complain that it can't write the config file. This is okay. It will generate text that you can save manually as wp-config.php.
      • You still need to manually edit the file generated by WordPress to make two changes:
        • If you chose utf8_general_ci as your collation type, define DB_COLLATE as this.
        • Toward the bottom of the file (above /* That's all, stop editing! Happy blogging. */), add:
          • define('WP_TEMP_DIR',ABSPATH.'tmp'); 
  • Whichever way you do it, you need to:
    • place the wp-config.php file in your site's directory; and
    • change permissions on the file by removing write permission from the group. From a command line in the directory holding the file, execute:
      • chmod 644 wp-config.php
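
A quick way to confirm that the finished file matches the steps above, as an added example that is not from the original page or from WordPress: the function checks the 644 mode, the eight keys and salts, placeholders left over from wp-config-sample.php, and WP_TEMP_DIR. The sample file it writes is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a wp-config.php against the settings this guide asks for.
# Prints one finding per line.
# Exit status: 0 = no findings, 1 = findings, 2 = file not found.

audit_wp_config() {
    cfg=$1
    findings=0
    [ -f "$cfg" ] || { echo "not found: $cfg"; return 2; }

    # 1. Mode should be 644: no write bit for group or other.
    if [ -n "$(find "$cfg" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "mode: writable by group or other (expected chmod 644)"
        findings=$((findings + 1))
    fi

    # 2. All eight keys and salts defined, none left at the sample placeholder.
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -Eq "define\([[:space:]]*['\"]${k}['\"]" "$cfg"; then
            echo "keys: $k is not defined"
            findings=$((findings + 1))
        fi
    done
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "keys: sample placeholder still present"
        findings=$((findings + 1))
    fi

    # 3. Database placeholders copied over from wp-config-sample.php.
    for p in database_name_here username_here password_here; do
        if grep -q "$p" "$cfg"; then
            echo "db: placeholder $p not replaced"
            findings=$((findings + 1))
        fi
    done

    # 4. WP_TEMP_DIR should point at the tmp directory created at install.
    if ! grep -Eq "define\([[:space:]]*['\"]WP_TEMP_DIR['\"]" "$cfg"; then
        echo "tmp: WP_TEMP_DIR is not defined"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample with four problems: mode 664, one placeholder key,
# placeholder DB password, no WP_TEMP_DIR line.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'mysite_wp');
define('DB_USER', 'mysite_wp_user');
define('DB_PASSWORD', 'password_here');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', 'utf8_unicode_ci');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-value-1');
define('LOGGED_IN_KEY',    'constructed-value-2');
define('NONCE_KEY',        'constructed-value-3');
define('AUTH_SALT',        'constructed-value-4');
define('SECURE_AUTH_SALT', 'constructed-value-5');
define('LOGGED_IN_SALT',   'constructed-value-6');
define('NONCE_SALT',       'constructed-value-7');
$table_prefix = 'wp_';
EOF
    chmod 664 "$1"
}

# Audit the file named on the command line, or the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
else
    demo=$(mktemp) && write_sample_config "$demo"
    audit_wp_config "$demo" || true
    rm -f "$demo"
fi
```
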
Next, you need to initialize your site by running WordPress's installation script. If you used WordPress to generate your wp-config.php file, you simply click on "Run the install" to do this. 
  • Follow the prompts. Name your site and create an admin user with a strong password.
    • I like to create an admin user that is different from the username that I plan to post under.
  • Log in, create another user if you like, delete the generic posts and comments, and you can begin posting.
I like to make at least three other tweaks:
  • Enable pretty permalinks. You must do two things:
    • Pick a structure for your permalinks in your site's dashboard, under Settings -> Permalinks.
    • Create the appropriate .htaccess file and upload it to your site. 
      • The WordPress admin panel will generate some of the rules that you need. 
      • Permissions should be 644: 
      • chmod 644 .htaccess
    • For more info, see the WordPress codex page about pretty permalinks.
    • (Historical note: pre-WP 3.3, there was a problem with certain structures, but it's been patched.)
  • Set a favicon. This is not just cosmetic; it can improve performance.
    • You can find free Creative Commons-licensed favicons at www.favicon.cc, or create one yourself.
    • When you have a favicon, do three things:
      • Upload favicon.ico into your site's root directory;
      • Upload it into the top-level directory of the theme you are using; and
      • Edit the theme's header.php file to reference the favicon. 
  • Consider creating a static robots.txt file. WordPress will generate a "virtual" robots.txt file for you, but you might prefer a static one. I discuss this below under "Other plugins."
You may be notified that some of the plugins (e.g., Akismet) need to be updated. If you want a secure site, don't update them from within WordPress; use Subversion instead. The next section deals with updating and installing plugins.

Updating an existing WordPress installation via Subversion

It's extremely easy to update WordPress using Subversion. But before you do, you should do at least three things:
    1. Back up your site (see WordPress Codex instructions); 
    2. Make sure your web server's PHP and MySQL versions meet the updated WordPress requirements; and
    3. Check to see if your plugins are compatible with the new version of WordPress.
      • If you are unsure, you can disable the plugins before updating WordPress. 
      • From Codex: You can easily disable your plugins by heading to the Manage Plugins page in the Dashboard, changing the "Bulk Actions" pull down menu to "Deactivate" and clicking "Apply".
    4. NOTE: When I updated from WordPress 3.1 to 3.2, the update trashed all my plugins. Fortunately, I had made a backup, so I knew which plugins I needed to reinstall.
    When you're ready to update:
    1. Connect to your web host via SSH to get a command prompt. (As I noted already, I use PuTTY Portable.)
    2. Navigate to the directory where you installed WordPress.
    3. Execute this command:
      • svn sw http://core.svn.wordpress.org/tags/3.9.1 .
        • This means: "Switch (sw) via Subversion to version 3.9.1 of WordPress in this directory."
      • Note: When I did this, Subversion notified me of a conflict related to the svn:externals file and Akismet.
        • I responded tc ("accept theirs for conflict"), meaning I let WordPress do what it wanted about the conflict. For further info, see my entry below about updating the Akismet plugin.
        • NOTE: I think that this was a mistake. It trashed all my plugins. It was pretty easy to get them back by using svn update, because the svn:externals file was not erased and thus could be edited, but it freaked me out to see them gone.
    4. Log in to the admin panel of your site (i.e., the page at /wp-admin). 
      • WordPress will almost certainly tell you that a "database update" is required. 
      • Click the "Update WordPress database" button (which calls the page at [site]/wp-admin/upgrade.php). 

    Plugins

    In general: installing and updating plugins using Subversion

    You can browse the Subversion repositories of WordPress plugins here: http://plugins.svn.wordpress.org/. Any of them can be installed with Subversion, which is more secure than installing via FTP from within WordPress.

    To install a plugin using Subversion from the command line, after SSH-ing into your site:
    1. Navigate to the wp-content/plugins/ directory in your WordPress installation.
    2. Add the plugin to a Subversion configuration file as follows:
      1. At the command line, execute this (or something like it):
        1. svn propedit svn:externals --editor-cmd vi .
          1. This opens the Subversion "externals" property file in the Unix text editor vi. If you have a different text editor (e.g., emacs), substitute it for vi. Don't forget the trailing space and period!
          2. (See this primer on vi commands if you need to. I mainly use A (insert at end of line), arrow keys, Esc to get in command mode, and :wq (i.e., "write-quit").)
          3. (See this man page for svn propedit if you're inclined.)
      2. In the file you just opened, add a line for the plugin you plan to install. For instance:
        1. To install a specific version of the WordPress Importer plugin, you'd browse the /tags/ directory for the plugin at http://plugins.svn.wordpress.org/ and find the highest version number. As of today, that's version 0.2, so you'd add this line:
          1. wordpress-importer http://plugins.svn.wordpress.org/wordpress-importer/tags/0.2/
        2. To install the "trunk" version of the WordPress Importer plugin — which should be the most-recent version — you would add the line:
          1. wordpress-importer http://plugins.svn.wordpress.org/wordpress-importer/trunk/
        3. In my experience, some plugin developers do not properly use Subversion and do not update "trunk" when they should. This means that you might be better off using the newest version in "tags." 
          1. If you use "tags/version #," you will need to edit the "externals" file whenever a version changes before you update to the new version.
      3. Note: If you ever want to entirely delete a plugin, you should remove the plugin's entry in your "externals" property file. Otherwise it will get re-downloaded every time you update your plugins.
    3. Install the plugin via Subversion. 
      1. At the command line, execute:
        1. svn update
      2. This will update everything listed in the "externals" property file, so it will simultaneously:
        1. Install your new plugin; and
        2. Update all existing plugins that you installed with Subversion and that are listed in the "externals" file.
    As the last instruction makes clear, updating plugins is easy:
    1. First, make sure that the Subversion "externals" property file points to either "trunk" or the latest "tags/version #" for each plugin.
    2. Next, at the command line, execute:
      1. svn update
    3. That's it! All of your installed plugins will be updated (if updates are needed). 
      1. If WordPress doesn't seem to know the plugins are updated, click on the "Plugins" portion of the admin panel, which should refresh WordPress's information about your plugin versions.

    Preinstalled plugins

    WordPress 3.x comes with two preinstalled plugins: (1) Akismet, an anti-SPAM plugin, and (2) Hello Dolly. 

    To get Akismet working properly, you need to activate it. Get an API key from Akismet and insert it in the plugin. The plugin's directions in the WP admin panel are easy to follow.
    1. Historical information: With an older version of WordPress, I had a problem updating Akismet. Running svn update in the /wp-content/plugins directory didn't work. 
      1. I think that the problem was caused by how the svn:externals properties were set by WordPress itself when I checked it out using Subversion. When you run svn propedit svn:externals --editor-cmd vi . in the /wp-content/plugins directory, you will see this line for Akismet:
        1. akismet -r319080 http://plugins.svn.wordpress.org/akismet/trunk/
      2. Even though the "trunk" designation should fetch the latest version, I think that "-r319080" prevents this from happening and instead causes you to get a specific revision number.
      3. I was able to update Akismet as follows:
        1. I navigated to the subdirectory /wp-content/plugins/akismet/
        2. In that directory, I ran svn update.
        3. The response message showed several files were updated, and the status message was "Updated to revision 335593" — a higher revision number than the one in the "externals" file.
      4. After doing this, I deleted "-r319080" from the "externals" file in the /wp-content/plugins/ directory. I believe that this will allow me to update Akismet along with every other plugin from the plugins directory.
      5. Followup: I got an error message related to Akismet when I updated to WordPress 3.2 using Subversion, and the rest of my plugins got screwed up as a result.
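
The trunk-versus-tags choice and the Akismet -r pin described above can both be read straight from the "externals" property. This added example (not the author's or WordPress's code) classifies each entry and flags revision pins and plain-http URLs, which give no integrity protection for the PHP being downloaded. The first two sample lines are the ones quoted on this page; the https line is constructed.

```sh
#!/bin/sh
# Added example: classify svn:externals entries.
# Typical use, from wp-content/plugins:
#   svn propget svn:externals . | lint_externals
# Output per entry: <dir> TAB <trunk|tag:VERSION|other> TAB <flags or ->
# Exit status is 1 if any entry carries a flag, otherwise 0.

lint_externals() {
    awk '
    NF == 0 || $1 ~ "^#" { next }          # skip blank lines and comments
    {
        dir = ""; url = ""; rev = ""
        # Accept the fields in either order: "dir [-rN] URL" or "[-rN] URL dir".
        for (i = 1; i <= NF; i++) {
            if ($i == "-r") {
                rev = $(i + 1); i++
            } else if ($i ~ "^-r[0-9]+$") {
                rev = substr($i, 3)
            } else if ($i ~ "://") {
                url = $i
            } else {
                dir = $i
            }
        }

        if (url ~ "/trunk/?$") {
            track = "trunk"
        } else if (match(url, "/tags/[^/]+/?$")) {
            ver = substr(url, RSTART + 6, RLENGTH - 6)
            sub("/$", "", ver)
            track = "tag:" ver
        } else {
            track = "other"
        }

        flags = ""
        # A -r pin freezes the checkout at that revision, even on trunk.
        if (rev != "") {
            flags = flags "pinned:r" rev " "
        }
        # Plain http: the transfer is not authenticated or encrypted.
        if (url ~ "^http://") {
            flags = flags "plain-http "
        }
        sub(" $", "", flags)
        if (flags == "") {
            flags = "-"
        } else {
            bad = 1
        }

        printf "%s\t%s\t%s\n", dir, track, flags
    }
    END { exit bad ? 1 : 0 }
    ' "$@"
}

# Sample input: two lines quoted on this page plus one constructed https line.
sample_externals() {
    cat <<'EOF'
akismet -r319080 http://plugins.svn.wordpress.org/akismet/trunk/
wordpress-importer http://plugins.svn.wordpress.org/wordpress-importer/tags/0.2/
add-from-server https://plugins.svn.wordpress.org/add-from-server/trunk/
EOF
}

sample_externals | lint_externals || true
```
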
    As for Hello Dolly (the file hello.php in the plugins directory), I couldn't seem to remove it permanently. To delete it from within WordPress, you must use WordPress's insecure FTP update facility, which I won't do. And when I deleted it using an sFTP client, it reappeared as soon as I ran svn update in the plugins directory. Some part of WordPress really wants that plugin installed!

    Other plugins

    Apart from Akismet, I use (or have tried out) the following plugins:
    1. Add From Server (svn directory: http://plugins.svn.wordpress.org/add-from-server/): Last updated in 2013-May.
      1. This helpful plugin corrects some flaws in WordPress's design. If you want to link, say, an MP3 file in a post, WordPress expects you to use its built-in uploader, not sFTP. If you don't use the built-in uploader, the files don't show up in the WordPress Media Library. Further, WordPress's built-in uploader won't let you upload files over 10MB in size. That's silly, and it's a drag if you have lots of files to add. 
        1. For more info, see this cyberinnovation.com blog post (2010-Feb-12) about solving these problems with Add From Server.
        2. This WordPress forum post also discusses the problem.
      2. Once you install "Add From Server," you can bulk upload files with sFTP, and they will show up in your Media Library and be available to WordPress. If your site uses PHP Safe Mode, you might get an error message. As far as I can tell, you can ignore it. The message will look like this:
        1. Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /servername/public/wp-content/plugins/add-from-server/add-from-server.php on line 151
    2. MP3-jPlayer (svn directory: http://plugins.svn.wordpress.org/mp3-jplayer/): This is a simple, clean player for MP3 files with only a few quirks. Last updated in 2014-April. 
      1. These notes all relate to an older version of the plugin. They may or may not still be valid as of 2014-May!
      2. Use the /tags/version #/ directory in Subversion, not /trunk/, because the developer doesn't keep /trunk/ up to date.
      3. The default setting has "autoplay" ON. It should be OFF. To fix this, use shortcode like this:
        1. [mp3-jplayer autoplay="n"]
      4. The documentation is hard to find and to understand. You have to go into the player's settings to find the help.
      5. The player doesn't seem to show up right in "preview" mode, meaning you have to commit your changes to really test whether it's working.
      6. Other pointers:
        1. I had a hard time pointing to files stored elsewhere (on Amazon S3 storage). To make it work, I had to set the default URL to "http://s3.[etc.]" — otherwise, mp3-jplayer kept putting a slash in front of every file location that I tried to use.
        2. Files stored in your "library" (the "uploads" directory) seem to be available by filename to mp3-jplayer even if you set your default URL to something else.
        3. Use "custom field types" if you want to enter a whole series of tracks. It's easiest.
        4. The single-track player looks much different from the standard player and doesn't offer a download option.
    3. ServerBuddy (svn directory: http://plugins.svn.wordpress.org/serverbuddy-by-pluginbuddy/): This will run various diagnostic tests on your server, including checks of your security settings. Last updated 2013-December.
    4. WPtouch (developer; svn directory: http://plugins.svn.wordpress.org/wptouch/): A plugin that provides a specialized interface to users of iPhone-like devices. Regularly updated through 2014-May. Premium version available ($49/one site, $99 for five, etc.).
    5. WP Super Cache (svn directory: http://plugins.svn.wordpress.org/wp-super-cache/): Caching plugin. Last updated 2014-April. 5.7m downloads, 4.2 stars.
      • Had problems with it, 2014-May.
    6. W3 Total Cache: Recommended by Yoast. Found it fairly easy to set up.
    7. SEO plugins
      1. Yoast WordPress SEO Plugin (developer; svn: http://plugins.svn.wordpress.org/wordpress-seo/): Constantly updated, 10m downloads, 4.7 stars. Market leader. Premium $89
      2. Google Analytics for WordPress (from Yoast; svn: http://plugins.svn.wordpress.org/google-analytics-for-wordpress/): Popular.
      3. Robots.txt file: It's easy enough to create your own robots.txt file and place it in your site's root directory. 
    8. A backup plugin: UpdraftPlus (developer; svn directory: http://plugins.svn.wordpress.org/updraftplus/): Last updated 2014-May. It plays well with my Amazon S3 account.  
    9. WordPress Importer: (svn directory: http://plugins.svn.wordpress.org/wordpress-importer/): Essential for migrating a WordPress.com site over to your own WordPress site. Updated in 2014-January. Some notes:
      1. The interface for the importer asks you to upload a WXR file. In fact, it wants whatever XML file you exported from WordPress.com. For stupid branding reasons, WordPress decided to call that XML file a WXR file. There's no such thing.
      2. If your site uses PHP Safe Mode, you might get an error message. As far as I can tell, you can ignore it. The message will look like this:
        1. Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /f5/sitename/public/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 86
    10. iThemes Security (formerly Better WP Security) (developer; svn directory: http://plugins.svn.wordpress.org/better-wp-security/): Regularly updated, over 2m downloads, 4.7 stars.
    11. Wordfence Security (developer; svn: http://plugins.svn.wordpress.org/wordfence/): 1.8m downloads, 4.9 stars
      • Replaces cache plugin. Scans for attacks. Not clear what control it gives over vulnerabilities.
    12. P3 (Plugin Performance Profiler) (svn: http://plugins.svn.wordpress.org/p3-profiler/): Regularly updated, 250k downloads, 4.6 stars. Developed by GoDaddy.
    13. Breadcrumb NavXT (developer; svn: http://plugins.svn.wordpress.org/breadcrumb-navxt/): Regularly updated, 1.3m downloads, 4.5 stars. 
    14. Encyclopedia Pro: $30 or $40 - for creating a dictionary-type site within WordPress
    15. Slideshow (developer; svn: http://plugins.svn.wordpress.org/slideshow-jquery-image-gallery/trunk/): Regularly updated, 500k downloads, 4.9 stars. This guy uses trunk.
    16. Fast Secure Contact Form (developer; svn: http://plugins.svn.wordpress.org/si-contact-form/trunk/): Regularly updated, 4.6m downloads, 4.5 stars. Also uses trunk.
    17. PPM FAQ:
    18. Smart Donations (developer; svn: http://plugins.svn.wordpress.org/smart-donations/trunk/): Regularly updated, 30k downloads, 4.7 stars. Paid version available, $20 for one site. Uses trunk.
    19. Smart Forms (developer; svn: http://plugins.svn.wordpress.org/smart-forms/trunk/): From same developer as Smart Donations. 15k downloads, 5 stars.
    20. Seamless Donations (svn: http://plugins.svn.wordpress.org/seamless-donations/tags/3.2.3/): 21k downloads, 4.5 stars.
      • See post about how to create custom amounts: http://allendav.com/2014/03/06/how-to-customize-giving-levels-in-seamless-donations/
      • Developer has kind of abandoned it. It seems perfect, but it was not capturing employer and occupation info to the database, so I can't use it. Also, it's hard to avoid seeing the details of the transactions in the web interface, which is a little bit of a problem for my use case (judicial campaign).
      • Works great with PayPal Sandbox. Other plugins to consider: See RankWP for more info
    21. An all-in-one plugin: Jetpack (developer; svn directory: http://plugins.svn.wordpress.org/jetpack/): This is a Swiss-army-knife plugin from the folks behind WordPress.com. It's got over 2 million downloads, but only an average 3.9-star rating. It does a lot; perhaps too much.
      1. See this blog post about Jetpack (2012-May) at bit51.com, explaining why the author has come around to liking Jetpack.
      2. But many people don't like it: undated post at Jupiter Jim's
    22. A different backup plugin
      1. BackWPup Free (developer site; svn directory: http://plugins.svn.wordpress.org/backwpup/): Updated regularly, lots of downloads, high ratings. 
        1. Pro option ($75): BackWPUp Pro.
      2. Duplicator (developer site; svn directory: http://plugins.svn.wordpress.org/duplicator/): Updated in 2014-February, with over 540k downloads, average 4.9-star rating.
        1. The developer (Cory Lamie) has a blog post and video (2011-July) about using Duplicator to create a local test version of your site.
      3. XCloner (developer site; svn directory: http://plugins.svn.wordpress.org/xcloner-backup-and-restore/): Updated in 2014-May, with over 285k downloads, average 4.3-star rating.
      4. BackUpWordPress (svn: http://plugins.svn.wordpress.org/backupwordpress/): Updated 2014-May, over 1m downloads, average 4.6 stars.
      5. WordPress Backup to Dropbox (developer site; svn directory: http://plugins.svn.wordpress.org/wordpress-backup-to-dropbox/): Updated in 2014-May, almost 805k downloads, average 3.9-star rating.
      6. WP-DBManager (svn directory: http://plugins.svn.wordpress.org/wp-dbmanager/): Last updated in 2014-April, over 1m downloads, average 4-star rating.
      7. Not free: 
        1. BackupBuddy - minimum license fee $80 for 2 licenses; cost per license drops as volume goes up.
        2. Vaultpress - $5/month for one site ("lite" plan)
        3. Blogvault - $9/month for one site
        4. myRepono Backup (developer; svn directory: http://plugins.svn.wordpress.org/myrepono-wordpress-backup-plugin/): Last updated 2014-May. Pay as you go for space in and transfers to the myRepono servers. I could not get it to work, but that was a long time ago.
    23. Mobile-friendly
      1. WP Mobile Detector (developer; svn directory: http://plugins.svn.wordpress.org/wp-mobile-detector/): Plugin for detecting mobile devices and changing themes. Premium version available ($50/one site). Last updated 2013-November.
        1. From same developer: WordPress Mobile Pack. Last updated 2012-July.
    24. Caching 
      1. Quick Cache (svn directory: http://plugins.svn.wordpress.org/quick-cache/). 2014-Jan, 675k, 4.3 stars.
        1. Pro version: $15
      2. W3 Total Cache (developer; svn directory: http://plugins.svn.wordpress.org/w3-total-cache/). Regularly updated, 3.5m, 4.5 stars.
    25. SEO or site-management
      1. Google XML Sitemaps (svn directory: http://plugins.svn.wordpress.org/google-sitemap-generator/): A plugin for generating a sitemap that helps your site get indexed. Updated through 2014-April.
        • Not needed if using Yoast SEO plugin
        • To make this work, I had to create dummy files and make them writable, like so:
          • Create blank sitemap.xml and sitemap.xml.gz files in Notepad, then upload to site root.
          • For my server, since WordPress runs as user web, I executed:
            • chgrp web sitemap*
          • Because the file permissions were (user -rw, group -rw, other -r), this made the sitemap files writable by WordPress.
      2. Broken Link Checker (svn directory: http://plugins.svn.wordpress.org/broken-link-checker/): A useful feature; Regularly updated, 2.5m, 4.1 stars.
      3. SEO Ultimate (developer site; svn directory: http://plugins.svn.wordpress.org/seo-ultimate/): Regularly updated, 1m, 4.2 stars.
      4. All-in-one SEO Pack (svn directory: http://plugins.svn.wordpress.org/all-in-one-seo-pack/): Adds search-engine-optimization features. Regularly updated, 18m downloads, 3.9 stars.
        1. Premium version: $40 or $80
      5. BuddyPress (developer site; svn directory: http://plugins.svn.wordpress.org/buddypress/): A set of plugins that allow you to create your own social network. Some of the plugins are probably useful on their own, even if you don't want to create a social network. Regularly updated, 2m downloads, 4 stars.
    26. Social sharing
      1. Sharebuttons by AddToAny (developer; svn: http://plugins.svn.wordpress.org/add-to-any/): Regularly updated, 3m downloads
    27. Translation:
      1. Multilingual Press (developer; svn: ): Newish, 58k, 4.6 stars. Pro version: $75.
      2. WPML (WordPress Multilingual): Paid - $30 or $80. Market leader.
    28. A contact form or different anti-spam plugin:
      1. Anti-Spam (svn directory: http://plugins.svn.wordpress.org/anti-spam/): Captcha-less spam blocker. Updated 2014-April, 190k downloads, 4.7 stars. 
      2. Fast Secure Contact Form (svn directory: http://plugins.svn.wordpress.org/si-contact-form/). Updated 2012-August; 2.9m downloads, 4.4 stars.
      3. Spam Free WordPress (developer site; svn directory: http://plugins.svn.wordpress.org/spam-free-wordpress/) Updated 2012-September. 240k downloads, 4.4 stars.
      4. SI CAPTCHA Anti-Spam (svn directory: http://plugins.svn.wordpress.org/si-captcha-for-wordpress/): Forces commenters to complete a CAPTCHA. Updated 2012-April; 1.3m downloads, 3.8 stars.
    29. Security
      1. Better WP Security (developer site; svn directory: http://plugins.svn.wordpress.org/better-wp-security/): Updated 2012-August; 216k downloads, 4.8 stars.
      2. Ultimate Security Checker (svn directory: http://plugins.svn.wordpress.org/ultimate-security-checker/): Updated 2012-July; 70k downloads, 4.3 stars.
      3. Theme Authenticity Checker (svn directory: http://plugins.svn.wordpress.org/tac/): Updated 2012-June; 125k downloads, 4.8 stars.
      4. Exploit Scanner (developer site; svn directory: http://plugins.svn.wordpress.org/exploit-scanner/): Updated 2012-July; 367k downloads, 4.3 stars.
    30. Miscellaneous
      1. SZ Google for WordPress (developer; svn: http://plugins.svn.wordpress.org/sz-google/): Newish plugin to integrate Google and Google+ tools into WP blog.
      2. WP PageNavi
      3. Wiki plugin from WPMUDev ($19): Gives WordPress some mediaWiki-like capabilities
      4. Wow Slider (developer; svn: http://plugins.svn.wordpress.org/wow-slider/): Regularly updated, 270k downloads, only 3.3 stars.
      5. Recommended plugins per WooThemes
      6. Google Calendar Widget
      7. All-in-One Event Calendar
      8. Google Calendar Events (developer site; svn directory: http://plugins.svn.wordpress.org/google-calendar-events/): Parses Google Calendar feeds to pull events into WordPress (e.g., into an "events" listing in your sidebar). Moribund since 2012-December; 117k downloads, 4.8 stars
    31. Commerce
      1. Free
        1. Ready! Ecommerce shopping cart (developer; svn directory: http://plugins.svn.wordpress.org/ready-ecommerce/) Regularly updated, 616k, 4.7 stars
        2. eShop (developer; svn directory: http://plugins.svn.wordpress.org/eshop/): Updated 2013-August, 577k, 3.8 stars
        3. Ecwid shopping cart (developer; developer WordPress help; svn directory: http://plugins.svn.wordpress.org/ecwid-shopping-cart/): Regularly updated; 180k downloads, 4.3 stars.
        4. WordPress Simple PayPal Shopping Cart (developer site; svn directory: http://plugins.svn.wordpress.org/wordpress-simple-paypal-shopping-cart/): Regularly updated, 420k downloads, 4.3 stars.
        5. WooCommerce (developer; svn: http://plugins.svn.wordpress.org/woocommerce/): Regularly updated, 3.2m downloads, 4.2 stars. 
        6. WP online store (svn: http://plugins.svn.wordpress.org/wp-online-store/): Updated 2013-September; 92k downloads, 4.4 stars.
      2. Paid (or freemium)
        1. Cashie Commerce (developer; svn: http://plugins.svn.wordpress.org/cashie-commerce/): Regularly updated, 160k downloads, 3.7 stars. Charges 1% of transaction, on top of PayPal fees, and $9 per month.
        2. WordPress eStore - $50. Specially designed for selling digital goods. From developer of WP Simple PayPal Shopping Cart
        3. Shopp - $75 per site
      3. Donations
        1. From developer of Simple PayPal Shopping Cart
          1. WordPress Easy PayPal Donation or Payment Accept (developer; svn: http://plugins.svn.wordpress.org/wordpress-easy-paypal-payment-or-donation-accept-plugin/): Regularly updated, 70k, 3.9 stars.
          2. WordPress PayPal Donation Plugin (developer). Not hosted at WordPress.org.
        2. PayPal Donations (svn directory: http://plugins.svn.wordpress.org/paypal-donations/) - Regularly updated, 250k, 4.7 stars
        3. Seamless Donations (svn directory: http://plugins.svn.wordpress.org/seamless-donations/): Updated 2014-April, 20k, 4.4 stars.
    32. Premium plugin providers
      1. WPMUDev: lots of plugins for $19/each. Aimed at developers and resellers. Subscription required for updates.
      2. ManageWP.com — paid service for managing multiple sites (backing up and updating)
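
The sitemap step under Google XML Sitemaps above (blank sitemap.xml and sitemap.xml.gz files, group-writable by the web server's group) can be scripted so that only those two files become writable. This is an added example, not code from the plugin or from the original page; the function names are assumptions, the group defaults to the page's `web`, and the mode is set explicitly to the rw-rw-r-- the page describes.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are assumptions.

# Create the two placeholder files and make them writable by the group
# the WordPress/PHP process runs under, and by nothing else.
prepare_sitemaps() {
    webroot=$1          # site root where the plugin writes its output
    group=${2:-web}     # "web" is the group named on the page

    for f in "$webroot/sitemap.xml" "$webroot/sitemap.xml.gz"; do
        # A symlink here would let the group write to whatever it points at.
        if [ -L "$f" ]; then
            echo "refusing to touch symlink: $f" >&2
            return 1
        fi
        [ -e "$f" ] || : > "$f" || return 1
        chgrp "$group" "$f" || return 1
        chmod 664 "$f" || return 1    # user rw, group rw, other r
    done
}

# List anything under the web root that is world-writable, or that is
# group-writable without being one of the two sitemap files.
audit_webroot() {
    find "$1" ! -type l \( -perm -0002 -o \
        \( -perm -0020 ! -name 'sitemap.xml' ! -name 'sitemap.xml.gz' \) \
        \) -print
}
```

Run `audit_webroot` on the site root afterwards; empty output means the sitemap files are the only group-writable entries.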

    Themes — see separate page

    Note: free themes can be a security risk (WPMU.org, 2011-January)

    References

    General

    The WordPress Codex — the official documentation wiki.
    Ottopress.com — a blog by a WordPress expert.
    WordPress Planet — aggregator of blogs about WordPress
    Planet WordPress Canada — like WordPress Planet, but colder
    Yoast.com — WordPress developer that has lots of plugins as well as tutorials
    Advanced WP tweaks — undated, at askapache.com
    Master the WordPress Loop (.net magazine, 2012-July)
    Build a Multilingual Site with WordPress (.net magazine, 2011-September)
    36 Useful Free Plugins (WPMU.org, 2012-September)
    100 top WordPress Plugins (WPMU.org, 2012-March)

    Blogs about WordPress:

    Subversion and WordPress

    WordPress Security

    WordPress Commerce

    Responsive design

    Cloud hosting

    Good-looking sites
