FeaturedWordPress
How to Change a WordPress Password
Four reliable ways to change a WordPress password: admin dashboard, WP-CLI, directly in the database with the correct phpass or bcrypt hash, and the lost-password email reset.
Topic · WordPress
WordPress
Building, hardening, and unbreaking WordPress without losing weekends to plugin updates.
135 articlesWritten by Ishan Karunaratne
More in WordPress
How Hosting Choices Affect Agency Profitability
Hosting is one of the most leveraged decisions an agency makes for margin. The honest math: hosting markup as recurring revenue, operational time as hidden cost, the per-client profit comparison across the four hosting tiers.
A WordPress Hosting Decision Tree for Agencies
Hosting choices for WordPress agency clients are operational decisions, not pricing decisions. The decision tree by traffic tier and workload type: shared, managed WordPress, managed VPS, self-managed VPS. Plus the agency-side implications of each.
When Agencies Should Self-Host WordPress (and When They Should Not)
Self-hosting WordPress as an agency is one of the most consequential operational decisions you can make. The four conditions under which self-hosting is the right call, the four under which it is a mistake, and the honest math on the long-term cost.
Managed WordPress Hosting vs VPS for Agencies
Managed WordPress hosting buys you operational simplicity at a per-site price premium. VPS buys you flexibility and lower per-resource cost at the price of in-house sysadmin time. The honest comparison and the agency-side break-even math.
Rank Math vs Yoast SEO: Which WordPress SEO Plugin to Use in 2026
Rank Math's free tier covers roughly what Yoast Premium does, schema support is broader, and the plugin is lighter on resources. Yoast still has brand recognition and a more guided editor flow. The honest agency comparison, by feature, performance, schema, pricing, and migration cost.
Rocket.net for WordPress Agencies: Honest Review
Rocket.net is the newer managed WordPress entrant that has gained agency mindshare for performance and Cloudflare Enterprise inclusion. The honest take on speed, pricing, the developer experience, and where Rocket.net wins or loses against the established hosts.
WordPress wp-config.php Malware (gsyndication / googlesyndication): Remove It and Stop the Reinfection
Remove the gsyndication malware (sync.gsyndication.com and async.gsyndication.com) that injects a script into wp-config.php, find the hidden process, cron, and database entries that keep reinfecting it, and clean it for good.
The Exact Stack I'd Use to Run a Small WordPress Agency Today
If I were starting a small WordPress agency today: the page builders, plugins, hosting, forms, SEO, backups, image optimization, and AI tooling I'd actually choose, with the reasoning behind each pick.
WP Engine for WordPress Agencies: Honest Review
WP Engine is the most-recognized managed WordPress host and the default pick for many agencies. The honest take on performance, support, the agency partner program, the recent ACF acquisition implications, and where WP Engine wins or loses against alternatives.
The Fake Cloudflare Verification Attack on WordPress (ClickFix): What It Is and How to Remove It
Visitors to your WordPress site see a fake 'Cloudflare verification' page telling them to paste a command into Windows Run or Terminal. That's ClickFix, the social-engineering campaign that first appeared in early 2024 and exploded across compromised WordPress sites by autumn. What it does, where the injection lives in your site, and how to clean it without missing the persistence.
Kinsta for WordPress Agencies: Honest Review
Kinsta is the premium managed WordPress host most agencies eventually consider. The honest take: where the value justifies the price, where it does not, the agency partner program math, and the alternatives at each tier.
How to Start a WordPress Agency in 2026 Without Burning Yourself Out
What I'd actually do if I were starting a WordPress agency today: client acquisition, recurring revenue, hosting, maintenance, outsourcing, AI workflows, and the operational mistakes that kill small shops.
Bluehost for WordPress: Honest Take for Small Sites
Bluehost has the WordPress.org recommendation and the lowest entry-tier price in mainstream hosting. The honest take on where Bluehost legitimately fits in 2026, the real operational ceiling, and the migration path for sites that outgrow it.
Cloudways for WordPress Agencies: Honest Review
Cloudways is the agency host that gives you VPS flexibility with managed-WordPress simplicity, at a per-site price closer to shared hosting. The honest take on what that hybrid actually means in practice, plus the DigitalOcean acquisition implications.
Why I Wouldn't Build Fully Custom WordPress Themes for Most Clients in 2026
I am a custom-development-first engineer. But for most agency client work in 2026, fully custom themes are the wrong economic choice. The honest case for picking reusable systems over from-scratch builds.
Pull GA4 Data Into WordPress With a Service Account
Read your own GA4 metrics server-side from WordPress: a Google Cloud service account, the google/analytics-data PHP client, a te_ga4_run_report() wrapper around runReport, plus caching and credential hygiene.
Why Many Agencies Still Prefer ACF Over Gutenberg
ACF and Gutenberg are not competing for the same job. The honest agency take: where Gutenberg wins, where ACF Flexible Content still wins, and how to decide for a fresh project in 2026.
Divi vs Elementor for Agency Workflows
Divi and Elementor are both legitimate agency picks. The honest comparison: workflow speed, ecosystem depth, hiring availability, client handoff, performance, lock-in, and which fits which agency shape.
Why Divi Still Makes Sense for WordPress Agencies in 2026
I do not reach for Divi by default, but I have watched small teams ship 40-page sites in a week with it. The operational case for Divi in 2026: speed, ecosystem, hiring, client handoff, and the criticisms that have aged poorly.
How to Optimize WooCommerce: Why It's Slow and How to Fix It
A WooCommerce store slows down for specific, structural reasons. Here is the layered fix: hosting, page caching, object caching, the database, search, and the front end, and why one layer alone is never enough.
Bulk-Edit WordPress SEO Titles and Meta Descriptions From a Google Sheet
Maintain SEO titles and meta descriptions in a Google Sheet and have a WP-CLI command write them into Yoast or Rank Math. Pull model, change-only, dry-run by default. No opening each post in the editor.
Do I Need ElasticPress? An Honest Decision Checklist
ElasticPress is powerful and, for most WordPress sites, unnecessary. Here is a straight checklist: the signals that mean you genuinely need it, the hidden costs, and the cheaper options to try first.
Generate a Static XML Sitemap for Large WordPress Sites (WP-CLI)
On a WordPress site with hundreds of thousands of URLs, building the sitemap on every request is expensive. Generate static sitemap files with a WP-CLI command instead: chunked to 50,000 URLs, written to disk, and regenerated on a schedule.
ElasticPress vs MySQL FULLTEXT: Which WordPress Search to Use
MySQL FULLTEXT search is built in and free of moving parts. ElasticPress adds a real search engine. Here is a practitioner comparison: relevance, typo tolerance, faceting, scale, and the cost each one carries.
Populate a WordPress Events Calendar From a Google Sheet
Keep events (title, dates, venue, sold-out flag, ticket URL) in a Google Sheet and have WordPress pull them into an event CPT on a cron. Dates stored as sortable Y-m-d H:i:s, change-only, dry-run by default, so the calendar maintains itself.
Elasticsearch vs OpenSearch for ElasticPress: Which to Run
ElasticPress officially supports Elasticsearch, not OpenSearch. OpenSearch can be coaxed into basic functionality, but 10up does not recommend it for production. Here is the real status and what to run.
Build a Dynamic Gutenberg Block (Server-Rendered with render_callback)
How to build a dynamic Gutenberg block: render the front-end markup in PHP at request time with render_callback (or the block.json render property), return null from save, and preview it in the editor with ServerSideRender.
Update a WordPress Business Directory From a Google Sheet
Keep a directory of thousands of listings in sync with a Google Sheet a non-dev maintains: a WP-CLI pull command that reconciles each listing change-only, parses structured hours, and flips permanently-closed places to a closed status instead of deleting them.
Register a Custom Gutenberg Block with block.json
The modern way to register a custom Gutenberg block: a block.json metadata file, register_block_type( __DIR__ . '/build/callout' ) on the init hook, and a @wordpress/scripts build step. One source of truth for PHP and JS.
Use a .env File for WordPress Config and Secrets
Keep API keys, database credentials, and SMTP secrets out of wp-config.php and out of git by loading them from a .env file with vlucas/phpdotenv, fed into define() where WordPress expects constants.
Common ACF Performance Problems on Large WordPress Sites
ACF performance problems at scale almost always trace to one of six things: missing object cache, oversized Repeaters, deeply nested Flexible Content, meta_query usage on ACF fields, too many fields per post type, or the field-key reference overhead. Here is what to look for and fix in each.
Manage a Restaurant Menu in WordPress From a Google Sheet
Let the kitchen edit a Google Sheet (prices, sections, daily specials, an 86'd flag) and have WordPress reconcile a menu_item post type to it on a schedule. A WP-CLI pull command, change-only, dry-run, and a sold-out flag that hides instead of deletes.
Refresh Posts When a Taxonomy Term Changes (saved_term Hook)
Editing a taxonomy term does not refresh the posts that cache term-derived data. Hook saved_term, re-save the attached posts, and bust the stale output, carefully and at scale.
Build a Filterable CTA System in WordPress With Hooks
Render every call-to-action through one helper whose phone, label, URL, and visibility are all WordPress filters, so you change a CTA per context from a must-use plugin without touching the theme.
Disable jQuery Migrate in WordPress
How to disable jQuery Migrate in WordPress: remove the jquery-migrate dependency on the front end so the compatibility shim stops loading, plus the testing step that tells you whether it is safe.
Why Your ACF Checkbox Field Returns an Array
ACF Checkbox fields return arrays because they support multiple selections. The shape varies by Return Format. Here's what each option returns, the patterns for rendering and querying, and when to switch to a Select or Radio field instead.
Embed a Lazy-Loaded, Privacy-Friendly Google Map in WordPress
Embed a Google map in WordPress without tanking your load time: the free Maps Embed API iframe with loading="lazy", a te_map shortcode that escapes its output, an HTTP-referrer-locked API key, and a click-to-load consent pattern.
Securing a WordPress REST API Write Endpoint
A custom write endpoint accepts changes from the open internet. Harden it step by step: header secret, constant-time compare, HMAC signatures, replay protection, rate limiting, secret out of the repo, and a hidden route.
Override Rank Math's Title and Meta Description Programmatically
How to override Rank Math's SEO title and meta description in PHP using the rank_math/frontend/title and rank_math/frontend/description filters, plus the canonical and Open Graph filters, with conditional per-context overrides for rewrite-driven pages.
Why Deeply Nested ACF Flexible Content Layouts Become a Maintenance Nightmare
Nesting Flexible Content layouts more than two levels deep creates performance, debugging, and editor-experience problems that compound fast. Here is where the cost shows up and the alternatives that scale better.
Build Service-Area Landing Page URLs in WordPress (/service/city/)
How to build /service/city/ landing page URLs in WordPress with add_rewrite_rule and a custom template, plus the honest E-E-A-T warning about when this crosses into doorway pages Google penalizes.
Too Many ACF Fields? Here is When WordPress Starts Struggling
WordPress handles 30 ACF fields per post type comfortably, 60 with care, and 100+ usually indicates an architecture problem. Here is what breaks at each tier and the patterns for splitting an oversized field group into something maintainable.
Send WordPress Email Through SendGrid
Route WordPress email through SendGrid's SMTP relay with the phpmailer_init hook, keep the API key in wp-config.php, and stop transactional mail landing in spam.
Large ACF Repeater Fields Slowing Down WordPress? Here is Why
Large ACF Repeaters (100+ rows) slow down WordPress because each sub-field is a separate wp_postmeta row. The fixes: persistent object cache, fewer reads, direct-meta count, or moving the data out of Repeater into a custom table or separate post type.
Clean Up wp_head in WordPress: Remove the Header Bloat
What WordPress prints in wp_head by default, which tags and scripts are safe to remove, and one must-use plugin that strips the emoji, shortlink, feed, oEmbed, and version bloat in one place.
Add a Custom Sitemap to Yoast SEO (wpseo_sitemap_index)
How to add a custom sitemap to Yoast SEO so rewrite-driven pages with no WordPress post still get indexed: append a <sitemap> to the index with wpseo_sitemap_index, register a named sitemap, and generate its <url> entries.
Build Make / Model / Year URLs in WordPress (Catalog and Directory Sites)
How to build three-level /make/model/year/ URLs in WordPress with add_rewrite_rule, custom query vars, and a vehicle CPT, plus the static-prefix collision that breaks the naive rule. Works the same on a catalog of brand/series/model or category/sub/sku.
Using ACF with Divi for Dynamic Content
Divi's Dynamic Content lets editors bind ACF field values to module properties without leaving the visual builder. The setup, the patterns that work for Text and Image fields, the limits for Repeater and Flexible Content, and the custom-shortcode escape hatch.
Structure a Real Must-Use Plugin: Subdirectory and Composer Autoloading
WordPress only loads top-level PHP files in mu-plugins, with no activation hooks. Use a one-file loader that requires a Composer-autoloaded, PSR-4 namespaced plugin from a subdirectory.
Bulk-Create WooCommerce Products From a CSV or Google Sheet With a Script
When the built-in CSV importer is not enough, a WP-CLI command reads a sheet or CSV and creates WooCommerce products through the CRUD. Idempotent by SKU, dry-run by default, so re-running the same file never duplicates.
Off-Server WordPress Backups (3-2-1) With Verified Restores
The backup plugin running inside WordPress is the same WordPress the attacker just compromised. A 3-2-1 backup strategy with restic or borg, stored outside the trust boundary, and verified by monthly test restores. Configuration, retention, and the exact restore sequence after a compromise.
How to Use ElasticPress with WP_Query
Wire ElasticPress to WP_Query so WordPress queries hit Elasticsearch instead of MySQL. Covers installation, indexable post types, ep_integrate, the wp-cli index command, faceted search with aggregations, and when ES actually beats MySQL FULLTEXT.
Override Your SEO Plugin's Title and Meta Description (Yoast, Rank Math, or Core)
Hooking pre_get_document_title does nothing once Yoast or Rank Math is active: the plugin owns the title and meta description tags. Here is which filter to hook for Yoast, Rank Math, and core, plus a portable helper that detects the active plugin.
A Cleaner Way to Render ACF Flexible Content Layouts Using Template Parts
The template-parts pattern for ACF Flexible Content: one PHP partial per layout, one dispatcher loop, zero switch statements. The directory structure, the loop, the data-passing, and the agency-scale benefits.
Remove the wp-block-library CSS in WordPress (Carefully)
How to dequeue the wp-block-library CSS in WordPress, and the one big caveat: do it only on a site whose front end uses no block markup, or you break your layout.
WordPress File Integrity Monitoring That Can't Be Disabled from Inside the Server
Wordfence, Sucuri, and every in-WordPress security plugin can be disabled by malware running with the same privileges. The fix is monitoring at a layer the attacker can't touch: AIDE, maldet, or a custom cron-driven script running as root. With working configurations for each.
Add a Custom REST API Endpoint in WordPress (register_rest_route)
How to add a custom WordPress REST API endpoint with register_rest_route: the namespace convention, methods, the required permission_callback, args validation and sanitization, and returning WP_REST_Response or WP_Error.
Build a Custom Product URL Structure in WordPress (Remove /product/ and /shop/)
How to build a custom product URL structure in WooCommerce: change or remove the /product/ and /shop/ bases from Settings > Permalinks, do it in code with a permalink filter plus add_rewrite_rule, and avoid the 404 collisions that come from a base-less product slug.
Proper Responsive Images with ACF Image Fields
The cleanest pattern for responsive images from an ACF Image field: ID return format plus wp_get_attachment_image, which produces a complete srcset and sizes attribute from registered image sizes. Plus the manual srcset pattern when you need control.
Set WordPress Featured Images From a Spreadsheet of URLs
A sheet of post_id and image_url, a WP-CLI command that sideloads each URL into the media library and sets it as the post's featured image. Change-only, dry-run by default, and it skips posts that already have a thumbnail so re-running never duplicates.
Disable WordPress oEmbed (Discovery Links, wp-embed.js, and /embed/)
How to disable WordPress oEmbed: stop the discovery links, the wp-embed.js script, the oEmbed REST route, and the /embed/ URLs, while keeping the YouTube-style embeds you paste in posts working.
Why Your First ACF Repeater Row Appears Empty
An ACF Repeater where the first row's data looks blank is almost always one of three things: missing the_row(), incorrect sub-field name, or accidental data overwrite via update_field with the wrong field reference.
Using ACF Repeater Fields Inside Flexible Content Layouts
A Repeater inside a Flexible Content layout is the canonical two-level nesting pattern. Here is how to register it, the nested loop pattern that works correctly, common bugs, and when the structure is the wrong choice.
Catch and Route Your Own 404s in WordPress
Intercept requests that would 404 in WordPress on template_redirect, then resolve them to real content with status_header(200), 301 to the right URL with wp_safe_redirect(), or let them fall through. A fallback router for dynamic and legacy slugs you cannot enumerate.
Add a Custom WP-CLI Command in WordPress
How to register a custom WP-CLI command: guard it with defined('WP_CLI'), wire it up with WP_CLI::add_command(), turn class methods into subcommands, document args with @synopsis, and show progress with make_progress_bar().
Sending Gravity Forms Data Into ACF Repeater Fields
Gravity Forms does not natively submit Repeater-shaped data, but three patterns handle the common cases: append-per-submission, single submission with grouped sections, and a custom JSON-encoded field. Here is each with code.
Build a WordPress Table of Contents from Your Headings (No Plugin)
Generate a WordPress table of contents from your post headings with no plugin: a the_content filter that injects heading ids, builds a nav of anchor links, scrolls smoothly with CSS, and caches the result in a transient.
Sync WooCommerce Stock and Inventory From a Supplier Google Sheet
Have WordPress pull a supplier's stock feed from a Google Sheet on a nightly cron and apply it through the WooCommerce CRUD: resolve by SKU, set quantity and status, write only the rows that moved.
Useful Things You Can Do with acf/save_post
acf/save_post is the hook that fires after ACF saves a post's custom fields. Useful patterns: derived field computation, taxonomy sync, search-index refresh, ACF-to-meta mirroring, validation, audit logging. Plus the gotchas.
WordPress Rewrite Rules Not Working? The Checklist
A diagnostic checklist for WordPress rewrite rules that won't fire: forgetting to flush, an unregistered query var, rule order, regex anchors, and how to inspect reality with wp rewrite list and parse_request.
Disable Dashicons on the WordPress Front End
How to disable Dashicons on the WordPress front end: dequeue the dashicons stylesheet for logged-out visitors only, so the admin icon font stops loading on pages that never use it.
Using ACF with Elementor Dynamic Fields
Elementor Pro's Dynamic Tags integration with ACF is the mature reference for binding custom field values to widget properties. Coverage for every field type, including Repeater via the Loop widget, and the Theme Builder integration for archive templates.
Add Google Tag Manager to WordPress Without a Plugin
Install Google Tag Manager on WordPress with no plugin: the script in wp_head, the noscript iframe in wp_body_open (WP 5.2+), and the container ID stored once. The body snippet is the part people get wrong.
Why Wordfence (or Any Security Plugin) Keeps Getting Silently Disabled
WordPress security plugins running inside WordPress can be disabled by anything that runs inside WordPress, including the malware they're supposed to catch. The four mechanisms attackers use to silently turn off Wordfence, Sucuri, Jetpack, WP Activity Log, and similar tools, plus the server-side monitoring layer that doesn't depend on WordPress being trustworthy.
How to Get the Current ACF Flexible Content Layout Name
get_row_layout() returns the current layout's name inside an ACF Flexible Content loop. Plus the canonical dispatch pattern using template parts, the switch-based pattern, and what to do when get_row_layout returns nothing.
Manage Multiple WordPress Sites From One Google Sheet
Run a fleet of WordPress installs from a single Google Sheet: a website column per row, a small controller that groups the rows by site and pushes each batch to that site's endpoint, and partial-failure handling so one dead site never blocks the rest.
Using ACF Like a Lightweight Component System
ACF Flexible Content plus template parts plus a shared component library is effectively a lightweight component system for WordPress. The patterns: one component per layout, props via sub-fields, composition over inheritance, and how it compares to React-based alternatives.
Inline CSS in WordPress Instead of Enqueuing a Stylesheet
Two ways to inline CSS in WordPress: attach it to an enqueued handle with wp_add_inline_style, or echo a minified <style> block on wp_head. When inlining critical CSS helps, and when it just bloats every page.
Build State and City Location URLs in WordPress (from the Root)
Serve geographic URLs like /california/ and /california/los-angeles/ from the WordPress root: a location CPT, a state/city taxonomy, two add_rewrite_rule patterns mapping path segments to query vars, and pre_get_posts to load the right listings without thin pages.
How to Get ALT Text from an ACF Image Field
Getting alt text from an ACF Image field depends on the field's Return Format. Image Array gives you the alt directly. ID and URL formats need a wp_get_attachment helper. Plus the cleanest pattern for always-correct alt output.
Schedule a Recurring Task with WP-Cron (and When to Use a Real Cron)
How to schedule a recurring task in WordPress with wp_schedule_event(), add a custom interval via the cron_schedules filter, guard it with wp_next_scheduled(), and when to ditch WP-Cron for a real system cron.
Point a WordPress URL at a Different Page or Post (No Redirect)
How to make one fixed WordPress URL serve the content of a different page or post with no 301 redirect, so the address never changes. Uses add_rewrite_rule (or the request filter) plus the canonical handling you must not skip.
Bulk Schedule WooCommerce Sale Prices From a Google Sheet
Run a site-wide or category sale from a sheet of sku, sale_price, start and end dates. A WP-CLI command reads the sheet, sets scheduled sale dates through the WooCommerce CRUD, and lets WooCommerce flip and unflip the price on its own. Dry-run and change-only.
ACF Field Naming Conventions That Actually Scale
A few naming conventions for ACF field groups, field names, and field keys keep a multi-year codebase navigable: snake_case names, hierarchy-encoded keys, post-type prefixes, sub-field consistency. The cost is zero; the benefit compounds.
How to Use Git with WordPress
How to put a WordPress project under Git: what to track vs ignore, a ready .gitignore, version-controlling just your theme or plugin, and deploy options.
Remove WordPress Feed Links (and the /feed/ URLs)
How to remove WordPress feed links from the head with remove_action, plus the deeper step most guides skip: killing the /feed/ rewrite rules and redirecting the URLs so they stop getting crawled.
A Hardened wp-config.php Template (with Comments on Every Choice)
wp-config.php is the first PHP file WordPress loads. The defaults from the stock installation are minimal; the hardened defaults take five minutes to apply and close most of the attack surface that lives below the plugin layer. A complete annotated template covering disabled file editing, forced HTTPS, secure salt rotation, debug behavior, and the file permissions that matter.
Discovered vs Crawled - Currently Not Indexed in Search Console
What 'Discovered - currently not indexed' and 'Crawled - currently not indexed' actually mean in Google Search Console, why they are usually normal, and why spamming Request Indexing does nothing.
ACF Flexible Content Loop Not Working? Here's the Fix
ACF Flexible Content loops fail silently in five predictable ways: missing have_rows, wrong context, missing the_row inside the loop, post ID confusion, and nested loops. Here's the fix for each.
Create Virtual Pages in WordPress (Pages Without a Post in the Database)
Serve a fully working page at a URL with no post in the database: an add_rewrite_rule routed to a query var, rendered on template_redirect with status_header(200) so WordPress does not 404 it.
Two-Way Sync Between WordPress and a Google Sheet
Keep a Google Sheet and WordPress in step in both directions: WordPress writes its current state back into the sheet, and edits in the sheet flow back to WordPress. The plumbing is easy. The hard part is deciding which side wins, and this is how to decide it on purpose instead of by accident.
Simple Related Posts System Using ACF Relationship Fields
An editor-curated related posts system on ACF Relationship is three pieces: a field group, a render partial, and an optional fallback to algorithmic related posts when the editor hasn't picked any. Here is the working template.
Bulk-Update WooCommerce Products (Prices, Stock) From a Google Sheet
Pull a supplier sheet of SKU, price, and stock into WooCommerce and apply each row through the product CRUD. A WP-CLI command with a service account, change-only writes, and a dry run, plus why writing _price directly is the bug that bites you later.
Serve WordPress Pages from the Root (Remove the Parent Slug from the URL)
Drop the /docs/ section slug and serve a custom post type from the site root: the post_type_link filter to render the short URL, the add_rewrite_rule that resolves it, a 301 for old paths, and the collision caveat nobody warns you about.
How to Set Default Values in ACF Select Fields
ACF Select fields have a Default Value setting in the field group editor that handles the simple case. For dynamic defaults (computed from another field, role-based, or per-post-type), the acf/load_value filter is the right tool.
replytocom URLs in Google Search Console: Why They Are Harmless
Thousands of ?replytocom= URLs in Search Console come from WordPress comment reply links. Why they are already nofollow and canonicalized, and why blocking them in robots.txt is the one fix that backfires.
How to Update ACF Fields Programmatically
update_field() is the canonical way to write ACF data programmatically: the function signature, how to write to Repeater and Flexible Content fields, when to use field keys instead of names, options pages and user meta, and the gotchas that bite.
How to Find the Original Entry Point in a WordPress Compromise (Access-Log Forensics)
A cleanup that doesn't identify the entry point is temporary. The methodical access-log analysis that finds exactly which plugin CVE, credential vector, or upload path got the attacker in, with the grep one-liners, the timestamp correlation against file modification times, and the cases where the entry is in a log other than the access log.
WP_Query at Scale: Performance and Memory
Why a WP_Query over thousands of posts balloons on memory and queries, and the exact knobs (fields => ids, no_found_rows, cache priming, batching, flush-in-loop) that fix it, each one measured before and after.
Add Custom Endpoints to WordPress URLs (add_rewrite_endpoint)
How add_rewrite_endpoint() bolts a /reviews/ segment onto the end of an existing WordPress permalink, what the EP_* masks scope it to, and how to read the value without tripping the empty-string gotcha.
How to Populate ACF Fields from Gravity Forms
Gravity Forms can create WordPress posts on submission, but mapping form fields to ACF fields requires a hook. The canonical pattern uses gform_after_submission to call update_field. Plus the dedicated Gravity Forms + ACF plugin path.
get_field() Returning Nothing? Here's What Usually Causes It
ACF's get_field() returning empty or false has eight common causes. The diagnostic order: field name typo, post context, location rules, field group not assigned, sub-field confusion, get vs the, caching, permissions.
Remove the WordPress Shortlink (rel=shortlink) from the Head
How to remove the WordPress rel=shortlink: a small remove_action snippet that strips the <link rel='shortlink'> from the head and the matching Link: HTTP header.
How to Count Rows in an ACF Repeater Field
Counting ACF Repeater rows is three short patterns: count() on the raw field, get_field_count() inside a loop, and a faster meta-only count that skips loading the rows. Each has its right use case.
Push a Google Sheet Edit to WordPress With onEdit
Fire a WordPress update the moment a cell changes: an installable onEdit Apps Script trigger that pushes the edited row to a REST endpoint, filters hard on the column, and paints the status cell red on failure.
How to Detect and Remove Fake WordPress Admin Users (Hidden Backdoor Accounts)
Fake administrator accounts that appear in wp_users without anyone creating them are one of the most common signs of a WordPress compromise. The detection SQL, the SQL that finds the mechanism that's creating them, and the cleanup that has to happen at both the user level and the persistence level for the account creation to stop.
Why ACF True/False Fields Sometimes Behave Unexpectedly
ACF True/False fields store 1 or 0 in the database but appear as booleans in PHP. Loose-comparison bugs, empty-row defaults, conditional logic visibility, and meta_query gotchas are the four causes of unexpected behavior. Here is the fix for each.
Override Yoast SEO's Title and Meta Description Programmatically
Override Yoast SEO's title, meta description, canonical, and Open Graph/Twitter tags in PHP using the wpseo_title and wpseo_metadesc filters, with per-context conditionals for dynamic and rewrite-driven pages Yoast cannot edit in its UI.
wordfence_lh URLs in Google Search Console: The Right Fix
Thousands of ?wordfence_lh=1&hid= URLs in Google Search Console come from Wordfence's Live Traffic feature. The setting that stops them, the check to run first, and why robots.txt is the wrong fix.
Remove the WordPress Version Number (Generator Tag and Asset Query Strings)
How to remove the WordPress version number: drop the generator meta tag (and the version from feeds), why hiding it is housekeeping not security, and how to handle the ?ver= query string on core assets without breaking cache-busting.
Safely Bulk-Update Custom Fields in WordPress
A bulk custom-field update with no undo is one typo away from wrecking thousands of posts. Here is a safe pattern (and a downloadable WP-CLI command) with a dry run, a backup gate, a change-only changelog, and idempotent writes.
Create a Custom URL Structure with Query Variables in WordPress
Turn an ugly query-string URL like /?destination=paris&type=hotel into a clean /hotels/paris/ path: a multi-segment add_rewrite_rule, the query_vars filter, get_query_var, and a custom query.
ACF Options Page Not Showing Up? Check These Things
An ACF Options Page that does not appear in wp-admin almost always traces to one of four things: missing acf_add_options_page() call, ACF Pro vs free version, location rules, or current_user_can capability mismatch.
Reading a Google Sheet in PHP: CSV vs the API
Two ways to read a Google Sheet from PHP: publish-to-web CSV (trivial, but public to anyone with the URL) or the Sheets API with a service account (private, scoped). The security trade-off, shown.
Why WordPress Malware Keeps Coming Back: A Field Guide to Persistence Mechanisms
WordPress malware that survives cleanups isn't stronger malware; it's malware with persistence. A complete catalog of where attackers hide the re-infection logic, wp_options autoload, WP-Cron, server crontab, .htaccess auto_prepend, mu-plugins, drop-ins, custom REST endpoints, and modified wp-config, with detection scripts for each.
Using ACF Options Pages for Global Site Settings
ACF Options Pages are the right home for site-wide settings: header CTAs, footer links, social profiles, contact info, global announcements. Registration, reading patterns, parent/child structure, and the cache-busting trick for high-traffic sites.
How to Filter ACF Relationship Fields by Post Type
ACF Relationship fields let editors pick from any post type by default. The Post Type filter in the field group editor restricts the choice list. For dynamic filtering (taxonomy, status, ACF field), the acf/fields/relationship/query filter is the right tool.
Disable WordPress Emojis to Speed Up Your Site
How to disable WordPress emojis: a small functions.php snippet that strips the wp-emoji-release.min.js script, the inline detection JS, and the emoji styles from every page.
ACF Image Field Returning an Array Instead of a URL?
ACF Image fields can return an array, a URL string, or just the attachment ID. The return format is a per-field setting. Here's what each option returns, when to pick which, and the cleanest pattern for responsive images.
admin-ajax.php High Traffic: Attack or Normal?
Thousands of hits to wp-admin/admin-ajax.php are almost always your own site: WordPress Heartbeat and plugins, not a DDoS. How to read the action parameter, when it is a real attack, and why blocking the file breaks your site.
Bulk-Update WordPress Custom Fields From a Google Sheet
The pull model: have WordPress read a Google Sheet itself with a service account and apply each row to a custom field. A WP-CLI command, no Apps Script, no button, dry-run and change-only built in.
Why ACF Relationship Fields Lose Their Selected Order
ACF Relationship fields preserve order in the editor and in the stored array, but lose it when you pass the IDs to WP_Query. The fix: post__in plus orderby=post__in, every time. Plus when ACF returns objects vs IDs.
Cross-Site Contamination on Shared WordPress Hosting (Why Cleaning One Site Isn't Enough)
If one site in a shared hosting account gets compromised, every other site under the same Linux user is at risk. Cleaning a single site without addressing the shared file system leaves the door open for reinfection from any sibling site. The structural problem and the realistic fixes, open_basedir, suEXEC, isolated users, and when to move hosts.
ACF Fields vs Native Post Meta in WordPress
ACF and native post meta both write to the same wp_postmeta table. Here is what register_post_meta gives you, what ACF adds on top, and the read/write rules so a bulk script and a content editor never fight over the same field.
How to Add a Custom Rewrite Rule in WordPress (add_rewrite_rule)
How to add a custom rewrite rule in WordPress with add_rewrite_rule: the regex, the index.php query target, registering the query var so it actually populates, loading a template, and flushing once without flushing on every request.
WordPress: Sending HTML Formatted Emails Using the wp_mail() Function
How to send HTML emails from WordPress with wp_mail and the wp_mail_content_type filter. Covers SMTP setup, deliverability with SPF, DKIM, and DMARC, and modern transactional providers like SendGrid, Postmark, and Resend.
Fix "Briefly Unavailable for Scheduled Maintenance" in WordPress
WordPress stuck on "Briefly unavailable for scheduled maintenance" means a .maintenance file got left behind by an interrupted update. Delete it and the site comes back.
Update WordPress From a Google Sheet With a REST Endpoint
Edit posts in a Google Sheet, press a button, and have the changes land in WordPress. A one-file MU-plugin REST endpoint plus a small Apps Script, with the auth done properly.
WordPress: Moderate Comments Using Regular Expressions
Use the built-in WordPress comment-moderation regex fields and the pre_comment_approved filter to approve, hold, spam, or trash comments based on PCRE patterns.
Run Bulk Scripts in WordPress With WP-CLI (eval-file)
The right way to run a one-off bulk operation across thousands of WordPress posts: a wp eval-file script with caches suspended, queries batched, and the object cache flushed in the loop so memory doesn't blow up.
How to Remove WordPress Malware: The Practitioner's Playbook
A step-by-step methodology for finding and removing malware from a compromised WordPress site, written by a Security+ certified engineer who's been cleaning sites since the early WordPress 2.x era. Covers every attack vector: file backdoors, database injections, .htaccess hijacks, wp-config tampering, and recurring reinfection. Originally written in 2016, updated regularly as new patterns emerge.
WordPress AMP: Enable Automattic's AMP Plugin for Custom Post Types (CPT)
How to add AMP support to WordPress custom post types using the official Automattic AMP plugin, with a 2026 reality check on whether AMP is still worth the engineering investment.
wp_insert_post Consuming Large Amounts of Memory: How I Actually Fix It
Fix wp_insert_post OOMs during bulk imports: chunk in batches, flush the object cache, defer term/comment counting, suspend cache invalidation, disable revisions, and (where appropriate) bypass the WordPress API with direct $wpdb writes.
Fix 'Call to undefined function get_option()' in WordPress
How to fix the 'Call to undefined function get_option()' fatal error in WordPress. Covers premature WP function calls, the wp-load.php bootstrap, the modern WP-CLI alternative, and the plugin-developer checklist.