Disable session cookies in Pods

We were having trouble on a site that has a lot of traffic, with PHP timing out, and the web server not recovering. It was odd, because the site doesn’t have many interactive parts, and is mostly served from the cache… except it wasn’t being cached at all!

The site makes heavy use of Pods for custom post-types, and that is hardly an issue, but in this case Pods was setting a session ID via cookie, which of course meant each time a page is visited it is “new”, and bypasses the cache. Suddenly our high volume of traffic is hitting the database and rendering each page on every load, and honestly I was surprised it survived for as long as it had.

My research turned up two issues that were relevant: Replace all session and session_id usage #2237 and 2.4.3 prevents browser caching #2542.

#2237 refers to a change that could possibly fix this issue, but is ongoing. #2542 contains the fix, though I wasn’t able to track where it came from, as it wasn’t provided in the referenced conversation.

define('PODS_SESSION_AUTO_START', false);

Because I couldn’t source this seemingly undocumented config, I hopped on the Pods Slack instance, where Jim True and Bernhard Gronau verified that it was exactly for this use case. Pods has a feature I don’t use, wherein one can produce a front-end form to submit content directly into a Pods-created post-type, and the sessions are a security feature.

Turning off the sessions did the trick, and soon the site was being delivered from the cache.
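
A way to confirm the before and after described above, added here as an example (not from Pods or the original write-up). It assumes the cookie carries PHP's default session name, PHPSESSID, and that PHP's default session cache limiter sent the no-cache headers; the function names and sample responses are constructed.

```shell
#!/bin/sh
# Print one line per response header that keeps a page cache from storing
# or serving an anonymous GET. Reads raw response headers on stdin.
cache_blockers() {
    tr -d '\r' | awk '
        { lower = tolower($0) }
        lower ~ /^set-cookie:/ {
            name = $0
            sub(/^[^:]*:[ \t]*/, "", name)   # drop the header name
            sub(/=.*/, "", name)             # keep only the cookie name
            print "set-cookie:" name
        }
        lower ~ /^cache-control:/ {
            if (lower ~ /no-store/) print "cache-control:no-store"
            if (lower ~ /no-cache/) print "cache-control:no-cache"
            if (lower ~ /private/)  print "cache-control:private"
        }
        lower ~ /^pragma:.*no-cache/ { print "pragma:no-cache" }
    '
}

# Succeeds only when no blocker is found (usable as a deploy check).
is_cacheable() { [ -z "$(cache_blockers)" ]; }

# Constructed sample: anonymous GET while PHP sessions auto-start.
sample_with_session() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
EOF
}

# Constructed sample: same request once PODS_SESSION_AUTO_START is false.
sample_without_session() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=600
EOF
}

# Live check (placeholder hostname): curl -sI https://example.com/ | cache_blockers
sample_with_session | cache_blockers
```

Run it against a logged-out request; any output on a page that should be public is a reason the cache is being skipped.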

Bonus tip

In discussing the Pods forms, I mentioned I used Gravity Forms, with the Gravity Forms + Custom Post Types plugin. They recommended Pods Gravity Forms Add-On. When I asked about the difference, they explained the Pods add-on can handle relationship fields. That is very cool! ^_^

WordPress 4.6 Beta 1 and feature freeze

Hey! WordPress 4.6 is cranking along, and a feature freeze and beta have dropped.

There are two big sub-projects in this release: Font Natively and Shiny Updates.

Font Natively reverses what I’ve always considered the mistake of linking to Google Fonts in the WordPress admin pages. One of my essential plugins has always been either Remove Google Fonts References or Disable Google Fonts, to remove those links. I am very happy this embarrassing mistake is being fixed.

Shiny Updates makes the experience of updating themes, plugins and WordPress core a more enjoyable and straightforward process, in line with expectations for modern software. This is polish, and follows WordPress’ principles of “designing for the majority, and striving for simplicity”. It will also make it a slightly better experience for those of us that run updates habitually (though I’ve largely moved to using Advanced Automatic Updates or WP-CLI myself).

This will be a fun update! Do you have any wish(list)s for future WordPress releases? I am always curious what folks are looking for. ^_^

WordPress Theme Review Team revising review process

WordPress is an amazing volunteer project, with real bodies working to keep the Theme and Plugin repositories online, as well as the support forums humming along. With so many users on the web using WordPress, it is a big job.

The Theme Review Team knows they are behind in reviewing new themes, and have a (action!) plan to reduce the queue. There is a revised workflow presented, as well as a plan to develop a theme check plugin on GitHub.

I am very grateful for this work being done, and I’ve considered joining the theme review team myself. I’ve heard it is a good way to learn decent theme coding standards, and I intend to release a theme to the public repo (eventually, no timeline for that!).

If you are interested in theme development and how the WordPress infrastructure supports it, follow the Theme Review Team make blog. ^_^

Recommendations for WordPress hosting

The WordPress Web Hosting page has been updated (and not without its own drama). I’ve used all of the hosts on there, so I figured I would weigh in with my experience.

I want to note up front that I also do WordPress hosting, specifically for small businesses and larger orgs, and also some that would be categorized as “bloggers”, but they get a lot of traffic. I feel that the hosting page is for folks first coming to WordPress, or website hosting in general. If you want to talk about hosting for performance and building up traffic, get in touch. ^_^

First I will make my recommendation, and then I will describe each service.

For the best value, ease of use and access, go with DreamHost (but with caveats). If you build sites (front- or back-end) for other people and aren’t very interested in the hosting part, Flywheel is pretty good. Bluehost and SiteGround are meh, and you pay for what you get, which is not very much.

Highlights

Bluehost – Nothing stands out as particularly bad about this service, but the dashboard is neither pleasant nor straightforward for a lot of the features you need to use when administering your site.

DreamHost – I’ve had a lot of issues with DreamHost over the years, but in the decade since I had stopped using them, they put a lot of effort into two areas that I work in: cloud computing and WordPress hosting. Their dedicated WordPress hosting is a solid web stack, and if you need to host a site that will ramp up traffic quickly (such as a small business about to launch, or a community project), I recommend that. However, if you are just starting, and will be blogging or not updating your site often, I would opt for their shared hosting instead. They even have a one-click installer that makes it pretty easy to get up and running in no time.

Flywheel – Flywheel has perhaps the prettiest dashboard of any hosts, but then they go after designers and front-end developers. I considered Flywheel for some of my managed sites, but their traffic calculations didn’t work for me (see my note below). However, for staging a site and working with others, they have some interesting tools, including a neat login/site alias alternative to standard SFTP. One hopes they don’t need to use SFTP, of course.

SiteGround – Very similar to Bluehost, except even uglier on the backend. It is just cPanel that looks so awful, and despite this being my career choice, I’ve surprisingly had little need to use cPanel. But that means I know how limiting it is, and SiteGround’s services are very limiting. I was unable to fully vet their service because I got caught in customer support limbo, but that is a very important part of your hosting company. They consistently get good ratings from hosting directories, but my experience was pretty awful.

What to look for in a web hosting service?

Some WordPress hosting plans are hyper-focused on WordPress, and others treat it as just another PHP app. And nearly all hosting companies will try to up/cross-sell you on their other services, such as domain registration and email hosting. Here are my opinionated thoughts regarding the details of your hosting plan.

Be wary of domain registration! Some places register domains in a particular way that makes it difficult to resolve an issue if one arises (such as the gawd-awful scenario that someone tries to social engineer one away from ya). This is compounded by the fact that most hosting companies will imply that they need to host your DNS records in order to host your website. I’ve never known a host that needed to host your DNS in order to host your site. Instead, pick a domain registrar with clear guidelines and a decent reputation. I recommend Gandi.

Most web hosting companies are not going to do email well. Why? Because email hosting is a full-time job, and requires a lot of methods and technologies that websites do not. But when a person is starting out, they don’t want to go to another company for email, so it is a natural fit for upsells or inclusion in a base service. You will be sad if you use the email from your web host. For people email (meaning you personally correspond with other humans) I recommend FastMail if you want your own domain, or ProtonMail if you want to be all secure and private. Statistically, you are probably using Gmail, and they have a paid tier for custom domains.

Security certificates are hot! You should have one as soon as possible, and your web host should provide an easy, clear way to set that up. Some certificates are paid, while others are provided for free by Let’s Encrypt. DreamHost does this, with the click of a checkbox! That is a big deal, and I am irritated that many hosts not only charge a fee per site, but also make it monthly. We should all endeavor to make web traffic secure, so either avoid hosts that charge monthly fees, or write to them about Let’s Encrypt.

Web hosting should be fun!

I know there is a lot of stuff to consider when hosting your WordPress site. I didn’t even get into caching and CDNs, or accessibility and responsive design. And each of the caveats I did bring up has many books written on the topic. But keep in mind that starting a blog or small site should be fun, and most hosts won’t get in the way of that. But if you have questions or doubts, drop me a line and we’ll see if we can’t make it a bit easier to get through. ^_^