Charlie Clemmer is a portrait and event photographer out of Texas. He and Scott met up at Out of Chicago Photography Conference to talk WordPress in a Q&A format.
This episode was recorded outside on a terrace within The Loop, so you will hear trains going by every so often.
- WordPress to Buffer Pro
- The Youngrens
- iThemes Security
- Bulletproof Security
Where to find Charlie:
Scott: Welcome to episode 42 of the WordPress Photography Podcast. My name is Scott Wyden Kivowitz, and I am with ...
Charlie: Charlie Clemmer.
Scott: We're in Chicago at the Out of Chicago Photography Conference. We are on the ...
Charlie: On the roof.
Scott: Almost the roof ... Sort of a rooftop, where the conference is. We're very close to train tracks, so if you hear the train tracks, that is why. So, we are here to talk a little bit about WordPress. I'll answer a couple questions that you might have, but first, before we do that, tell everybody more about you. First of all, we've been talking on Twitter now for a few months.
Charlie: Yeah. Yeah.
Scott: Something like that.
Charlie: Actually, this is how I found out about this conference.
Scott: Oh, really?
Charlie: You posting that you were gonna be here. Knowing you through the podcast, and was actually hoping that you would have a WordPress related ... We talked about that.
Charlie: A WordPress related topic to present on, but ended up doing your introverted street photographer piece instead, and my wife actually guessed what was the cross between an introvert and an extrovert. She got it off the top of her head.
Charlie: She's probably an ambivert. Okay, she didn't like my joke either.
Scott: There's the train again.
Charlie: There's the train again, which made a great picture too. We took a model out, let the train go behind her at one of the sessions during the conference.
Scott: Who is the leader of that one?
Charlie: Steve Nelson.
Scott: Nice. Sweet.
Charlie: That was a good session.
Scott: That was with off-camera flash?
Charlie: Off-camera flash.
Scott: Nice, I like it.
Charlie: I've been following you there. I'm out of Dallas, Texas, and do mostly event photography, a little bit of weddings. So, using the WordPress blog and why I moved from a couple of different things early on, but moved on from Zenfolio, and then had tried doing some stuff there, and ended up moving over to WordPress and trying to do all of my event photography there using NextGEN Gallery, and all that good stuff as my way to sell prints and all that good stuff.
Scott: Nice. Yeah, and pretty soon you'll have that print fulfillment back, which is nice.
Scott: Automated print fulfillment, instead of manual print fulfillment. What type of photography do you do mostly?
Charlie: Mostly event photography.
Scott: Mostly event.
Charlie: So, like I said, it's been a couple weddings, mostly family events, so anniversaries, 50th anniversaries, those kinds of things, or fundraiser type of events. The open bar, you'll have a band going. Night-time photography, just a lot of candid stuff, we'll mix in some portraits, that kind of stuff, as part of it.
Scott: Nice. How are you using WordPress other than NextGEN Gallery? What theme are you using? What other kind of plugins are you using?
Charlie: Yup, yup. It's been a learning process for me. I come from an IT background, you mentioned coming up from an IT background or a little bit of the IT security side, so I did a little bit of web posting before, and am looking at it. I'm also using an Imagely theme. I've used the Ansel theme right now. Looking at a different ... I don't remember which one it is off the top of my head for my wife. She's got a health coaching business, so it's worked out well. I can play on my site, and go from there. And then working up through more of the social media side of it, and what I want to use there. Things like Social Warfare, that I found out because of your podcast, and driving from there. I'm just now starting to get into more of the, "How can I do lead gen capture."
Charlie: I do work with Toby on the back end for a lot of my studio management piece, so using gravity forms to capture information, pull it in and go from there, but really trying to automate it, do more lead capture or opt-in type stuff, so doing the newsletter opt-ins and stuff.
Scott: Anybody who is listening or watching, if you also want to learn about lead generation, contact the people at WPPI and PPE, and tell them to have me come speak because they already have my idea that I want to teach there.
Charlie: There you go.
Scott: It's all lead generation. All lead generation. Okay. So, you're using Social Worker right now for some social sharing?
Scott: What about promotion of your content? Are you manually promoting that everything you publish something?
Charlie: That's, for me, trying to find an easy way to get content out there and have it shared across multiple channels. A long time ago, maybe a year and a half ago, it jumped in on Hootsuite, just trying to manage more Twitter traffic. Hootsuite can do some of the blog pieces, and so that's where I've gone back and forth, and I'm name blanking because the camera is rolling on what the plugin was.
Charlie: You talked about it recently.
Scott: WordPress to Buffer Pro?
Charlie: Yes, CoSchedule.
Charlie: I looked at CoSchedule and-
Scott: Their price just went up.
Charlie: And just because I have just renewed Hootsuite again, automatically, so I'm going to hold off on CoSchedule until I can work my way out of the Hootsuite piece.
Scott: So, I actually recently stopped using CoSchedule.
Scott: I love CoSchedule, and if I was pushing my photography more than just as a freelance, if I was pushing as a full time, I'd be paying for CoSchedule, no doubt about it. Even with their increased prices. However, because of how high they went, I switched to 100% Buffer.
Scott: So, Buffer gives you a big queue of your channel, and you set your schedule, and then at that specific time, it sends out whatever's next. And there's a Chrome extension, a Safari extension, Firefox and so on. There's also a Mac app, there's a IOS and Android app, so it's so easy to always add content. You can also do Instagram.
Scott: But what's really great is there's a plugin called WordPress to Buffer Pro. And in this plugin, you basically connect your blog post and your pages, anything new that you create, to your account, and you can set specific schedules for when things are added to your Buffer queue, or publish directly through Buffer. So I am basically scheduled like, forty, fifty-something days out from when a new blog is published, it's pushed across everything a bunch of times.
Charlie: So one of the things I liked with Hootsuite, and I don't know if CoSchedule has it or Buffer has it, was the ability to go back and say, I'm trying to establish my name as a leader in certain areas, and so I can go find topics or suggestions, and it would propose them into my editorial calendar to post to Twitter. Now, that's purely more on the social side, and that's what I was focused on, on the social side. I don't know if there's a component that makes sense, not necessarily for a pure photographer piece, unless it was around, "I want to do seminars, I want to ... I've got presentations that I'm trying to do for WPPI, or for Out of Chicago," to get yourself kind of shown in that light. I don't know if Buffer has something similar to that.
Scott: So are you talking about content that somebody else has created that you just want to re-share?
Charlie: Right, right.
Scott: So, Buffer doesn't do that. They used to.
Scott: They used to have that built-in. They stopped doing that and, instead, somebody integrated with them, it's called Sugggest and it's three Gs.
Scott: I don't know why.
Charlie: [crosstalk 00:07:13] suggestions or something like that.
Scott: Yeah, yeah. So there's Sugggest, which basically gives you all your different Buffer queues, and a column that has all the suggestion content that you can switch by topic, and you just drag it into each queue that you want, and it takes care of the rest. It's pretty neat. And that's free right now, which is nice.
Charlie: Very nice.
Scott: Okay, so what kind of questions do you have about WordPress?
Charlie: The fun thing for me, in having followed you in Imagely, I self-host all of WordPress right now, so it's on my own VPS, and I've started looking at, you know, is that really the right way? I've done some tweaking, trying to get my speed up, and from a network security side, I feel like I can do better control of it, while it's there. I know Imagely, you guys have got phenomenal hosting and being able to do that. I'm trying to find, is there an appropriate middle level where you go with somebody, not like a HostGator, maybe like a HostGator, share hosting?
But then, I've been burned in the past with security things where somebody corrupts, or somehow infects that share host, and now your data's not secure anymore, or they have other bad things that go through there. So, defining the fine lines between it, is an IT type person wanting to have that ability to have some control, and at the same time not wanting to be in the web hosting business. So where's the happy medium?
Scott: So, if you want that much control, the way to go is actually a dedicated server, which is not-
Scott: Yeah, it's pricey. It's basically like having your own server, except it's not in your house.
Charlie: Right, right.
Scott: It's in a secure facility, that's air-cooled and all of that stuff.
Charlie: And when it breaks, you've got to call yourself to fix it.
Scott: It depends. There are managed dedicated hosts that ... Liquid Web has one, and even SiteGround has one, Cloudways. Basically, you have a person that manages your dedicated server. If there is an issue that is beyond you, you open a ticket, they handle it for you. But it is pricey. I think they're like $200 a month.
Charlie: Oh, wow.
Scott: Right? So, it adds up. There's so many choices in hosting companies, and really, the only way to get something that is on the less expensive end is giving up control.
Scott: And letting other people just do it for you. And, if you want to go really inexpensive, it's going to a shared host, which obviously, as you said, has its vulnerabilities.
Charlie: And the speed impacts too.
Scott: Oh, big speed impact, yeah. On a shared host, if one site slows down, every site on that shared host is going to slow down, for whatever reason, if there's a plugin, or a thing that's really resource-use intensive, then every site's being impacted by that. Or, if one gets hacked, it opens up a backdoor to others.
When we migrated the Youngrens website over to our hosting platform, we found out that they were on a BlueHost plan, same company as HostGator and many of the other companies that IEG owns, and not only was their website, the Youngrens hacked, and BlueHost had no clue, but every site on the server was hacked.
Scott: So, during every migration, it had to be cleaned, and that gets expensive. So, share hosting has its vulnerabilities, in different ways.
Charlie: What about on the security side? So, I know you've talked about WordFence before ... I don't recall whether I found out about them through you or another way, but, as far as a way to look at and ... I know WordFence can go back and look to see if your file's been changed. Do they match what's in the current archive, that kind of stuff?
Charlie: Does that buy you any comfort, maybe not on a real commodity sharing [inaudible 00:11:08] I don't know if there is such a thing as a lesser-shared model. Or, maybe to ask the question a different way, is there ever a time when you wouldn't use something like a WordFence, if you were on your own private server? What's the game for putting that ... It sounds like there's a bit of performance load that goes into using something like that. It's a risk reward, so-
Scott: Yeah. So, there's basically two types of security plugins that you install on the site. Of course, there's security things you can do on your server itself, but, the two are either a WordFence [dial 00:11:38], which is dynamic, it's constantly running, it's constantly doing its protection, it's checking against its own security measures, kind of like what an AntiVirus would do on a Windows computer. It's always calling home, to see, "Hey, what has changed?" and, "What IPs are now bad?" It's always doing this. So, it does have a little bit of a performance impact.
On WordFence, they're getting better and better at reducing its performance overload. And so, I barely see a difference when I install WordFence these days. But, I turn off live scanning. If you have live scanning where it's literally following every person on your site, seeing every little bit they do, instead of just tracking, doing scans on a regular basis. It's literally scanning everybody, so that would be super resource intensive. So, if you're on a dedicated server, sure, turn it on. If you're not, leave that feature off, let it do regular scans, and you should be okay.
The other type of security plugin is like iTheme Security or SecuPress, BulletProof Security. There's a bunch of these. And they hardcode security changes into the files. And there's a downside to that, because hardcoding changes can break a server, it can break a theme, and it can break a plugin. So, with that you can be very careful. And the problem, the extended problem, is that if you do have an issue and you're now locked out of your site, you now need to know how to manually reverse the hardcoded change. So, I usually recommend, for photographers, mostly, to not touch any security plugin that does that.
Scott: But, for somebody who's more technical, I might recommend doing that, because it's less resource intensive, and will give you the ability to still recover if something was incompatible.
Charlie: Right, right.
Scott: Right. And SecuPress is made by the same people who make WP Rocket cache, and Imagify. It's great. I was testing it during its beta stages. I just prefer WordFence because I'm, personally, not a fan of having to readjust hardcoded changes manually. So, yeah.
Charlie: Okay. And that helps, because I got into, what is it, BackupBuddy, which I think is also mashed up with iThemes. And I started trying to debate, well, one I've already got WordFence installed, so do I do WordFence and iThemes, or do they conflict with each other?
Scott: They would conflict. I mean, it's sort of like having two antivirus on the computer.
Scott: They're both scanning for each other. You're not really-
Charlie: They might notice each other's behavior.
Scott: Yeah, yeah. "This plugin's doing something that's very odd, why does it have this here?" Because WordFence ... iThemes security is going to add .htaccess files in various places. WordFence is going to say, "That doesn't belong. That's not in WordPress Core." And then it's going to want to remove it, and they're going to battle.
Charlie: And that's a good topic, too, that I don't know if that goes too technical. One of the things I'd considered doing too was doing some sort of .htacceess block on my WP admin directory.
Scott: Which a lot of security plugins do.
Scott: Yeah. It's actually just a-
Charlie: Just to try to keep people from doing [brute force 00:14:52]
Scott: So, a good thing to do is ... WordFence has this, the iThemes security does, SecuPress, two-factor authentication.
Scott: There's multiple ways to do that, and I don't like the way that WordFence does it, so I don't use it from them. I just use Google Authenticator. Very basic, but it does the job. Basically, depending on which one ... SecuPress is text message-based, or no, it was email-based. So, you would go to log in, and then after you log in, it says, "Okay, now what's the code that you got from the email?" And you'd go to your email, check the code, put the code, put the PIN in, done. I think iThemes Security uses the Twilio text message API, so you get a text message whenever you try to log in.
WordFence is text message, but doesn't give you application passwords. And what I mean by that, two factor authentication, you have a PIN that's dynamic, it expires. So, it expires usually within one to five minutes after getting it. And, again, email, it's text message, or it's in an app like Google Authenticator or in 1Password, anything like that. And, application passwords are really good for, if you use Adobe Lightroom to publish your website, you can't do a dynamic PIN, you can't. You need an application password that bypasses the authentication. WordFence does not have that currently, and they couldn't give me an answer of when that's coming. So I don't use it from them.
Charlie: Or then you have to take a step and try to set a different class. I do all my picture uploads maybe as a contributor, and I do all my administration as so I'm going to do the two factor authentication on my administrator, but not on the contributor account, and hope that I'm safe that way, [crosstalk 00:16:36]
Scott: Exactly, yeah. You'd have to give up on some roles or users, and things. There are ways around it, but to each his own. The beauty about WordPress is there are so many different ways to do pretty much everything.
Scott: Yeah. Any other questions?
Charlie: I think that's it. I think we went a little more security than I was thinking originally in my head.
Scott: Yeah. THat's a topic that so many photographers struggle with, like, "How do I keep my site safe?" And the majority of photographers are on shared hosting, so it's crucial for there to be security measures in place, one way or another.
Charlie: That's a good way to look back on. You mentioned the one website that you were migrating, the Youngrens. Is there a way, outside of a security plugin, like WordFence or iThemes or somebody else, to let you know that your site's been hacked? I think you talked about it with Rachel before, that a lot of times the hack might take place, but then you don't notice it because the content doesn't change until much, much later.
Scott: Yeah, because it gives somebody a backdoor to then just push scripts out to do whatever. So, a plugin like WordFence is going to email you every day if something changes. Since I've been here, I've been getting emails that this plugin has to be updated, this plugin has to be updated, and I can't do it. I don't like doing that remotely. So I'm not doing it.
Charlie: Even with 1Password you don't like doing it remotely?
Scott: Oh, yeah. I would rather be at home with my laptop, because I didn't bring my laptop on this trip, so I'd rather be home with my laptop with good internet, then if something goes wrong on a plugin update, I can quickly revert, however I need to. But, yeah. WordFence will email you all the time, if there's something that looks strange. By default, it only looks at WordPress folders, with one click of a button you can have it scan your entire server. Takes longer, more performance, because the scan has to go longer. But you can actually scan folders outside of where WordPress [crosstalk 00:18:28]
Charlie: On a share hosted site, is it going to try and scan the entire shared host, or is it only scanning your portion of it?
Scott: Your site will only have access to your fragment of the ... Or partition, maybe, is the way to put it. So, yeah. It'll only scan you, but if you're on a shared host, you probably have access to multiple sites on that shared host. So it might scan everything that you have access to. It's possible. But, yeah.
Charlie: So, if I'm hosting my own, or my wife's website on the same shared hosting account, then one could actually scan both of them?
Scott: Potentially, yeah. I would say you have to test it.
Scott: Because I don't know if WordFence will actually go into the other folder. But that would be really interesting to see. Put a text file somewhere and see what happens. That would be really interesting to see.
Charlie: I will do that.
Scott: That would be good, because then you could actually have WordFence running on one site.
Charlie: And not have it run on multiple-
Scott: Well, you can have your wife scan only her WordPress, and have yours scan everything, so only one is more resource intensive for the scans.
Charlie: All right, yeah.
Scott: I'd be interested to see what happens with that test.
Charlie: I'll give it a try, see what it does.
Scott: So, thank you so much for joining this episode. As I said, in episode 41, things are going to be changing now that Rachel is no longer a co-host. I don't know what's going to happen, but this is kind of fun, here at Out of Chicago Photography Conference. So, hopefully I'll be able to do more of this kind of stuff, doing sort of spontaneous episodes while walking around.
Charlie: Very cool.
Scott: Yeah. See you in the next episode.