What a website hacking scare taught me about client-proofing WordPress


Hi Reader

“I think my website got hacked.”

These are words that none of us wants to hear from a client.

But that’s what my client Alain was telling me back in May 2023.

The website in question was for a local sports club. It was one of those small projects that was supposed to be a “launch and forget”.

I used a default theme with light customizations, a few reliable plugins, and set everything to auto-update. And the website had been running without any issues for years.

Until that day.

With my client Alain on the phone, and my panic level rising, I logged into the website. Nothing looked off, so I just randomly clicked around, on the lookout for anything suspicious.

I asked “How can you tell the website was hacked?”

Alain answered “There are weird images in there that I never added.”

I checked the media library. Nothing. Clicked through a bunch of posts and pages. Nothing.

"I can't see anything weird," I responded to Alain. "Where are these images?"

My client proceeded to walk me through the process of finding them:

  1. Go to Posts > Add New Post.
  2. Click on the Plus icon.
  3. Go to Media.
  4. Click on OpenVerse.

🙈 If you're facepalming right now, good. That's what I did as well.

A wake-up call

I repeated these steps while writing this newsletter. Look at these "weird images" WordPress suggests:

So I can definitely see why my client Alain thought that someone had messed with his website.

Because this site was launched on WordPress version 5.2. And while WordPress kept adding features, none of them seemed to worry my client.

Except when WordPress 6.2 added the OpenVerse integration, right into the editor.

Now I don't like wasting time. But what I like even less is when somebody or something else wastes my time.

And here, WordPress clearly wasted my time by adding features that don't make sense for the overwhelming majority of websites.

And this served as an important lesson to me: I need to remove all the features which my clients don’t use.

Improving default WordPress

I’ve talked about this before in various emails, usually in the context of “client-proofing” WordPress.

Because the common question that I hear from freelancers and agencies is “how can I prevent my clients from breaking their website?”

And that is definitely part of my approach. But I also strive to simplify WordPress as much as possible.

With modern WordPress, users have access to so many tools. But they rarely need all of them.

In this case, all this sports club needs is the ability to publish news, and to maintain a few key pages like the members of the administration committee for compliance reasons.

All the rest my client Alain didn't need. So I got rid of it all.

Time for code!

Removing directories is the first thing I do on all WordPress projects. This includes the:

  • OpenVerse media directory
  • Block plugins directory
  • Patterns directory

Right now I'm working on a plugin that makes this as easy as clicking a toggle and a button:

But until that is done, these three snippets will have to suffice:

Now these are just a few lines of code. But they will save you a lot of headaches.
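As an added example (not the author's three snippets, which are not reproduced here), a single must-use plugin that turns off all three remote directories at once. It relies on the `block_editor_settings_all` filter with the `enableOpenverseMediaCategory` setting, the `wp_enqueue_editor_block_directory_assets` callback and the `should_load_remote_block_patterns` filter, as I know them from WordPress core; the file goes into wp-content/mu-plugins/ so a client cannot deactivate it from the plugins screen.

```php
<?php
/**
 * Plugin Name: Disable Remote Editor Directories
 * Description: Hides the OpenVerse media tab, the block plugin directory and the
 *              WordPress.org pattern directory from the block editor.
 *
 * Added example, not the newsletter author's code. Hook names and the setting
 * key below are taken from WordPress core as known to the editor of this page.
 */

// 1. OpenVerse (WordPress 6.2+): the media inserter reads this editor setting;
//    setting it to false removes the OpenVerse tab the client mistook for a hack.
add_filter(
	'block_editor_settings_all',
	static function ( array $settings ): array {
		$settings['enableOpenverseMediaCategory'] = false;
		return $settings;
	}
);

// 2. Block plugin directory (WordPress 5.5+): core hooks this callback in
//    default-filters.php, which loads before mu-plugins, so it can be removed here.
//    Without it the inserter no longer searches WordPress.org for blocks to install.
remove_action( 'enqueue_block_editor_assets', 'wp_enqueue_editor_block_directory_assets' );

// 3. Pattern directory (WordPress 5.8+): returning false stops core from fetching
//    remote patterns from api.wordpress.org; theme and core-bundled patterns stay.
add_filter( 'should_load_remote_block_patterns', '__return_false' );
```

The block directory is only shown to users who may install plugins, so removing it also closes the editor as a route for installing code on the site. With all three in place the editor no longer calls api.wordpress.org for media, blocks or patterns, which is easy to confirm from the browser's network tab.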

Cheers,
Fränk

Fränk Klein from WP Development Courses

Every Sunday, I send out tips, strategies, and case studies designed to help agencies and freelancers succeed with modern WordPress. My goal is to go off the beaten path, and focus on sharing lessons learned from what I know best: building websites for clients. 100% free and 100% useful.
