Developers: please read this article before installing any security, backup, or caching plugins for your AccessAlly membership site.
If you’re looking for hosting for your AccessAlly site, see our recommendations.
Security, backups, and caching are all extremely important functions for a membership site. Unfortunately, it can be difficult to choose between using a plugin or your server’s built-in capabilities.
Since not all plugins and servers are built the same, what’s considered “good practice” for one server might be frowned on by another. And, while using the server’s functionality is usually recommended over a plugin, this is not always the case: some servers, for example, have notoriously bad caching, and in that case a caching plugin would be preferable.
Just be aware of the warning signs that appear when your business has outgrown the security tools you’re using.
Evaluation Criteria
To help in your decision, use the following as your evaluation criteria:
- PERFORMANCE: Does it slow down the site? (This is especially important for backups – when a backup operation is underway, does the site slow down?)
- STORAGE: Does the plugin you’re using clog up the site with junk? Does it duplicate files on your server (taking up valuable storage)? Here, you’ll want to look for the “free space” measure on your server.
- CONSISTENCY: Does the tool always perform as required, or does it fail sometimes?
- FLEXIBILITY: Does the tool allow customization? Well-built tools know the world is full of exceptions, so they allow for certain files / use cases to be whitelisted.
- DISCONNECT: Does the tool block communication from CRM to server, which results in missed signals and can restrict users’ access to your site?
Use these criteria when determining the best course of action for the following functions:
Website Backups
Ideally, site backups should be done at the server level by your host. Please confirm the following items with your host:
- The frequency of backups
- How to restore backups
If your host does recommend a secondary backup plugin, be selective with the solutions you choose. Evaluate the options against the following considerations:
- Ease of use: Backups are most needed when bad things happen. The restore must be easy (can be done without complicated operations) and complete (full revert to the restore point, including files and database). The gold standard here is the WPEngine backup points.
- Flexibility: A backup can be triggered when needed. It’s also good to have the option to back up / restore only the files or only the database.
Backup & Caching Plugins to avoid:
- Updraft (older versions)
- WP DB Backup
- WP DB Manager
- BackupWordPress
Recommended backup plugins:
- VaultPress
- BackupBuddy
- Updraft Plus
Anti-Spam Plugins
- CleanTalk – the custom contact form protection feature causes issues with AccessAlly order form fields and AccessAlly coupon codes. We recommend turning custom contact form protection off if using CleanTalk.
Caching Plugins
Most hosts have built-in caching at the server level, so the use of a caching plugin may not be required.
Please check with your host on your cache settings. Two specific settings to know include:
- How frequently your cache is cleared by the host (it may be on a schedule)
- Whether it is possible for you to clear it manually in the event you are making real-time changes
Some caching plugins can cause issues with versioning of the site and display items inaccurately.
If your host suggests that you DO use a plugin to assist with site caching, be sure to exclude AccessAlly. Then, remember to clear your plugin cache and server cache when you are making changes that you want to view/make live immediately.
If you are using Flywheel hosting, it may block tracking cookies. You’ll need to contact Flywheel and ask them to add the following paths to your caching exclusions (ignore the extra characters):
^/~access/*
^/accessallyref/*
Anything falling after those paths on your site will not be cached after this. It takes about 5 minutes to ask for this via Flywheel chat.
If you’re experiencing issues and you have hosting through WPEngine, our best recommendation is to reach out to them and ask them to turn off the cache site-wide.
Caching Specifics for Your Membership Site
There are a couple of different considerations for caching a membership site built with AccessAlly:
When styling is updated in AccessAlly / PopupAlly Pro, it is recommended to manually flush / clear the cache. If clients prefer not to do that, then they should whitelist the styling files:
- AccessAlly: all files in /wp-content/uploads/accessally-scripts/
- ProgressAlly: all files in /wp-content/progressally-css/
- PopupAlly Pro: all files in /wp-content/popupally-pro-scripts/
Page cache: some pages just shouldn’t be cached
- No page should be cached while a user is logged in. This is usually how hosts behave, but there are some hosts that do not always do this properly (GoDaddy is one well-known example).
- Pages with timers / countdowns should be excluded from the cache.
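To check that the Flywheel exclusion paths and the logged-in rule above are actually honoured, the following added example (not AccessAlly's or any host's code) audits recorded response headers for cache hits that should never happen. It assumes the exclusions behave as path prefixes and that your host signals cache hits through `Age`, `X-Cache` or `CF-Cache-Status`; the sample observations are constructed.

```python
# Added example: audit recorded responses against this article's caching rules.
# Header names are common conventions, not confirmed for any particular host.

NO_CACHE_PREFIXES = ("/~access/", "/accessallyref/")  # paths from the article
LOGIN_COOKIE = "wordpress_logged_in_"                 # WordPress auth cookie prefix


def served_from_cache(headers):
    """Return True if response headers indicate the body came from a cache."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if h.get("cf-cache-status") == "hit":        # Cloudflare
        return True
    if h.get("x-cache", "").startswith("hit"):   # common proxy/CDN convention
        return True
    age = h.get("age", "")                       # standard HTTP Age header
    return age.isdigit() and int(age) > 0


def bypass_reason(path, cookie):
    """Why this request must never be answered from cache, or None."""
    if path.startswith(NO_CACHE_PREFIXES):
        return "excluded path"
    if LOGIN_COOKIE in cookie:
        return "logged-in user"
    return None


def audit(observations):
    """Return (path, reason) for each response that was wrongly cached."""
    findings = []
    for obs in observations:
        reason = bypass_reason(obs["path"], obs.get("cookie", ""))
        if reason and served_from_cache(obs["headers"]):
            findings.append((obs["path"], reason))
    return findings


# Constructed sample observations (not captured from a real site).
SAMPLE = [
    {"path": "/", "headers": {"X-Cache": "HIT", "Age": "120"}},
    {"path": "/accessallyref/abc", "headers": {"X-Cache": "MISS"}},
    {"path": "/~access/a1b2", "headers": {"CF-Cache-Status": "HIT"}},
    {"path": "/my-course/", "cookie": "wordpress_logged_in_0f=member",
     "headers": {"Cache-Control": "max-age=600", "Age": "37"}},
    {"path": "/my-course/", "cookie": "wordpress_logged_in_0f=member",
     "headers": {"Cache-Control": "no-cache", "Age": "0"}},
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"cached but should not be: {path} ({reason})")
```

A finding for a logged-in request means one member's page may be served to other visitors, so raise it with your host before adding any caching plugin.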
Some caching plugins to avoid:
- WP Super Cache
- W3 Total Cache
- WP Cache
- WP Cachecom
- WP Fast Cache / WP Fastest Cache
- WP File Cache
- WP Rocket
- Hummingbird – the JavaScript modification settings may cause issues with buttons on AccessAlly order forms.
Recommended caching plugins:
- Check with your host to see if they offer caching at the server level
Security Plugins
Always approach security plugins with caution. Most hosts will have plugin recommendations that match their server settings and they can recommend the best solution for you.
After choosing a security plugin, always look to whitelist or make exceptions for the CRM system and server to communicate.
Also, know that security plugins should be regularly updated as vulnerabilities are often patched and pushed out.
Security plugins to avoid:
- All in One WP Security & Firewall
- Wordfence
- Sucuri
- All SSL plugins – SSL should be installed at the server level by your host. Please confirm with them the process for getting it installed.
- CDN powered by Fastly
Security plugins to consider:
- iThemes Security
- Cloudflare
NOTE: You will need to review the plugin settings to allow the CRM to communicate with the server and back to the CRM. This may require you to whitelist IPs of these tools within the security plugin as the communication must be permitted to run a membership site:
Captcha Login Plugins
While it may be tempting to install a WordPress captcha login plugin, which asks people to enter numbers and letters or show that they’re not a robot, these plugins can interfere with AccessAlly.
It can create a poor login experience for clients when you install a captcha login plugin, which is why we don’t recommend them. Captcha plugins also don’t increase the security of your site enough to warrant the poor user experience they can cause. Here are a few ways that these plugins can prevent clients from accessing their courses:
- On-demand custom operations may not work
- The login form password reset functionality may not work
Please consider these issues before installing a captcha plugin!