Tim McGiven's Blog, page 2

August 12, 2025

For a Limited Time: Unlock Plugin Power on Personal & Premium Plans

We hear you. You love your WordPress.com Personal or Premium plan, but there’s that one plugin — or two — you’ve been itching to try. Normally, plugins are only available on Business and Commerce plans. From August 12 to August 25, 2025, new customers and users upgrading from free plans can now use plugins on all new Personal and Premium plans.

What can you do with plugins?

With plugins, you can go beyond the basics and unlock powerful features for your sites:

Boost your visibility with advanced SEO tools like schema markup, redirect management, and fine-tune how your content appears in search engine results.
Add niche features such as recipe cards, event calendar, booking tools, and more without coding.
Design with more freedom with additional blocks, page builders, and styling controls.
Streamline your workflow by adding editorial calendars, role editors, and custom content types specific to your site’s needs.
Sell products or services with e-commerce plugins and many more.

Think about that one feature you’ve been missing; now you can try it out for yourself.

Why now?

Plugins open the door to even more ways to customize your site and bring your ideas to life. On our Business and Commerce plans, we offer these tools along with the extra support and flexibility they require to run your site smoothly. Many of you have asked for the chance to try plugins on Personal and Premium plans, so we’re making it happen for a limited time.

This window from August 12 to August 25 is your chance to explore plugins on all paid plans that usually don’t include them.

After August 25, plugin access returns to WordPress.com Business and Commerce plans only. Customers who have bought during the two-week promotion period will be able to keep plugin access as long as they keep their original plan.

Who’s this for?

This offer is for anyone ready to start something new on WordPress.com — whether it’s your first site or your next one. If you purchase a new Personal or Premium plan during this two‑week window, you’ll unlock plugin access for that site.

New sites signing up for WordPress.com Personal or Premium plans during the offer
Free plan users upgrading to WordPress.com Personal or Premium plans

If you already have a paid Personal or Premium plan, this offer doesn’t apply, but you can upgrade to a WordPress.com Business or Commerce plan anytime to get plugins. Offer is not applicable for downgrades and renewals at this time.

Ready to try that plugin you’ve been eyeing?

This is your chance to try WordPress.com without limits. Grab a new Personal or Premium plan by August 25, 2025, and unlock plugins for that site — forever — and build the site you’ve been dreaming about.

We’re excited to experiment with this alongside you and see what you create. This is a chance for us to learn together, discover what you build, and explore how plugins can help you achieve your goals. We look forward to hearing your thoughts and feedback as you try new things, share what works, and tell us what you would like to see next.

This offer ends on August 26 at 7 a.m. (UTC).

Published on August 12, 2025 03:00

August 7, 2025

Find WordPress.com at WordCamp US 2025

WordPress.com is a proud sponsor of WordCamp US this year. Some WordPress.com staff members and I will be heading to Portland, Oregon from August 26th – 29th to connect with the community and contribute to the open source WordPress project. If you’re there, and you see one of us — please stop and say hi! I’d love to hear your feedback about WordPress.com directly.

I’m really looking forward to this year’s WordCamp US. It’s always such a great opportunity to learn from the people who use and shape WordPress every day.

Events like WordCamp US also help ensure we’re building in the right direction, as we work to make WordPress.com the go-to place for WordPress, for anyone, anywhere, at any scale.

Why go to WordCamp US?

WordCamp US is one of the largest WordPress gatherings each year, bringing together developers, designers, bloggers, business owners, creators, and contributors from around the world. 

Whether you build with WordPress, publish with it, or help shape the software itself, WCUS is where conversations happen, ideas are initiated, and the community connects over a shared desire to push WordPress and the open web forward.

With so much progress happening in the WordPress ecosystem, the WCUS agenda reads like a front-row seat to what’s next. I’m personally excited about checking out Amy Sample Ward’s talk on changemaking, James LePage’s presentation on AI, and, as always, the Keynote. 

Come visit the WordPress.com booth

The WordCamp sponsor area is always a source of good conversation, connection, and (of course) swag. So why visit the WordPress.com booth at WordCamp US this year? 

Demos and answers to your questions

You’re probably aware that WordPress.com offers professional WordPress hosting. But do you know just how much value we pack into our hosting plans?

Our team will be at the WordPress.com booth all week, ready to answer your questions and showcase what WordPress.com can do for you today. Whether you’re curious about our hosting features, our AI website builder, our developer tools, or WordPress Studio, visiting the WordPress.com booth is a great chance to get a hands-on look and share your feedback directly with the people building and supporting the products.

Some serious swag

Of course, no WordCamp is ever complete without great swag. 

This year, you can expect limited-edition pins, stickers, totes, hats, and more at the WordPress.com booth, and you’ll even have a chance to be entered to win some premium swag from all of the Automattic booths. 

And if you’re a developer or site builder, be sure to find someone from the WordPress Studio team for a chance to snag some exclusive Studio-branded swag.

Will we see you there?

If so, we’d love to see you at the WordPress.com booth. If you haven’t grabbed your ticket yet, use code wpcom25 at checkout for 25% off.

We’re building WordPress.com to help more people do more with WordPress, and your ideas and feedback play a big part in that. We’d love to chat.

See you in Portland!

Published on August 07, 2025 12:12

August 6, 2025

Subdomain vs. Subdirectory: A Guide for Site Owners

Despite Google’s official claim that it treats subdomains and subdirectories equally in indexing, website owners sometimes report substantial traffic gains after switching from the former to the latter.

The reality? It’s far more nuanced than these site owners suggest.

To make smart decisions about when to use a subdomain or a subdirectory, you need to evaluate your goals, technical capacity, and projected website growth.

That’s what this guide covers. You’ll learn the key differences between a subdomain and a subdirectory, when to use each, and how to choose the right one for your specific needs.

What is a subdomain?

A subdomain is a label that appears before your main domain (e.g., blog.example.com, shop.example.com, support.example.com).

Contrary to what people think, a subdomain doesn’t always function as a separate website hosted elsewhere. A subdomain can point to the:

Same content (e.g., www. as a subdomain).
Different content on the same hosting (e.g., fr.support.wordpress.com for localized content, a type of web content adapted to a specific language or region).
Different hosting and content (e.g., hosting blog.example.com on a server completely separate from example.com).

Businesses with diverse product offerings often use subdomains to organize content hierarchy and ensure easy navigation.

Take Google, for instance. It deploys its business apps and solutions through separate subdomains, such as mail.google.com, drive.google.com, and docs.google.com, improving the user experience.

When should you use a subdomain?

Though requiring more technical setup (which we’ll walk you through later), subdomains excel at organizing distinctly different sections of your content.

Use them when you want to:

Host client portals

Hosting dedicated portals on subdomains helps you manage each client’s project deliverables, digital assets, and legal documents in a centralized space. Depending on your web hosting provider, it can also improve security by limiting access to sensitive data.

Set up a staging environment

A staging environment is an isolated testing ground where you test updates, redesigns, and new features before deploying them to a live website. Technically, one can be created in a subdirectory instead (and we’ll cover what those are in a bit), but using a subdomain is widely considered best practice.

A staging environment hosted on a subdomain provides an isolated space where you can implement and refine changes without risking your main website. Just be sure to secure it with a password to prevent unauthorized access.

Tip: Want to set up a staging environment for your WordPress website? Start here.

Build authority in a new niche

Search engines treat subdomains as independent entities — the backlinks and authority from your main domain won’t transfer over. This creates a fresh foundation to establish dominance in your new niche or market segment.

Imagine you’re an entrepreneur with three revenue streams: a baking membership community, a copywriting course, and a series of business ebooks.

These offerings target different customer segments with unique search behaviors. Instead of lumping your three business lines together on one domain — which risks confusing visitors and diluting your site’s authority — create subdomains with each strategically positioned to build targeted authority.

Creating distinct site subsections

There may be other instances where you need to add a section to your site that has its own distinct branding and functionality.

One example is WordPress Playground, a platform for users to build and experiment with WordPress on any device, all within a web browser. Note the subdomain in its URL: playground.wordpress.net.

How to connect a subdomain

For WordPress sites, creating a subdomain requires more technical steps than a subdirectory.

Your process primarily involves your DNS management system (like Cloudflare) rather than your web host. To begin, locate its support documentation and complete the step-by-step instructions for a smooth setup.

Next, follow these steps to connect your subdomain with your WordPress.com site.

First, log in to your account and go to the WordPress dashboard of the site you want to use with your subdomain.

If you’re using WP Admin, navigate to Hosting → Domains (or Upgrades → Domains if you’re using Default View). On the top right, click the down arrow of the “Add a domain” button and select “Use a Domain I own.”

Enter your desired subdomain (e.g., subdomain.example.com) and click the “Continue” button.

In the “Connect your domain” section, click the “Select” button.

Congratulations! You’ve created your subdomain.

Since your website uses WordPress.com name servers, the DNS records for your subdomain should automatically configure. Test your new subdomain URL in a web browser to see if it’s working.

What is a subdirectory?

A subdirectory is a subfolder within your main website. It appears as a page after the root domain (e.g., example.com/blog, example.com/shop, example.com/about) and is preferred by SEO professionals running smaller websites.

When should you use a subdirectory?

Subdomains are overkill for smaller websites, as they unnecessarily fragment your SEO efforts. If you’re managing a smaller web presence, subdirectories offer a more practical solution.

Use them when you want to:

Simplify SEO tracking

Analyzing SEO data across multiple subdomains creates unnecessary complexity.

Unlike subdirectories, subdomains require technical overhead like configuring cross-domain tracking and modifying session cookies. If you prefer to streamline your analytics tracking under one roof, opt for subdirectories.

Organize related content for better SEO

Since search engines treat subdomains as separate sites, backlinks pointing to your main website won’t transfer SEO value to them.

Subdirectories, on the other hand, consolidate your SEO equity within a single domain and amplify your overall search visibility. This makes them the preferred choice for most SEO specialists.

To illustrate how subdirectories work in practice, consider this example. If you’re a freelance writer for B2B marketing and sales companies, you could organize your website with subdirectories targeting these keywords:

Homepage: Freelance [SEO/marketing/SaaS] content writer.
Blog posts: How to increase leads, conversion content, and research competitor keywords.
Services: Content writing services in [country], [ebook/white paper/B2B] content writing services.

By interconnecting these pages under your main domain, you create a content cluster that shares SEO equity. The “backlink juice” from other sites that link to your pages flows throughout your entire website and fuels it as a whole.

Eventually, this leads to higher domain authority, better search rankings, and increased organic traffic.

Maintain brand consistency

Consistent branding boosts revenue by up to 20% — and subdirectories play a small part in achieving it. They can provide better continuity in user experience and a cohesive brand presence, boosting recognition and trust.

How to create a subdirectory

Creating a subdirectory is easier than setting up a subdomain. You can whip one up in seconds with any website builder.

If you’re hosting on WordPress.com, here’s how it works:

Log in to your account.
Go to the dashboard, click Pages → Add Page. Build and format the rest of your page as desired.
Customize the URL subdirectory in the right sidebar menu.
Click Publish.

Tip: You can add more subdirectories under the page you created. This step is particularly useful if you want to organize different topics on your blog (e.g., a food blog might add the following child pages: breakfast, lunch, and dinner under a Recipes parent page). 

Go back to the dashboard:

Click Pages → Add Page.
Click None next to Parent.
Choose the parent page previously created.
Build and format the rest of the page accordingly.
Click Publish.

WordPress.com runs the same WordPress software trusted by over 40% of the web. Easily create new subdirectories — and leave the hosting, security, performance, and maintenance to us.

Your first year of annual hosting includes a free domain name. Register your domain today.

Differences between subdomains and subdirectories

The debate between subdomains and subdirectories never ends. Here’s a snapshot of their differences to help you choose the right option for your website.

First, let’s start with the fundamental structural differences.

URL structure

A subdomain appears before the primary domain and is separated by a period. It looks like shop.example.com or portal.example.com.

A subdirectory, by contrast, appears after the main domain and is separated by a slash. It looks like example.com/shop or example.com/portal.

Maintenance

Subdomains demand more technical maintenance and resources.

Often, there are more DNS records, SSL certificates, and duplicate content to manage. Depending on your business and site setup, you may also need different content management systems (CMSs) to run each subdomain, increasing technical complexity and resources.

Subdirectories, conversely, are easier to manage. With all content in a single website architecture, you reduce technical overhead and streamline maintenance.

For example, if you run an ecommerce store with a blog, you can manage both sections through a single WordPress.com dashboard. When you update your plugins or theme, these changes apply to the entire site automatically. There’s no need to implement the same updates across multiple platforms.

Indexing and ranking

Subdirectories usually see higher rankings and traffic.

Despite Google’s official stance that both receive equal treatment, many SEO professionals report substantial traffic gains after migrating from subdomains to subdirectories.

The HotPads blog is one example — it saw a 98% traffic increase after the shift.


@johnandrews we moved the HotPads blog from blog. subdomain to /blog subfolder. Replatformed TypePad -> WP. 98% increase in G organic in 2mo

— John Doherty 👍 (@dohertyjf) February 7, 2015

Take these results with a grain of salt, as the reality is a lot more complicated.

During HotPads’ migration to subdirectories, it simultaneously upgraded from Typepad to WordPress. This suggests multiple factors influence SEO performance beyond domain structure.

In HotPads’ case, it could also be the CMS, hosting environment, and internal links.

Which is better: a subdomain or a subdirectory?

For most bloggers, creatives, and small business owners, subdirectories will work just fine.

That’s because subdomains create more work.

Managing additional DNS records and SSL certificates creates potential technical hurdles for non-tech-savvy users, and that’s just the tip of the iceberg. Without dedicated technical support, subdomains can become overwhelming quickly.

Moreover, subdomains excel specifically for enterprise-scale content or specialized sections that operate independently from the primary website. Smaller sites usually don’t reach the content volume threshold where subdomains become necessary.

Unless you’re managing thousands of pages needing intuitive navigation — and aiming to improve the user experience that search engines prioritize in rankings — you can get by with subdirectories.

Ultimately, it depends on three factors: your business, bandwidth, and current and projected website scale. If you’re still stuck, here’s a simple decision flowchart to help you decide which is right for you.

WordPress.com functions as a domain registrar and hosting platform (and website builder!). Manage your domain and host your website in one place.

Final thoughts: subdomain vs subdirectory

Use subdomains to separate content experiences from your primary site. Client portals, staging environments, and specialized sections targeting new market segments benefit from this approach, giving visitors a distinctive experience.

Choose subdirectories if you prefer to leverage your SEO benefits within your main site. Your hard-won “backlink juice” will beef it up as a whole.

Whether you want to connect multiple subdomains or create new pages, WordPress.com can do it all with a few clicks. We handle everything from hosting and security to performance and maintenance.

Save immediately with a free domain name included in your first year of annual hosting.

Published on August 06, 2025 08:00

August 5, 2025

Website Security: 22 Tips to Keep Your Site Safe

Imagine waking up in the morning, checking your site, and it’s an absolute mess. Your browser flashes a malware warning, your homepage is advertising questionable hair-growth pills, and your website logo has been replaced by a dancing raccoon.

Meanwhile, your inbox is exploding with emails from customers asking if the “crypto investment opportunity” sent by your “company representative” is real or not.

This might sound exaggerated, but the threats behind it are very real. If you don’t take security seriously, any one of them could hit your website sooner rather than later. Here’s how to keep your website secure against common threats.

What is website security?

Website security refers to the steps you take to protect your website from cyber threats and unauthorized access. It involves every level of website architecture, from the server and website files to login credentials and user privacy.

Strong website security builds trust with visitors, keeps your site online, and protects you from potential legal action and other negative outcomes.

What are some common website security threats?

The first step in protecting your site is understanding what you are trying to prevent. Threats include:

Password breaches: This often happens through brute force, where hackers automatically try out username and password combinations until they gain access to your site.
Defacement: This is the online form of vandalism. An attacker changes the appearance of your website, often with a message that you’ve been hacked.
Ransomware: This blocks access to your website and encrypts your files until you pay the attacker.
Data breaches: Hackers steal confidential information saved on your site to sell on the black market or use for their own purposes.
Malware infection: Malicious software is injected into your site to spread to visitors, for example, to hijack their computers.
Denial of service attacks: DoS or DDoS attacks aim to overload your server with traffic or large amounts of data in order to make your website slow or completely inaccessible.
Cross-site scripting (XSS): Malicious scripts are inserted into web pages so attackers can harvest login credentials and other information from user browsers.
SQL injections: Code to run database commands and change, delete, or steal data is injected into a site. This may include creating a new user with administrator rights to your website.
Spam: Filling your website with unwanted ads and malicious links.
Phishing: Fake login or input forms designed to trick users into entering personal information.
Botnet recruitment: Hijacking your site and server resources as part of a larger network of compromised sites to carry out attacks.

The scope and variety of online threats make security an issue even for basic websites.

Why does this matter?

The possible outcomes of having your website compromised include:

Loss of revenue: Downtime, ransom demands, or an otherwise non-functional website can immediately impact your income, especially for e-commerce websites. Plus, recovery usually comes with a price tag.
Reputation damage: A website that has been defaced, contains spam links, or fails to protect customer data erodes visitor trust and can permanently damage your brand.
SEO damage: Search engines may lose trust in your site as well, blocking it and tanking your search rankings and traffic in the process.
Legal problems and fines: Exposing sensitive user data may violate data protection laws like GDPR or HIPAA, leading to potentially hefty fines. People whose personal information was stolen may also sue you.

Lack of website security can greatly damage your business and income — sometimes to the point of no return. And don’t think your site being small means you’re safe. Most hacks are automated, aimed at gaining access over stealing data, and a matter of opportunity, not targeted action.

How to secure your website

Once you understand the risks, the next step is to protect your site. Website security is all about layering protections, not single fixes. Secure your site with these simple steps:

1. Change default CMS settings

Many attacks against WordPress target its default configuration. Therefore, an easy step to make your website safer is to change those defaults. For example:

Avoid using the username “admin” during setup.
Use a unique database table prefix instead of the default “wp”.
Customize your login URL to reduce automated login attempts.

2. Use a secure hosting provider

Your hosting provider is your website’s first line of defense. For that reason, you want to pick one that prioritizes security.

Choose the right type of web hosting for your purpose and skill level. For example, shared hosting runs a greater risk of cross-contamination from other sites on the same server that get hacked. With isolated site infrastructure such as that on WordPress.com Business and Commerce plans, this isn’t an issue.

In traditional hosting, most of managing website security is your responsibility; your hosting provider only takes care of the server. A managed WordPress hosting provider, on the other hand, is much more involved in securing your website. For example, when you host your site on WordPress.com, you benefit from:

Server environments optimized for WordPress
Automatic software updates
Domains with domain privacy
Downtime monitoring
A dedicated security team
Expert WordPress support

Plus, if you host your website on WordPress.com and it gets hacked, we will clean it up for free.

3. Use SSL/HTTPS

HTTPS encrypts the data transferred between your website and visitors’ browsers. This is an effective way to protect sensitive information against cross-site scripting (XSS), man-in-the-middle, or similar attacks. It also displays as a secure padlock icon in the browser and is a sign of trust for your audience.

To enable HTTPS encryption, you need an SSL certificate, which is usually easiest to obtain from your hosting provider. For example, SSL is included by default on all WordPress.com sites, with no setup needed.

4. Configure file permissions correctly

File permissions define who can modify which files on your server. They help prevent unauthorized users or scripts from modifying core files. You can modify file permissions with SFTP/SSH.

On WordPress, files should typically be set to permission level 644 and directories to 755. This balances functionality and security. Avoid setting anything to 777, which allows full read, write, and execute access.

On WordPress.com, permissions are set to the above settings by default and should only be changed if it’s absolutely necessary and you know what you’re doing.
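
An audit of a site directory against the 644/755 baseline, as an added example (not code from the post or from WordPress.com). The sample tree and its file names are constructed, and reporting modes tighter than the baseline as "stricter" is this example's own choice.

```python
import os
import stat
import tempfile
from typing import List, NamedTuple

FILE_MODE = 0o644  # baseline from the text: files
DIR_MODE = 0o755   # baseline from the text: directories


class Finding(NamedTuple):
    path: str      # relative to the audited root
    mode: str      # actual permission bits in octal, e.g. "777"
    severity: str  # "world-writable", "too-permissive" or "stricter"


def classify(mode: int, expected: int) -> str:
    """Compare actual permission bits with the baseline for that entry type."""
    if mode == expected:
        return "ok"
    if mode & stat.S_IWOTH:
        return "world-writable"   # any account on the server can modify it (777, 666)
    if mode & ~expected:
        return "too-permissive"   # grants a bit the baseline does not (exec, setgid, ...)
    return "stricter"             # tighter than baseline, e.g. 600; informational only


def audit_permissions(root: str) -> List[Finding]:
    """Walk root and report every file or directory that deviates from the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own permission bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            verdict = classify(mode, expected)
            if verdict != "ok":
                findings.append(
                    Finding(os.path.relpath(path, root), format(mode, "03o"), verdict)
                )
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Create a small constructed tree with a mix of good and bad modes."""
    files = {
        "index.php": 0o644,                     # matches the baseline
        "wp-config.php": 0o600,                 # tighter than the baseline
        "wp-includes/version.php": 0o755,       # needless execute bits
        "wp-content/uploads/photo.jpg": 0o666,  # writable by everyone
    }
    dirs = {"wp-includes": 0o755, "wp-content": 0o755, "wp-content/uploads": 0o777}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():
        os.chmod(os.path.join(root, rel), mode)


def demo() -> List[Finding]:
    """Audit the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.mode}  {finding.severity:<15} {finding.path}")
```

To audit a real site, call audit_permissions() with the path to its document root over SSH.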

5. Set up security headers

Security headers add an extra layer of protection by controlling how browsers handle your site’s content. They can help prevent vulnerabilities like cross-site scripting and clickjacking, and are an important part of every website.
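
What a check for these headers involves, as an added example (not code from the post or from WordPress.com): it inspects two constructed response heads for the XSS and clickjacking protections mentioned above, plus two related headers. The header names are real; the sample responses and the one-year HSTS threshold are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

MIN_HSTS_AGE = 31536000  # one year in seconds; threshold assumed for this example

# Constructed sample: headers are present but each one is weak or invalid.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOWALL
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=300
"""

# Constructed sample: no X-Frame-Options, but CSP frame-ancestors covers framing.
HARDENED = """HTTP/1.1 200 OK
content-security-policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'
strict-transport-security: max-age=63072000; includeSubDomains
x-content-type-options: nosniff
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into {lower-cased header name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if not line.strip():
            break                               # blank line ends the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()              # header names are case-insensitive
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def check_security_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (header, problem) pairs; an empty list means every check passed."""
    headers = parse_headers(raw)
    csp = csp_directives(headers.get("content-security-policy", ""))
    findings = []

    # XSS: scripts are governed by script-src, falling back to default-src.
    if not csp:
        findings.append(("content-security-policy", "missing"))
    else:
        sources = csp.get("script-src", csp.get("default-src"))
        if sources is None:
            findings.append(("content-security-policy", "no script-src or default-src"))
        else:
            # Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
            strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                         for s in sources)
            if "'unsafe-inline'" in sources and not strict:
                findings.append(("content-security-policy",
                                 "script-src allows 'unsafe-inline'"))

    # Clickjacking: a valid X-Frame-Options or a CSP frame-ancestors directive.
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append(("x-frame-options", "no framing restriction"))

    # HTTPS enforcement: HSTS must be present with a long enough max-age.
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("strict-transport-security", "missing"))
    else:
        match = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.IGNORECASE)
        if not match or int(match.group(1)) < MIN_HSTS_AGE:
            findings.append(("strict-transport-security", "max-age too short"))

    # MIME sniffing: the only valid value is "nosniff".
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "missing or not nosniff"))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_security_headers(sample))
```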

This topic is very technical, so it’s best to read up on security headers in depth. You can find out if your site is already using them with a security headers scanner. If they’re missing, options to enable them include:

Using a firewall
Using some CDNs
Using WordPress plugins
Editing server files

6. Implement a web application firewall

A web application firewall (WAF) has the ability to filter and block malicious traffic before it reaches your website. This helps defend against common threats like SQL injections and brute force attacks.

You can get a firewall through your hosting provider, plugins, or external providers. On WordPress.com, Business and Commerce plans include a built-in, managed firewall.

7. Use a content delivery network

A content delivery network (CDN) distributes your website’s content across multiple servers worldwide.

This reduces server load and is often a tool used to improve performance. It helps mitigate DDoS attacks by adding a layer between attackers and your origin server that can absorb some of the excess traffic. Cloudflare is a popular option.

WordPress.com includes CDN functionality powered by more than 28 data centers across six continents.

8. Force strong usernames and passwords

Weak login credentials are one of the most common ways hackers gain access to websites. 

Here are some best practices to prevent that from happening:

Avoid predictable usernames like “admin” or “user.”
Use strong passwords with a mix of letters, numbers, and symbols for all entry points to your website, including your FTP, database, and hosting account. You can generate them with the help of a password generator.
Require the same for all users with access to your site, if necessary with a plugin like Password Policy Manager.
Consider using separate accounts for site administration and content creation, so as not to display the admin username on your site.
Be sure to balance safety and usability.

To keep your login pages safe, WordPress.com offers out-of-the-box brute force protection and single sign-on (SSO).

9. Set up multi-factor authentication

Multi-factor authentication (MFA) adds an extra layer of protection to site logins. It requires a second verification step, such as inputting a code from an app or text message. This makes it much harder for attackers to log in, even with stolen credentials.

You can add this functionality to your WordPress site using MFA plugins. WordPress.com supports two-step authentication for all users by default.

10. Apply sensible user roles and permissions

WordPress offers several user roles with clearly defined permissions. These let you control who has access to your site and what they can do on it. Here is the full list:

Administrator: Full access to all site features and settings.
Editor: Can manage all content, including posts, pages, comments, categories, tags, and media.
Author: Can create, edit, upload media to, and publish their own posts.
Contributor: Can write and edit their own posts but cannot publish or upload media.
Viewer: Can read and comment on private site content.
Subscriber: Follows your site and receives updates.

It’s a good idea to use the principle of least privilege when assigning roles, which restricts user access to only the functions needed for each job. This reduces the risk of someone breaking something by accident and provides extra protection if an account gets hacked.

You can upgrade permissions temporarily if needed, but be sure to review and update user roles regularly, especially after team changes.

11. Install a security plugin

Security plugins provide extra safety with features like malware scanning, firewalls, and security headers. 

For self-hosted WordPress sites, security plugins cover gaps not managed by your hosting provider. Popular choices are:

Wordfence
Really Simple Security
All-in-One Security

Plugin-enabled sites on WordPress.com don’t require a security plugin, because they come with Jetpack and many other protections built in. Installing a separate security plugin on these sites would likely lead to conflicts.

12. Use trustworthy extensions

Plugins and themes allow you to use WordPress for any purpose and use case, from blogs to personal websites to one-page sites.

At the same time, they can also be a security risk. Poorly coded or abandoned extensions can introduce serious vulnerabilities. In addition, plugins from untrustworthy sources can contain malware, back doors and other unpleasant surprises.

To avoid this, only install plugins and themes from reputable sources, like official WordPress directories. Everything you find there goes through a thorough vetting process before it can be installed on websites. Read reviews, check the update history, and confirm compatibility with your WordPress version before installing.

13. Delete unused plugins and themes

Even inactive plugins and themes can create security risks if they’re outdated or vulnerable. You should deactivate and fully delete anything you’re not actively using.

You should also regularly audit your installed extensions for what you can get rid of. Fewer extensions mean fewer potential points of attack.

14. Keep your website up to date

Updates to WordPress and its plugins and themes often include patches for known security vulnerabilities. For that reason, it’s a good idea to regularly apply them on your site.

As a managed hosting provider, WordPress.com automatically handles core updates and provides tools to update plugins and themes either automatically or manually. You can test updates on a staging site before publishing updates.

15. Set up automatic backups

Backups are one of the most central tools for website security. If you have a recent working version of your site saved somewhere safe, you can restore it to mitigate problems.

For that reason, you should regularly back up both your site files and database, preferably with an automated solution. Be sure to store backups in a secure, off-site location like cloud storage or a separate server.

On WordPress.com, real-time backups and one-click restores are included in the Business and Commerce plans.

16. Limit personal and sensitive data saved on your site

You can’t lose what you don’t have. If your website gets hacked, attackers can only gain access to data that’s stored there. For that reason, be sure to only collect and store the information you need from your users, and follow data protection laws like GDPR when handling personal information.

17. Use an anti-spam plugin

Comment spam is an inconvenience every website owner has to live with. But if you’re not adept at recognizing it, you might inadvertently post links to malicious websites or software on your site, creating legal and SEO risks.

Akismet is an anti-spam plugin that automatically filters out the majority of spam submissions using machine learning and AI. It is included on all WordPress.com plans with no extra setup.

18. Log website activity

Activity logs track user actions and changes made on your site. They make it easier to trace what happened in the event of a breach or other problems.

There are many plugin options to add them to your site and WordPress.com also offers built-in activity logs.

19. Stay informed on current threats

Security threats constantly evolve, so staying informed is essential in order to respond and strengthen your defenses quickly.

Two good resources for the latest vulnerabilities and best practices are:

- US Cybersecurity and Infrastructure Security Agency (CISA)
- Open Web Application Security Project (OWASP) (for developers)

In addition, sign up for security newsletters or alerts from your hosting provider or plugin vendors.

20. Educate and train all website users

Your website security is only as strong as your least-informed user. For that reason, make sure all team members understand security best practices. Train them to recognize phishing attempts and suspicious activity, to use strong passwords and MFA, and not to share accounts or reuse credentials.

Keep in mind that website safety includes device security, so be sure to implement malware scans and other security measures on your team’s computers.

21. Scan your site regularly

Scanning your website helps catch vulnerabilities, malware, or suspicious changes early. It lets you know if there is a problem in real time and prevents threats from going undetected on your site.

You can use automated tools or services to schedule scans daily or weekly. OWASP has a detailed list of options.

On WordPress.com, Jetpack Scan checks every site daily for dangerous plugins, themes, malware, and other vulnerabilities. On higher-tier plans, you also get access to a history of threats identified on your site.

22. Have a recovery plan

No matter how diligent you are, the risk to your website is never zero. If the worst-case scenario happens, advance preparation will help you stay calm and mitigate the potential damage.

Put together a recovery plan with information such as:

- Step-by-step instructions for different scenarios
- Who to contact in case of emergency and how
- How to let customers know what’s happening
- Legal requirements for reporting security breaches

Practicing your recovery process ahead of time can save hours or even days during a real incident. And remember, with a WordPress.com plan, site recovery is free.

An ounce of prevention is worth a pound of cure

Investing in security measures for your website is essential for protecting your content, users, and reputation. Threats are real, common, and often automated, and everyone is a target. Fortunately, many of the most effective protections are simple to implement. If you use a high-quality managed hosting provider like WordPress.com, you’re already ahead of the game.

Just keep in mind that security is not a one-time task, but an ongoing process. Regularly review your systems and processes to continue staying safe. If a breach happens, don’t panic, just recover, analyze, and make sure it can’t happen again.

Published on August 05, 2025 12:00

August 4, 2025

What’s New With Our AI Website Builder: Improved Features, More Possibilities

In April, we launched our AI website builder, opening the door for anyone to turn their ideas into a WordPress.com website — no expertise required. We’ve been listening to your feedback and regularly rolling out improvements and new features that put more creative power in your hands.

Whether you’re dreaming up a business, building your portfolio, or sharing your passion, our goal is to make website creation inspiring, personal, and truly yours — with all the flexibility and ownership WordPress.com is known for. Here’s a quick look at what’s new — so you can spend less time building, and more time growing your ideas.

Improved color palettes and font pairings

You asked for more customization, so we delivered! The AI website builder now offers an expanded range of color palettes and designer-curated font pairings — instantly generated to fit your vibe, style, or brand. Personalizing your site is faster and easier, whether you want bold, minimal, playful, or classic — all without any design experience.

Example prompt asking WordPress.com's AI website builder to regenerate new color palette and font pairings.

Hero sections that stand out

Your homepage hero area is your website’s first impression — and now, our AI website builder creates even more modern, eye-catching hero areas. Instantly get modern layouts, bold headers, flexible intros, and cover images that help your homepage make a strong first impression.

Example of a website hero section generated by WordPress.com's AI website builder.

Smarter, custom logos

Site logos just got a big upgrade. Our AI website builder now generates cleaner, more customizable site logos using the latest AI models — including playful cartoon styles, niche aesthetics, bold typography, or anything in between. Just describe the vibe you want, and you’ll get a logo that’s truly yours.

Example of a custom logo generated by WordPress.com's AI website builder.

Better images

No more scrambling for the right photo. Now you can whip up fresh images, cover photos, or hero backgrounds for your site in seconds — just by describing what you want (“a cozy café at sunset” or “vibrant tech workspace”), and the AI helps you find or create visuals that fit your vibe.

Example of a prompt asking WordPress.com's AI website builder to regenerate a new image.

Edit more, in more places

You can now use the AI website builder to edit your site’s templates — not just individual pages. That means you can easily update your homepage, about page, or any template, and make global changes to layouts, colors, or fonts — all from one place, without jumping between menus. With full template editing, you get even more flexibility and creative control across your whole site — no extra steps required.

What’s next?

We’re committed to making our AI website builder even better. That means regular bug fixes, smarter intelligence, better taste, and an even smoother experience, all designed to help you go from idea to live website with minimal effort. Have a feature you’d love to see? Let us know — your voice shapes where we go next.

Curious? Get started with our AI website builder today.

Published on August 04, 2025 12:27

July 31, 2025

Introduction to WordPress Plugin Development: Build Your First Plugin

WordPress powers over 40% of the web, and much of its flexibility comes from plugins. Plugins are self-contained bundles of PHP, JavaScript, and other assets that extend what WordPress can do—powering everything from simple tweaks to complex business features. If you’re a developer new to WordPress, learning how to build plugins is the gateway to customizing and scaling the platform for any need.

In this guide, you’ll learn the essentials of plugin development, set up a local environment using WordPress Studio, and build a fully functional example plugin. By the end, you’ll understand the anatomy of a plugin, how hooks work, and best practices for maintainable and secure code.

Table of Contents

- Setting up a local development environment
- Creating your first plugin
- Understanding hooks: actions and filters
- Loading assets the WordPress way
- Optional: Adding a settings screen
- Complete plugin code
- Best practices for plugin development
- Next steps and resources
- Your plugin journey starts here

Setting up a local development environment

Before you write a single line of code, you need a local WordPress environment. WordPress Studio is the fastest way to get started. Studio is open source, maintained by Automattic, and designed for seamless WordPress development.

Example site set up in WordPress Studio.

Follow these steps:

Step 1: Download and install Studio

Visit developer.wordpress.com/studio and download the installer for macOS or Windows.

Step 2: Create your first local site

To create a local site, launch Studio and click Add Site. You’ll see a simple window where you can name your new site. After entering a name and clicking Add Site, Studio automatically configures a complete WordPress environment for you—no command line knowledge needed. Once complete, your new site appears in Studio’s sidebar, providing convenient links to view it in your browser or access the WordPress admin dashboard.

Add Site to WordPress Studio.

Step 3: Open your WordPress site and its admin section

Click the “Open site” link to open your site in the browser. You can also click the “WP Admin” button in Studio to access your site’s dashboard at /wp-admin. You’ll be automatically logged in as an Administrator. This is where you’ll manage plugins, test functionality, and configure settings.

Click Open Site to view site in browser.

Step 4: Open the code in your IDE

Studio provides convenient “Open in…” buttons that detect your installed code editor (like Visual Studio Code or Cursor) and let you open your project in your preferred editor. You can configure your default code editor in Studio’s settings. Once opened in your code editor, you’ll have complete access to browse, edit, and debug the WordPress installation files.

Click VS Code to open your Code Editor

Once you have your local environment for WordPress development set up and running, locate the plugins folder. In your project root, navigate to:

    wp-content/
    └── plugins/

This is where all plugins live. To build your own, create a new folder (e.g., quick-reading-time) and add your plugin files there. Studio’s server instantly reflects changes when you reload your local site.

Example of a folder structure, with a folder labelled Quick Reading Time.

Creating your first plugin

Every plugin starts as a folder with at least one PHP file. Let’s build a minimal “Hello World” plugin to demystify the process.

1. In wp-content/plugins/, create a folder called quick-reading-time.
2. Inside that folder, create a file named quick-reading-time.php.

Your file structure should look like this:

    wp-content/
    └── plugins/
        └── quick-reading-time/
            └── quick-reading-time.php

Add the following code to quick-reading-time.php:

This header is a PHP comment, but WordPress scans it to list your plugin in Plugins → Installed Plugins. Activate it—nothing happens yet (that’s good; nothing is broken).

Tip: Each header field has a purpose. For example, Text Domain enables translation, and License is required for distribution in the Plugin Directory. Learn more in the Plugin Developer Handbook.

Understanding hooks: actions and filters

WordPress plugins interact with core events using hooks. There are two types:

- Actions: Triggered when WordPress does something (e.g., loading scripts, saving posts).
- Filters: Allow you to modify data before it’s displayed or saved.

Let’s add a reading-time badge using the the_content filter:

    function qrt_add_reading_time( $content ) {
        // Only on single posts in the main loop
        if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
            return $content;
        }

        // 1. Strip HTML/shortcodes, count words
        $plain = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
        $words = str_word_count( $plain );

        // 2. Estimate: 200 words per minute
        $minutes = (int) max( 1, ceil( $words / 200 ) );

        // 3. Build the badge: a .qrt-badge paragraph wrapping a span, as styled in style.css
        $badge = sprintf(
            '<p class="qrt-badge" aria-label="%s"><span>%s</span></p>',
            esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
            /* translators: %s = minutes */
            esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
        );

        return $badge . $content;
    }
    add_filter( 'the_content', 'qrt_add_reading_time' );

This snippet adds a reading time badge to post content using the the_content filter. It checks context with is_singular(), in_the_loop(), and is_main_query() to ensure the badge only appears on single posts in the main loop.

The code strips HTML and shortcodes using wp_strip_all_tags() and strip_shortcodes(), counts words, and estimates reading time. Output is localized with esc_attr__() and _n(). The function is registered with add_filter().

With this plugin activated, each post will now also display the reading time:

Loading assets the WordPress way

To style your badge, enqueue a stylesheet using the wp_enqueue_scripts action:

    function qrt_enqueue_assets() {
        wp_enqueue_style(
            'qrt-style',
            plugin_dir_url( __FILE__ ) . 'style.css',
            array(),
            '1.0'
        );
    }
    add_action( 'wp_enqueue_scripts', 'qrt_enqueue_assets' );

Create a style.css file in the same folder:

    .qrt-badge span {
        margin: 0 0 1rem;
        padding: 0.25rem 0.5rem;
        display: inline-block;
        background: #f5f5f5;
        color: #555;
        font-size: 0.85em;
        border-radius: 4px;
    }

Best practice: Only load assets when needed (e.g., on the front end or specific post types) for better performance.

With this change, the reading time info on each post should look like this:

Reading time info displayed on a blog post.

Optional: Adding a settings screen

To make the average reading speed configurable, let’s add a settings page and connect it to our plugin logic. We’ll store the user’s preferred words-per-minute (WPM) value in the WordPress options table and use it in our reading time calculation.

Step 1: Register the setting

Add this code to your plugin file to register a new option and settings field:

    // Register the setting during admin_init.
    function qrt_register_settings() {
        register_setting(
            'qrt_settings_group',
            'qrt_wpm',
            array(
                'type'              => 'integer',
                'sanitize_callback' => 'qrt_sanitize_wpm',
                'default'           => 200,
            )
        );
    }
    add_action( 'admin_init', 'qrt_register_settings' );

    // Sanitize the WPM value.
    function qrt_sanitize_wpm( $value ) {
        $value = absint( $value );
        return ( $value > 0 ) ? $value : 200;
    }

This code registers a plugin option (qrt_wpm) for words-per-minute, using register_setting() on the admin_init hook. The value is sanitized with a custom callback using absint() to ensure it’s a positive integer.

Step 2: Add the settings page

Add a new page under Settings in the WordPress admin:

    function qrt_register_settings_page() {
        add_options_page(
            'Quick Reading Time',
            'Quick Reading Time',
            'manage_options',
            'qrt-settings',
            'qrt_render_settings_page'
        );
    }
    add_action( 'admin_menu', 'qrt_register_settings_page' );

This code adds a settings page for your plugin under the WordPress admin “Settings” menu. It uses add_options_page() to register the page, and hooks the function to admin_menu so it appears in the dashboard. The callback (qrt_render_settings_page) will output the page’s content.

Step 3: Render the settings page

Display a form for the WPM value and save it using the Settings API:

    function qrt_render_settings_page() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        ?>

This function renders the plugin’s settings page, displaying a form to update the WPM value. It checks user permissions with current_user_can(), outputs the form using settings_fields(), do_settings_sections(), and retrieves the saved value with get_option(). The form submits to the WordPress options system for secure saving.

Step 4: Use the setting in your plugin logic

Update your reading time calculation to use the saved WPM value:

    function qrt_add_reading_time( $content ) {
        if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
            return $content;
        }

        $plain   = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
        $words   = str_word_count( $plain );
        // Use the saved words-per-minute value, falling back to 200.
        $wpm     = (int) get_option( 'qrt_wpm', 200 );
        $minutes = (int) max( 1, ceil( $words / $wpm ) );

        // Badge markup: a .qrt-badge paragraph wrapping a span, as styled in style.css
        $badge = sprintf(
            '<p class="qrt-badge" aria-label="%s"><span>%s</span></p>',
            esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
            esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
        );

        return $badge . $content;
    }

This function adds a reading time badge to post content. It checks context with is_singular(), in_the_loop(), and is_main_query() to ensure it runs only on single posts in the main loop. It strips HTML and shortcodes using wp_strip_all_tags() and strip_shortcodes(), counts words, and retrieves the WPM value with get_option(). The badge is output with proper escaping and localization using esc_attr__(), esc_html(), and _n().

With these changes, your plugin now provides a user-friendly settings page under Settings → Quick Reading Time. Site administrators can set the average reading speed for their audience, and your plugin will use this value to calculate and display the estimated reading time for each post.

Complete plugin code

Before we wrap up with best practices, let’s review the complete code for the “Quick Reading Time” plugin you built in this guide. This section brings together all the concepts covered—plugin headers, hooks, asset loading, and settings—into a single, cohesive example. Reviewing the full code helps solidify your understanding and provides a reference for your own projects.

At this stage, you should have a folder named quick-reading-time inside your wp-content/plugins/ directory, and a file called quick-reading-time.php with the following content:

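    <?php
    /**
     * Plugin Name: Quick Reading Time
     * Text Domain: quick-reading-time
     */

    // Register the setting during admin_init.
    function qrt_register_settings() {
        register_setting(
            'qrt_settings_group',
            'qrt_wpm',
            array(
                'type'              => 'integer',
                'sanitize_callback' => 'qrt_sanitize_wpm',
                'default'           => 200,
            )
        );
    }
    add_action( 'admin_init', 'qrt_register_settings' );

    // Sanitize the WPM value.
    function qrt_sanitize_wpm( $value ) {
        $value = absint( $value );
        return ( $value > 0 ) ? $value : 200;
    }

    // Add a settings page under Settings.
    function qrt_register_settings_page() {
        add_options_page(
            'Quick Reading Time',
            'Quick Reading Time',
            'manage_options',
            'qrt-settings',
            'qrt_render_settings_page'
        );
    }
    add_action( 'admin_menu', 'qrt_register_settings_page' );

    // Render the settings page.
    function qrt_render_settings_page() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        // Form markup follows the Step 3 description: settings_fields(),
        // do_settings_sections(), and the saved value from get_option().
        ?>
        <div class="wrap">
            <h1><?php esc_html_e( 'Quick Reading Time', 'quick-reading-time' ); ?></h1>
            <form method="post" action="options.php">
                <?php
                // Outputs the nonce and option group fields that options.php verifies.
                settings_fields( 'qrt_settings_group' );
                do_settings_sections( 'qrt-settings' );
                ?>
                <label for="qrt_wpm"><?php esc_html_e( 'Words per minute', 'quick-reading-time' ); ?></label>
                <input type="number" min="1" id="qrt_wpm" name="qrt_wpm"
                    value="<?php echo esc_attr( get_option( 'qrt_wpm', 200 ) ); ?>">
                <?php submit_button(); ?>
            </form>
        </div>
        <?php
    }

    // Add the reading time badge to post content.
    function qrt_add_reading_time( $content ) {
        if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
            return $content;
        }

        $plain   = wp_strip_all_tags( strip_shortcodes( get_post()->post_content ) );
        $words   = str_word_count( $plain );
        $wpm     = (int) get_option( 'qrt_wpm', 200 );
        $minutes = (int) max( 1, ceil( $words / $wpm ) );

        // Badge markup: a .qrt-badge paragraph wrapping a span, as styled in style.css
        $badge = sprintf(
            '<p class="qrt-badge" aria-label="%s"><span>%s</span></p>',
            esc_attr__( 'Estimated reading time', 'quick-reading-time' ),
            esc_html( sprintf( _n( '%s min read', '%s mins read', $minutes, 'quick-reading-time' ), $minutes ) )
        );

        return $badge . $content;
    }
    add_filter( 'the_content', 'qrt_add_reading_time' );

    // Enqueue the plugin stylesheet.
    function qrt_enqueue_assets() {
        wp_enqueue_style( 'qrt-style', plugin_dir_url( __FILE__ ) . 'style.css', array(), '1.0' );
    }
    add_action( 'wp_enqueue_scripts', 'qrt_enqueue_assets' );

You should also have a style.css file in the same folder with the following content to style the badge:

    .qrt-badge span {
        margin: 0 0 1rem;
        padding: 0.25rem 0.5rem;
        display: inline-block;
        background: #f5f5f5;
        color: #555;
        font-size: 0.85em;
        border-radius: 4px;
    }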

This plugin demonstrates several foundational concepts in WordPress development:

- Plugin Header: The block comment at the top registers your plugin with WordPress, making it discoverable and manageable from the admin dashboard.
- Hooks: The plugin uses both actions (admin_init, admin_menu, wp_enqueue_scripts) and a filter (the_content) to integrate with WordPress at the right moments.
- Settings API: By registering a custom option and rendering a settings page, the plugin allows site administrators to configure the average reading speed, making the feature flexible and user-friendly.
- Sanitization and Security: All user input is sanitized, and output is escaped, following best practices to prevent security vulnerabilities.
- Asset Loading: Styles are loaded using WordPress’s enqueue system, ensuring compatibility and performance.
- Internationalization: All user-facing strings are wrapped in translation functions, making the plugin ready for localization.

By bringing these elements together, you have a robust, maintainable, and extensible plugin foundation. Use this as a template for your own ideas, and continue exploring the WordPress Plugin Developer Handbook for deeper knowledge.

Best practices for plugin development

Building a WordPress plugin is more than just making something work—it’s about creating code that is robust, secure, and maintainable for years to come. As your plugin grows or is shared with others, following best practices becomes essential to avoid pitfalls that can lead to bugs, security vulnerabilities, or compatibility issues. The habits you form early in your development journey will shape the quality and reputation of your work.

Let’s explore the foundational principles that set apart professional WordPress plugin development.

- Prefix everything (e.g., qrt_) to avoid name collisions. WordPress is a global namespace, so unique prefixes for functions, classes, and even option names help prevent conflicts with other plugins or themes.
- Escape and sanitize all output and input to prevent XSS and security issues. Always validate and clean data before saving it to the database or displaying it in the browser. Use functions like esc_html(), esc_attr(), and sanitize_text_field() to keep your plugin safe.
- Translate strings using __() and _n() for localization. Internationalization (i18n) ensures your plugin is accessible to users worldwide. Wrap all user-facing text in translation functions and provide a text domain.
- Use version control (Git) and WP-CLI helpers (wp scaffold plugin, wp i18n make-pot). Version control is your safety net, allowing you to track changes, collaborate, and roll back mistakes. WP-CLI tools can automate repetitive tasks and enforce consistency.
- Ship a readme.txt for the Plugin Directory and changelog. A well-written readme helps users understand your plugin’s features, installation steps, and update history. It’s also required for distribution on WordPress.org.
- Debugging: Enable WP_DEBUG and use tools like Query Monitor for troubleshooting. Proactive debugging surfaces issues early, making them easier to fix and improving your plugin’s reliability.
- Follow the Plugin Developer Handbook and WordPress Coding Standards. These resources are the gold standard for WordPress development, offering guidance on everything from code style to security.

Tip: Adopt these habits early—retrofitting best practices later is much harder. By making them part of your workflow from the start, you’ll save time, reduce stress, and build plugins you can be proud of.

Next steps and resources

You now have a working plugin that demonstrates the three “golden” hooks:

- the_content – injects the badge.
- wp_enqueue_scripts – loads the stylesheet.
- admin_menu – (optionally) adds a settings page.

Where you go next is up to you—try adding custom post types (init), REST API endpoints (rest_api_init), scheduled events, or Gutenberg blocks (register_block_type). The mental model is the same: find the hook, write a callback, let WordPress run it.

Your plugin journey starts here

Every plugin—whether 40 KB or 40 MB—starts with a folder, a header, and a hook. Master that foundation, and the rest of the WordPress ecosystem opens wide. Experiment locally, keep your code readable and secure, and iterate in small steps. With practice, the leap from “I wish WordPress could…” to “WordPress does” becomes second nature.

Ready to build your own plugin? Try the steps above, share your results in the comments, or explore more advanced topics in our developer blog. Happy coding!

Published on July 31, 2025 07:58

July 29, 2025

How to Prevent and Stop a DDoS Attack on Your Website

How do you stop a distributed denial-of-service (DDoS) attack? Through a mix of proactive prevention and a solid plan for the worst-case scenario.

DDoS attacks are a growing problem in their frequency, size, and sophistication. According to Statista, the worldwide number of attacks almost doubled from early 2023 to late 2024, peaking at more than half a million in a quarter — that’s almost 5,600 attacks per day.

Chart tracking the number of DDoS attacks per quarter. Source: statista.com

These attacks don’t just hit government sites or major corporations — even small websites can be targeted. That’s why, as a professional in charge of maintaining a website’s uptime and performance, understanding how to prevent and stop a DDoS attack is critical.

This article covers how DDoS attacks work, how to recognize them, and what to do before, during, and after an attack.

What is a DDoS attack and how does it work?

A DDoS attack against a website or internet service sends overwhelming amounts of traffic to the underlying server or network to make it slow or unavailable. The “distributed” part of DDoS refers to the fact that the attack is carried out by multiple devices at once, usually from different areas of the world.

The devices employed in a DDoS attack are often part of a botnet — a network of machines infected with malware that allow them to be controlled remotely. They can include anything from routers and laptops to home appliances with online capabilities. In 2025, researchers discovered a botnet made of an estimated 30,000 webcams and video recorders.

The spread-out nature of DDoS attacks makes them difficult to trace and fight. The source of the malicious traffic is harder to identify, and distributed attacks can send more requests than single-source assaults. Carrying out such attacks is also increasingly easy with DDoS tools and botnets-for-hire available on the dark web.

The good news is that, due to the effort and cost involved with a DDoS attack, most of them don’t last long. According to Netscout, about 70% of DDoS attacks don’t exceed 15 minutes, and 90% are shorter than an hour.

Chart breaking down the number of DDoS attacks worldwide by their length.

Types of DDoS attacks

There are three broad types of DDoS attacks that each target different parts of a website’s infrastructure:

- Volumetric attacks: This is the most common type. It aims to consume all available bandwidth by flooding the network with massive amounts of traffic.
- Application layer attacks: A type of attack that overwhelms your website’s server and network with repeated HTTP or database requests.
- Protocol attacks: Also called state-exhaustion attacks, they target network equipment and infrastructure like load balancers and firewalls.

Attackers may also combine several types to make fighting off the attack more difficult.

Why do websites become targets?

Common reasons for being on the receiving end of a DDoS attack are:

- Ideological reasons: Some attacks are politically motivated and target government websites or institutions aligned with causes that the perpetrators don’t agree with.
- Hacktivism: Hacktivist groups have been known to use DDoS attacks to protest war, censorship, or foreign policy decisions.
- Extortion: Criminals may launch attacks to extort money in exchange for stopping the disruption.
- Cyberwarfare: Attacks also happen between countries to disrupt each other’s essential services during a conflict.
- Business competition: Competitors may try to knock rival businesses offline during a key sale or launch.
- Experimentation: Inexperienced hackers might carry out DDoS attacks “for fun” or to test their skills.
- Opportunity: Many attacks are automated and simply happen because a website is vulnerable. It’s random and can even happen to a personal website.

Potential consequences of being attacked

When your website becomes suddenly unavailable to visitors, it can have many negative effects:

- Loss of sales, leads, ad revenue, and other sources of income
- Damaged customer trust, loyalty, and confidence in your product
- Lowered rankings in search results
- Expensive post-attack cleanup and hosting bandwidth fees

Some attackers use DDoS as a smokescreen for other malicious activity, like hacking your site.

A real-world DDoS example

To give you a better idea of what these types of attacks look like, let’s look at an example.

The largest attack ever reported was a 5.6-Tbps DDoS attack in 2024. At its peak, it was sending 666 million packets per second and lasted 80 seconds. The attack happened as part of a larger campaign of cyber attacks occurring during that period.

Visualization of the largest DDoS attack in history.

How to detect a DDoS attack

The first step in fighting a DDoS attack on your website is spotting it. Here are some telltale signs to watch for:

- Your website or parts of it become extremely slow to load or stop responding altogether, accompanied by error messages and timeouts
- A sudden and sustained spike in traffic, especially from unusual locations and IP addresses
- Server resource usage suddenly maxes out without a corresponding increase in legitimate visitors
- Your hosting provider, monitoring tools, and other parts of your DDoS prevention setup alert you to unusual activity or downtime

Effective DDoS prevention strategies

Stopping a DDoS attack on your website requires a two-pronged approach: setting up a multi-layered defense system that makes these types of assaults difficult and preparing a response plan.

1. Use a hosting provider equipped to deal with DDoS attacks

Your hosting provider is your website’s first line of defense. It’s in charge of the architecture targeted by DDoS attacks. If your host crumbles, your site goes down with it.

The right type of web hosting plays an important role. Unlike traditional, single-server hosting, cloud hosting like WP Cloud can dynamically add computing resources, helping to mitigate DDoS traffic.

WP Cloud homepage banner example.

In addition, look for hosting features that actively help prevent a DDoS attack. For example, all WordPress.com plans come with built-in DDoS mitigation. They don’t have traffic or visitor limits, so you don’t have to worry about extra costs in the aftermath of a DDoS attack.

2. Invest in website security

Keeping your website secure helps protect against a DDoS attack, as well as being a best practice.

To secure your site, do the following:

- Use strong passwords and credentials for all site users.
- Implement brute-force protection.
- Set sensible user roles and permissions.
- Encrypt website traffic using SSL/HTTPS.
- Perform regular malware scans.
- Keep WordPress updated, as well as updating all plugins and themes (if you’re a WordPress.com customer, all updates are handled automatically).
- Perform regular backups, preferably automated and with one-click restore.

These options are all available with a managed hosting provider like WordPress.com. Best of all, if your site still ends up hacked, cleanup is free.

3. Optimize website performance

Another factor in DDoS mitigation is site performance. A well-optimized site can better withstand unexpected traffic surges. While that won’t stop the attack itself, it can help your site remain partially usable and responsive.

A helpful first step is to test your website with something like WordPress.com’s Website Speed Test Tool and follow the recommendations to improve your site’s performance.

Website speed test tool report example.

Common ways to make your website more optimized are:

- Compressing images
- Using a fast-loading theme
- Keeping plugins to a minimum
- Implementing caching
- Using a content delivery network (CDN)

Hosting is also a performance factor. On WordPress.com, performance features include servers with high-frequency CPUs and a global edge cache and CDN with 28+ locations, as well as high burst capacity. On Commerce and Business plans, you can activate the Site Accelerator CDN to deliver images and static files more quickly. More information is available in the site performance docs.

4. Monitor network traffic and uptime

You can only identify a DDoS attack when you have the data to spot the signs of one.

An uptime monitoring service sends you alerts via email, SMS, or push notification when your site becomes unresponsive or goes offline. In addition, connecting your site to Google Analytics or a similar solution will help you understand traffic patterns and notice sudden spikes from single countries, IP ranges, or unknown referral sources.

Traffic spike tracked in Google Analytics.

If possible, you may also monitor server performance metrics like CPU load, memory usage, and bandwidth consumption for warning signs.

5. Use a CDN

A CDN is not just a great tool for improving website performance, but also a good countermeasure to DDoS attacks. It’s able to absorb some of the malicious traffic and continue serving site visitors even when another region or the main server is under attack. Cybersecurity experts on Reddit agree that it’s one of the most effective methods.

Look for a provider with an anycast network. This is a setup with one IP address shared across servers in different locations, which allows malicious traffic to be spread out (or diffused) throughout it. This greatly reduces the risk of downtime because no single machine bears the full brunt of the attack.

Cloudflare is a popular CDN provider and it helped stop the record-breaking DDoS attack mentioned earlier in this article. Sites hosted on WordPress.com benefit from integrated Cloudflare features that don’t require extra setup.

6. Set up a web application firewall

A web application firewall (WAF) acts as a gatekeeper between your website and incoming traffic. It can filter requests before they reach your site and thus block common DDoS vectors and diffuse attacks early.

Firewall plugins are one way of adding a WAF to your site. Many security plugins and CDNs include a WAF as part of their service.

Finally, your hosting provider can also set up a firewall for you. For example, WordPress.com includes a powerful firewall in every plan, which it manages and updates for you.

7. Apply rate limiting

Rate limiting controls the number of requests a single user or IP address can make to your server in a given time. During a DDoS attack, it acts as a throttle to reduce the impact of malicious traffic without completely blocking legitimate users. This buys time for other defenses to respond and is often part of a firewall.

Rate limiting can apply to login attempts (such as those covered by brute-force protection on WordPress.com), API requests, visits to specific URLs, or other levels of the network.

Use allowlists to exclude known legitimate IP addresses from rate limiting, so that you and other website users can continue taking action against an ongoing attack. Use blocklists to keep away repeat offenders or known botnets.
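The throttle, allowlist, and blocklist described above fit together as in the following sketch. It is an added example, not code from WordPress.com or any firewall product; the class name, limits, and address ranges (documentation ranges) are assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque


class RateLimiter:
    """Per-IP sliding-window limiter with an allowlist and a blocklist.

    Limits, window size and the address ranges are illustrative assumptions.
    """

    def __init__(self, limit, window_seconds, allowlist=(), blocklist=(),
                 clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.block = [ipaddress.ip_network(n) for n in blocklist]
        self.clock = clock
        self.hits = defaultdict(deque)  # client IP -> timestamps of accepted requests

    @staticmethod
    def _matches(ip, networks):
        return any(ip in net for net in networks)

    def check(self, client_ip):
        """Return (decision, retry_after_seconds) for one incoming request."""
        ip = ipaddress.ip_address(client_ip)
        # Allowlist wins, so operators keep access even if a broad range is blocked.
        if self._matches(ip, self.allow):
            return "allow", 0.0
        if self._matches(ip, self.block):
            return "block", None
        now = self.clock()
        recent = self.hits[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # forget requests that left the window
        if len(recent) >= self.limit:
            # Throttle (an HTTP 429 response) instead of banning outright.
            return "throttle", self.window - (now - recent[0])
        recent.append(now)
        return "allow", 0.0

    def purge(self):
        """Drop idle clients so the table cannot grow without bound during a flood."""
        now = self.clock()
        idle = [k for k, q in self.hits.items()
                if not q or now - q[-1] >= self.window]
        for key in idle:
            del self.hits[key]


def demo():
    """Replay a constructed request sequence against a fake clock."""
    t = [0.0]
    rl = RateLimiter(limit=3, window_seconds=10,
                     allowlist=["203.0.113.10/32"],   # constructed: site admin
                     blocklist=["198.51.100.0/24"],   # constructed: repeat offender
                     clock=lambda: t[0])
    out = {}
    out["burst"] = [rl.check("192.0.2.7")[0] for _ in range(5)]
    out["admin"] = {rl.check("203.0.113.10")[0] for _ in range(50)}
    out["blocked"] = rl.check("198.51.100.23")[0]
    t[0] = 10.0                                       # the window has elapsed
    out["after_window"] = rl.check("192.0.2.7")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

The throttled client is served again once its window has passed, which is the difference between rate limiting and a blocklist entry.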

8. Develop a response plan

Even with solid defenses in place, no site is fully immune to DDoS attacks. Creating a clear plan for the worst-case scenario will help you quickly identify, mitigate, and recover from an attack. Do the following:

- Define team roles and responsibilities, for example, who is responsible for monitoring your alarm systems so you can discover attacks quickly.
- Document key contacts, communication channels, and login credentials, like your hosting provider’s emergency support.
- Create a checklist of steps to follow when you suspect a DDoS attack is happening, including how to enable emergency WAF/CDN settings.
- Plan out your customer communication strategy in case your site becomes unavailable.
- Practice the response plan with your team along with training for general security practices.

How to deal with a DDoS attack in progress

These steps will help you weather a DDoS attack:

1. Stay calm

Remember, a DDoS attack is more of an inconvenience than it is a real danger to your site. In most cases, your data is safe. Plus, DDoS attacks are usually short-lived and survivable with proper action.

So, take a deep breath, avoid rushed decisions, and start implementing your response plan.

2. Confirm you’re actually dealing with an attack

Not every site slowdown or outage is caused by a DDoS attack. There are other possible reasons, like plugin errors, server misconfiguration, a hosting outage, or sudden traffic increases due to a blog post going viral.

Confirm the cause so you can respond appropriately. Look for warning signs such as:

- Sudden and unusual spikes in visits or requests in traffic logs or analytics
- Repeated requests to the same page or endpoint, like “wp-login.php”
- A flood of requests from a small number of IP ranges or geographic regions
- Messages or alerts from your WAF or CDN provider

3. Contact your hosting provider

Your hosting provider can and should be your strongest ally to stop a DDoS attack. They have the tools, infrastructure, and expertise to help mitigate the impact.

Reach out to your provider’s support team as soon as you suspect a DDoS attack. They can check whether they see the same thing on their end, and may already be taking action behind the scenes.
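The first three warning signs from step 2 can be measured from an access log before you open the support conversation. The following is an added example, not part of the original article; the log lines are constructed, and the thresholds and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')


def parse(lines):
    """Yield (minute, ip, path-without-query) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.replace(second=0), m["ip"], m["path"].split("?", 1)[0]


def source_range(ip):
    """Group clients by /24 (IPv4) or /48 (IPv6) so neighbours count together."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def triage(lines, spike_factor=5, share_threshold=0.5):
    """Measure spike size, endpoint repetition and source concentration."""
    records = list(parse(lines))
    per_minute = Counter(minute for minute, _, _ in records)
    if not per_minute:
        return None
    peak_minute, peak = per_minute.most_common(1)[0]
    # The median stays close to normal traffic while the burst covers few minutes.
    baseline = median(per_minute.values())
    in_peak = [(ip, path) for minute, ip, path in records if minute == peak_minute]
    top_path, path_hits = Counter(p for _, p in in_peak).most_common(1)[0]
    top_range, range_hits = Counter(
        source_range(ip) for ip, _ in in_peak).most_common(1)[0]
    return {
        "peak_minute": peak_minute.strftime("%Y-%m-%d %H:%M"),
        "peak_requests": peak,
        "baseline_per_minute": baseline,
        "traffic_spike": peak >= spike_factor * max(baseline, 1),
        "top_path": top_path,
        "top_path_share": round(path_hits / peak, 2),
        "repeated_endpoint": path_hits / peak >= share_threshold,
        "top_range": top_range,
        "top_range_share": round(range_hits / peak, 2),
        "concentrated_sources": range_hits / peak >= share_threshold,
    }


def constructed_sample(attack=True):
    """Build constructed log lines (documentation address ranges), not real traffic."""
    fmt = '{ip} - - [29/Jul/2025:10:{m:02d}:{s:02d} +0000] "{verb} {path} HTTP/1.1" 200 512'
    pages = ["/", "/blog/", "/about/", "/contact/"]
    lines = [fmt.format(ip=f"192.0.2.{10 + 4 * m + i}", m=m, s=10 * i, verb="GET", path=p)
             for m in range(5) for i, p in enumerate(pages)]      # five quiet minutes
    for i in range(60):                                           # the busy minute
        if attack:   # few sources hammering the login endpoint
            ip, verb, path = f"198.51.100.{i % 20 + 1}", "POST", "/wp-login.php"
        else:        # a post going viral: one URL, many unrelated sources
            ip, verb, path = f"2001:db8:{i + 1:x}::1", "GET", "/blog/launch/"
        lines.append(fmt.format(ip=ip, m=5, s=i, verb=verb, path=path))
    lines += [fmt.format(ip=f"203.0.113.{i + 1}", m=5, s=10 * i, verb="GET", path=p)
              for i, p in enumerate(pages)]                       # regular visitors
    return lines


if __name__ == "__main__":
    for label, flag in (("flood", True), ("viral post", False)):
        print(label, triage(constructed_sample(attack=flag)))
```

Both constructed samples show a spike on a single URL; only the flood also shows most requests coming from one address range. These numbers are evidence to hand to your host, not a verdict on their own.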

Example chat with WordPress.com support.

4. Set your WAF and CDN to emergency mode

Most firewalls and CDNs offer special settings for high-threat situations to keep your site online. For example, on WordPress.com you can enable defensive mode to activate an automated browser challenge for visitors in order to filter out automatic bot traffic.

Example of defensive mode engaging on a WordPress.com site.

5. Keep website visitors informed

During a DDoS attack, communication is key to maintaining customer and visitor trust. Use your social media profiles or a status page hosted on another service to share updates and reassure your audience.

Inform users that you’re aware of the issue and are actively working to resolve it. Let customers know which services are affected, especially if you run an e-commerce or membership site. Provide estimated timelines if possible, but avoid making promises you can’t keep.

6. Be patient

DDoS attacks are scary but mostly short-lived. Once your mitigation measures are in place, the best course of action is to simply wait it out.

Focus on monitoring your systems and adjusting filters rather than overreacting or making major changes. Keep an eye on traffic patterns so you know when the attack ends. Then, slowly go back to business as usual but stay vigilant for other threats, like a compromised site or a second wave of attacks.

7. Conduct a post-mortem

After the attack, evaluate its impact and how well your defenses worked. Check which assets were targeted, as well as which parts of your strategy worked and which didn’t. Use the knowledge you gather to improve existing systems and strengthen your site fortifications.

Equip yourself against DDoS attacks on your website

The defense against DDoS attacks starts long before one hits your site. By combining smart infrastructure choices, proactive security practices, and a clear response plan, you can dramatically reduce the risk and impact of an attack.

Looking for hosting with built-in DDoS protection and expert support? Choose WordPress.com and focus on growing your site, not defending it.

Published on July 29, 2025 11:00

July 28, 2025

A New and Improved Code Editing Experience

WordPress.com just made coding from your WordPress admin more powerful and enjoyable. Whether you’re an everyday user or a developer, you’ll have access to modern features like syntax highlighting, autocomplete, and search and replace when you reach for the code editor.

Launched in the last week, we’re bringing enhanced code editors to two aspects of the WordPress.com experience:

- Post and site code editors
- Additional CSS input box

Let’s dive into what this upgraded experience looks like.

Customize block code in the post and site editors

Have you ever opened the Code editor from the block or site editor and been presented with a mass block of nearly unreadable text with no syntax highlighting?

Code editor with no syntax highlighting.

You’ve probably wished for something a tiny bit more sophisticated. Maybe even something that would help you type faster, spot errors easily, or just simply make the code easier to read.

Until now, that didn’t exist unless you installed a custom or third-party plugin to handle it.

Welcome to a new improved experience—now available to everyone:

Code editor with syntax highlighting.

As you can already see when comparing this screenshot to the previous one, the code is much more readable.

Beautiful CSS in additional CSS code boxes

Writing custom CSS just got a lot better, too. The post and site editors were a welcome improvement, but you’re more likely to actually touch code when writing custom CSS under the Styles panel in the Site Editor.

In the past, you would see something like the following when adding code in the Additional CSS box under the Styles panel:

Additional CSS box.

Now — just like the post and site code editors — you can see your CSS in all its glory, just like it was meant to be:

Code editor example with all CSS visible.

What features are included?

Some features included in the new code editors are:

- Syntax Highlighting: View your code colorized according to the language, which makes it much easier to understand the structure at a glance and even write your own code.
- Autocomplete: Save keystrokes, prevent errors, and speed up your workflow with a simple autocomplete feature.
- Intelligent Formatting: Enjoy features like line numbers, auto-indentation, and bracket pairing for a smoother experience.
- Language Support: The new editors detect and highlight both HTML and CSS—no more “plain text” boxes for your code!

Oh, and there’s search and replace support too. When viewing code inside a code editor, press `Command + F` on Mac or `Ctrl + F` on Windows to pull up the search/replace panel at the bottom of the editor:

Example of how to use keyboard shortcuts to search/replace code.

The search/replace feature includes matching by:

- Case (exact match of uppercase and lowercase letters)
- Regular expressions
- Whole word

You can also replace individual occurrences of found matches or all of them in one go.

What’s coming in the future?

With syntax highlighting, autocomplete, and other standard code editing features, WordPress.com bridges the gap between a basic CMS and a powerful code-friendly platform. This is a step forward for developers, power users, and anyone who needs to tinker with code once in a while — without ever leaving the editor.

But this is merely a first iteration of improved code editing across the platform. So I’ll leave the question to you: How would you like to see code editing evolve over time to make your experience more empowering?

Personally, I’d like to see the new features applied to the Code and HTML blocks. Maybe I’ll even have some luck convincing the team to implement one or both.

Regardless, the future is exciting whether you like to tinker with code once in a while or dive into it every day. For now, go try out the new editors and let us know what you think!

Published on July 28, 2025 13:53

July 24, 2025

WordPress vs. Substack: Choose the Best Platform for Your Newsletter

If you’re looking to start a newsletter, you’ve likely encountered two major options: Substack and WordPress. While both can help you reach your audience, they represent fundamentally different approaches to building your online presence. One locks you into a single platform with limited growth potential, while the other provides a foundation you can build on for decades.

In this concise guide, we’ll compare WordPress vs. Substack to help you choose the platform that aligns with your long-term goals as a creator.

Substack: Simple but limited

Substack invented itself as a newsletter-first platform, offering creators a straightforward way to write, publish, and monetize newsletter content.

Substack’s strengths:

- Simple setup: Launch a newsletter quickly with minimal technical knowledge.
- Built-in discovery: Potential exposure through Substack’s recommendation system.
- Integrated monetization: Easy paid subscription setup.

Substack’s limitations:

- Platform dependency: Your entire business exists within Substack’s ecosystem. If they make changes you don’t like—whether to pricing, features, or policies—you’re forced to accept them or start over completely on another platform.
- Unsustainable revenue sharing: Substack takes 10% of your subscription revenue forever. This becomes extremely expensive as you scale. A creator earning $5,000 pays Substack $500 per month.
- Limited customization: Substack offers minimal branding and design options. Your newsletter looks like everyone else’s, making it difficult to establish a unique brand identity.
- Growth ceiling: While Substack has expanded beyond newsletters to include podcasts and video, it remains limited to basic communication mediums. You can’t easily sell products, courses, or memberships without using separate platforms.
- Platform evolution: Substack has increasingly focused on social features like tweets and shorts. This shift toward chasing cheap engagement rather than fostering meaningful creator-audience relationships contradicts why many chose newsletters in the first place.

WordPress: Built for ownership and growth

WordPress powers over 40% of all websites because it offers something Substack can’t: complete ownership and unlimited potential for growth. As the world’s most popular website software that’s endured for decades, WordPress provides the foundation for creators who want to build something lasting.

With WordPress, you can build a beautiful web and newsletter presence to truly stand out.

WordPress’ strengths:

- Complete ownership: With WordPress, you own your content, data, and audience without being locked into any single company’s platform. Your website, subscriber list, and content remain under your control regardless of what happens to hosting companies or service providers.
- Unlimited customization: WordPress offers thousands of themes and plugins, allowing you to create exactly the newsletter and website experience you envision. Want specific colors, fonts, layouts, or functionality? WordPress makes it possible through extensive customization options.
- Platform independence: WordPress is portable. You can move your site between hosting providers, change themes, or modify functionality without losing your content or starting over. This flexibility ensures you’re never trapped by a single company’s decisions or policy changes.
- Superior SEO capabilities: WordPress sites consistently rank higher in search engines thanks to clean code structure, SEO plugins like Yoast and RankMath, and complete control over technical optimization. This means new audiences can discover your content organically.
- Unlimited growth potential: Start with a newsletter and seamlessly expand:
  - Full website
  - Sell products
  - Online courses and membership areas
  - Podcasts and multimedia content
  - Community forums

WordPress’ limitations:

- Technical knowledge: Self-hosted WordPress requires a basic understanding of web hosting, domain management, and website maintenance. While many hosting providers offer one-click WordPress installation, you’ll still need to handle updates, backups, and security measures. But there are hosts like WordPress.com that can handle all of that for you.
- Plugin and theme management: With thousands of plugins and themes available, choosing the right combination can be overwhelming. Some plugins may conflict with each other or slow down your site, requiring careful selection and testing.

WordPress.com Newsletter: Best of both worlds

WordPress.com Newsletter offers the same benefits of WordPress while removing the complexities of WordPress behind the scenes. It’s easy to start a newsletter or a full website, grow your audience, and build meaningful connections.

WordPress.com’s strengths

- All the benefits of WordPress listed above
- Creator-first pricing: Start completely free with unlimited subscribers and sends. Upgrade your plan to reduce fees, all the way down to 0%. This can add up to thousands of dollars in savings as you grow your subscriber list.
- The calm platform: For those that are trying to leave “always-on” social media platforms, WordPress.com offers a thoughtful platform focused on meaningful creator-audience relationships without the anxiety of chasing trends or social media metrics.
- Built for growth: Transform your newsletter into a full website, add e-commerce functionality, create membership areas, or expand into any direction your creativity takes you—all without changing platforms.

WordPress.com’s limitations

- Discovery ecosystem: While WordPress.com offers the Reader and other discovery features, it isn’t as strong as Substack’s recommendation system. Building your initial audience may require more active promotion and SEO efforts.

Head-to-Head comparison

| Feature | WordPress.com Newsletter | WordPress | Substack |
| --- | --- | --- | --- |
| Setup Difficulty | Easy | Moderate | Very easy |
| Ownership | Complete | Complete | Limited |
| Customization | Extensive | Extensive | Limited |
| SEO Capabilities | Strong built-in SEO | Strong built-in SEO | Limited |
| Monetization Fees | 0-10% (decreases with paid plan) | Depends on plugin | 10% of everything |
| Growth Potential | Unlimited | Unlimited | Communication mediums only |
| Technical Requirements | None | Hosting, plugins | None |
| Content Portability | Complete | Complete | Can export, will need new platform |
| Discovery Options | WordPress Reader, SEO, social | SEO, social | Substack network only |

When to choose each platform

Choose Substack if:

- You want the fastest possible setup
- You’re comfortable with permanent platform dependency
- You don’t mind paying 10% of your revenue indefinitely
- You have no plans to expand into e-commerce, courses, or forums
- You’re willing to accept limited customization and branding options

Choose WordPress if:

- You want to own your platform and audience completely
- You value long-term cost savings over short-term convenience
- You plan to grow beyond newsletters into a full online business
- You want superior SEO and organic discovery capabilities
- You prefer maximum customization and branding control
- You want the security of platform independence
- You’re comfortable with some technical maintenance

Specifically Choose WordPress.com Newsletter if:

- You want WordPress without technical complexity
- You need professional newsletter features with creator-friendly pricing
- You want to start free and scale affordably
- You value a calm platform, free from social media style tweets and shorts
- You value having your online presence integrated under one platform

Setting up your newsletter with WordPress

Option 1: WordPress.com Newsletter (recommended for most creators)

- Visit WordPress.com/newsletter and select “Start my newsletter”
- Go through the onboarding checklist to finish setting up your newsletter

Option 2: WordPress + Jetpack Newsletter

- Choose a WordPress hosting provider like Pressable or Bluehost
- Install WordPress (most hosts offer one-click installation)
- Install and activate Jetpack, which is made by the people behind WordPress.com and offers all of the same benefits as WordPress.com Newsletter
- Configure Jetpack Newsletter settings

Option 3: Add Newsletter to an existing WordPress.com site

- Add a Subscribe Block or Newsletter Subscription Pattern to your existing site
- Update Newsletter settings to your liking.

Importing from Substack to WordPress.com

If you’re ready to make the move from Substack, migrating to WordPress.com is straightforward:

- Export your Substack content and subscribers
- Visit the content importer by visiting Tools -> Import
- Import your content to WordPress.com
- Import your subscribers to WordPress.com
- Update your Newsletter settings

Your questions answered

How much does WordPress.com Newsletter cost compared to Substack? WordPress.com Newsletter starts free with unlimited subscribers and sends. Paid plans offer lower transaction fees (down to 0%) compared to Substack’s permanent 10% revenue share. See our detailed cost comparison to understand potential savings.

What does “owning your content and subscriber list” actually mean? It means your content and audience data belong to you, not the platform. You can export everything at any time, switch to different hosting, or change platforms entirely. With Substack, your audience relationship is mediated through their platform—if they change policies or shut down, rebuilding becomes much more difficult.

Can I customize my WordPress newsletter’s appearance? Yes, extensively. WordPress.com offers numerous themes, color schemes, custom fonts, logos, and layout options. You can create a unique brand identity rather than looking like every other newsletter on the platform.

How do I know WordPress is reliable for email delivery? WordPress.com sends over 20 million emails daily with excellent deliverability rates. This infrastructure has been refined over 17+ years and includes proper authentication, spam protection, and delivery optimization.

Is it really easy to import from Substack? Yes. WordPress.com’s import process handles both content and subscribers. The technical migration typically completes in hours, though you may want to spend additional time customizing your new site’s appearance and features.

Can I start free and add paid subscriptions later? Absolutely. This is one of WordPress.com’s key advantages—start building your audience for free, then add monetization when you’re ready, with much lower fees than Substack.

Your newsletter deserves a forever home

Choosing a newsletter platform isn’t just about today—it’s about where you want to be in five years. Substack might offer quick setup, but WordPress gives you a foundation that grows with your ambitions.

WordPress represents a fundamentally different philosophy: instead of renting space on someone else’s platform, you’re building a forever home on the open web. A place where you make the rules, keep more of your revenue, and never worry about platform changes affecting your business.

Whether you choose WordPress.com Newsletter for the perfect balance of power and simplicity, or self-hosted WordPress with Jetpack for maximum control, you’re choosing ownership over dependency, flexibility over limitations, and unlimited potential over artificial constraints.

Your brand deserves a home you own.

Start your WordPress.com Newsletter today or learn more about migrating from Substack to begin building your audience on a platform you truly control.

Have you made the switch from Substack to WordPress? Share your experience in the comments below!

Published on July 24, 2025 02:00

July 22, 2025

How to Change Your Domain Name With Zero Downtime

Changing your domain name can feel intimidating and isn’t without risks. If done carelessly, it can lead to broken links, lost traffic, and a drop in search rankings. At the same time, it can also be a chance to rebrand, upgrade to a more memorable website address, and improve your SEO.

The difference simply lies in careful planning and execution. In this tutorial, you’ll learn everything you need to know to change your website’s domain name with as little hassle as possible.

Why change your domain name?

Your site’s domain name is a very important part of branding, which is why you usually want to keep it as is. Then again, there are also many valid reasons to switch.

For example, you might have changed your company or blog name and want your domain to match it. Or maybe your business has changed, and your current domain no longer accurately represents what you do.

Another possibility is that you found a better, shorter, more memorable, or more professional domain.

You might also only want to change the domain extension, such as when relocating your business and going for a country-specific TLD like .de, .fr, or .co.uk. Domain changes also happen for legal reasons, such as trademark conflicts.

Finally, you might aim to improve your SEO with a more relevant domain or distance yourself from an old name that carries a damaged reputation.

No matter the reason, a domain change can be a smart move if you plan it carefully and with a clear purpose in mind.

Challenges to be aware of

Switching to a new domain name is not without risks. Discussing them isn’t meant to scare you off, but to stress the importance of preparing well. Most of the risks can be minimized or avoided entirely, and if your reasons for changing your site’s domain name are good, the effort is usually worth it.

Loss of branding

Making the switch without communicating it can negatively impact your audience’s brand association that you worked so hard to build. Returning visitors might not recognize your site right away and think it has shut down or moved.

In addition, any other marketing material your domain name was part of, such as logos, slogans, social media presences, or printed materials, may need updates.

SEO implications

Your site will likely experience a drop in rankings and website traffic after the domain change. This is a normal part of the process and is usually temporary. Search engines need time to recrawl and re-index your site under the new domain.

You do, however, need to do the necessary work to maintain your rankings. For the most part, that means putting redirects in place to make sure traffic from search engines, backlinks, and other sources is sent to the correct (new) address.

Costs involved

Changing your domain name isn’t just a technical task, but can come with financial costs:

- More expensive fees for the new domain.
- Paying for two domains during the transition period.
- Design costs, such as for logo changes and reprinting branded materials.
- Technical costs like development time or a new SSL certificate.
- Additional marketing costs to promote the new domain.

While not all of these costs apply in every case, it’s important to budget for them in advance.

Website downtime and technical issues

There can be technical hiccups as well, such as:

- Lengthy DNS changes may cause your site to become temporarily inaccessible.
- Redirect mistakes can lead to broken pages or errors.
- SSL certificates may not transfer automatically and may stop working.
- Email services connected to your domain can be disrupted.
- Third-party integrations and APIs may need reconfiguration.

These issues are usually temporary, but even a short period of downtime can affect visitor trust and search engine rankings.

Time investment

Even with a clear plan, transitioning to a new domain involves many small steps, most of which need to be done by hand. It can be time-consuming, but it’s critical for success.

Expect the process to take several hours at minimum, and potentially days depending on the complexity and size of your site. It’s better not to rush than to deal with time-consuming problems later.

Changing your domain: A step-by-step guide

Here’s how to switch domains with minimal disruption.

1. Choose and purchase your new domain

The process of choosing a domain name is worth its own article, so we won’t go over it in detail here. You can register domains from any registrar. When using WordPress.com, you get domain privacy and super fast DNS included. Just saying.

Use our domain search tool to find your desired name:

Make your choice, then continue to the checkout and complete your purchase. That’s it.

Tip: Do you want your domain and hosting under one roof? Switch to WordPress.com’s world-class secure hosting using our hassle-free site migrations and get a free domain for the first year (on annual plans). You can also move your existing domain and manage everything in one place.

2. Plan your redirects

A redirect is like a virtual signpost showing that a web page has moved. It automatically sends visitors and search engines from an old address to the new one.

If you change your domain name without redirects, old links to your site in search results, other websites, and social media will lead to broken pages and 404 error messages. That’s why redirects are essential to preserve traffic, SEO value, and usability, and why they need to be planned in advance.

There are different kinds of redirects. The one most relevant here is the 301 redirect, which signals that a page has permanently moved.

Make a list of your most important pages — blog posts, product pages, landing pages, and any content that gets consistent traffic — and plan their counterparts on the new domain.

For detailed information, check out our online course lesson on redirects.
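A redirect plan can be written down as data and checked before and after the switch. The following is an added example, not part of the original tutorial; the domains, paths, recorded responses, and function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "old-name.example"   # constructed placeholder domains
NEW_HOST = "new-name.example"


def plan_redirects(old_urls, new_host, moved_paths=None):
    """Map each old URL to its counterpart on new_host (HTTPS, same path and query).

    moved_paths optionally renames individual paths, e.g. {"/shop": "/store"}.
    """
    moved_paths = moved_paths or {}
    plan = {}
    for url in old_urls:
        parts = urlsplit(url)
        path = moved_paths.get(parts.path, parts.path) or "/"
        plan[url] = urlunsplit(("https", new_host, path, parts.query, ""))
    return plan


def validate_plan(plan, old_host, new_host):
    """Return (source, problem) pairs for entries that would misroute visitors."""
    problems = []
    for src, dst in plan.items():
        s, d = urlsplit(src), urlsplit(dst)
        if s.hostname != old_host:
            problems.append((src, "source is not on the old domain"))
        if d.scheme != "https":
            problems.append((src, "target is not HTTPS"))
        if d.hostname != new_host:
            problems.append((src, f"target host {d.hostname} is not the new domain"))
        if dst in plan:
            problems.append((src, "target is itself redirected (chain or loop)"))
    return problems


def audit_responses(plan, observed):
    """Compare recorded (status, Location) pairs against the plan.

    observed maps an old URL to what the server returned for it, collected
    with any HTTP client that does not follow redirects.
    """
    findings = {}
    for src, expected in plan.items():
        status, location = observed.get(src, (None, None))
        if status is None:
            findings[src] = "no response recorded"
        elif status != 301:
            findings[src] = f"status {status}, expected 301"
        elif location != expected:
            findings[src] = f"Location {location}, expected {expected}"
    return findings


def demo():
    plan = plan_redirects(
        ["https://old-name.example/",
         "http://old-name.example/blog/hello-world/?utm=x",
         "https://old-name.example/shop"],
        NEW_HOST, moved_paths={"/shop": "/store"})
    # Constructed responses: one correct, one temporary redirect, one that
    # dumps a deep link onto the homepage.
    observed = {
        "https://old-name.example/": (301, "https://new-name.example/"),
        "http://old-name.example/blog/hello-world/?utm=x":
            (302, "https://new-name.example/blog/hello-world/?utm=x"),
        "https://old-name.example/shop": (301, "https://new-name.example/"),
    }
    return plan, validate_plan(plan, OLD_HOST, NEW_HOST), audit_responses(plan, observed)


if __name__ == "__main__":
    for part in demo():
        print(part)
```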

3. Notify your audience

Once you are ready to execute the domain change, let your audience know about it ahead of time. Send out an announcement via email, blog post, or banner on your site.

Example of announcement blog post from a well-known brand changing their name (and their domain name to match).

Clearly explain that only the address will change, not the content or company behind your website. Use this opportunity to reinforce your branding and highlight improvements that come with the change.

4. Change DNS records

DNS stands for “Domain Name System.” It’s a network of servers containing the information regarding which domain points to which server. It’s essentially the internet’s phone book (if you are old enough to remember those).

To change domains, you need to update your new domain name’s DNS settings so it is connected to your server and site. This process isn’t instantaneous — the changes have to register or “propagate” globally, which takes up to 48 hours, but usually happens much sooner.

Here’s where to direct your new domain depending on your use case:

- If all you are doing is switching the domain name, aim it at your existing website. Your site will simply have two domains for a while, allowing you to switch once ready with no downtime.
- Should you be changing hosts too, point the new domain to your new server instead, and keep the old site live as is for now. This allows you to migrate your content and prepare the new site without affecting your current web presence. You can update the DNS to point the old domain to your new hosting provider once ready.

You can manage your domain’s DNS settings through your domain registrar or a management panel like cPanel, and it roughly looks like this:

- Get your hosting provider’s nameserver address(es). It will be something like “ns1.example.com” and “ns2.example.com.”
- Log in to your domain registrar account and find your new domain’s DNS or nameserver settings.
- Update the A records with your hosting provider’s nameservers.
- Save the changes.

Make sure to back up the DNS records from your old domain in case you need them later!

In WordPress.com, you manage your site domains under Upgrades → Domains (or Hosting → Domains if you are using WP Admin).

If you purchased your domain together with hosting, it’s automatically connected to your site. You also have the option to switch transferred domains to the WordPress.com nameservers with the click of a button.

You can learn all about it in our detailed instructions for , including alternative methods, and more information about DNS on WordPress.com.

5. Back up your existing website

Always back up your website in full before making major changes like switching your domain name. On a managed hosting provider like WordPress.com, backup is done for you, and you can restore your site with one click.

When self-hosting your website, use a backup plugin like Duplicator or back up your site manually. Make sure to save both your database and website files. For even more security, download your backup and store it in multiple places.

6. Switch the domain in your CMS

The upcoming steps will all directly impact your site’s usability and — possibly — availability. Therefore, if you are not switching your host along with your domain and only have one version of your site, it’s highly recommended that you use a staging site first before making changes to your live website.

When the DNS changes have propagated, it’s time to update your site to use the new domain. In WordPress, you usually do this under Settings → General. Fill in the new domain under WordPress Address (URL) and Site Address (URL), then save at the bottom.

Both settings should include the https:// or http:// part and not have a slash (“/”) at the end.

Depending on your hosting provider, these settings may also be located elsewhere. For example, on WordPress.com, you change your website’s primary domain in the aforementioned Upgrades → Domains.

An important consideration for this step is your SSL certificate. You need to ensure it is active and valid for the new domain. On WordPress.com, SSL/HTTPS is included with every plan.

7. Update links in your database

After changing your domain, all WordPress page and menu links will switch automatically as well. However, you likely still have manually created links pointing to the old domain in posts, pages, and elsewhere.

The easiest way to update those is to replace them in your website’s database. WordPress has several plugin solutions for this, like Update URLs.

Alternatively, you can use a tool such as the database search and replace script by Interconnect, SQL commands inside phpMyAdmin, or WP-CLI. Double-check your input and, if your tool supports it, run a preview or dry run first to avoid making mistakes!
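A dry run of this kind can be sketched as follows. This is an added example, not code from the original post or from any of the tools named above; the domains and sample rows are constructed. It also checks something the post does not mention: WordPress stores some values as PHP-serialized strings with byte-length prefixes, which a raw text replace can invalidate when the new domain has a different length.

```python
import re

# Assumed domains for illustration; the new one is deliberately longer.
OLD, NEW = "https://olddomain.com", "https://new-domain.com"

# Constructed rows standing in for wp_posts / wp_options values.
SAMPLE_ROWS = {
    "post:12": '<a href="https://olddomain.com/pricing">Pricing</a>',
    "option:widget_text": 'a:1:{s:3:"url";s:27:"https://olddomain.com/about";}',
    "option:blogname": "My Site",
}

def serialized_ok(value):
    """Heuristic: every PHP s:N:"..." prefix matches its byte length."""
    data = value.encode("utf-8")
    for m in re.finditer(rb's:(\d+):"', data):
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
    return True

def dry_run(rows, old=OLD, new=NEW):
    """Report what a raw text replace would do, without changing rows."""
    report = {}
    for key, value in rows.items():
        hits = value.count(old)
        if not hits:
            continue
        replaced = value.replace(old, new)
        # Valid serialized data before but not after means PHP's
        # unserialize() would reject the value once written back.
        corrupts = serialized_ok(value) and not serialized_ok(replaced)
        report[key] = {"hits": hits, "after": replaced, "corrupts": corrupts}
    return report

if __name__ == "__main__":
    for key, info in dry_run(SAMPLE_ROWS).items():
        flag = "WOULD CORRUPT" if info["corrupts"] else "ok"
        print(f"{key}: {info['hits']} hit(s), {flag}")
```

Rows flagged as corrupting need a replace method that also rewrites the length prefixes rather than a plain SQL text replace.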

8. Implement redirects

Now the only thing left is to set up redirects from your old to your new domain. You have two main options for that, depending on your scenario:

- Set up redirects on the old server: When you move hosting providers along with switching your domain name, you can keep your old website around, but redirect it completely. In this case, you do NOT change the DNS record of your old domain to the new host.
- Redirect on the new server: If you plan on directing your old domain to your new host, redirects have to be in place on the new server. That’s because, once you change the DNS records of your old domain, anyone who uses it will arrive at the new server and need to be redirected to the right location from there.

A plugin like Redirection is great for self-hosted sites where you will keep the old website around, at least for a while. It has a dedicated option to move your entire site.

There are also SEO plugins that help you set up redirects, like All in One SEO.

A comfortable solution for implementing redirects on the new server is your .htaccess file. Place the following code at the top of the file and make sure to replace the example domains with your old and new domains:

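    RewriteEngine On
    # Match requests for the old domain, with or without www
    RewriteCond %{HTTP_HOST} ^olddomain\.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.olddomain\.com$
    # Permanently redirect to the same path on the new domain over HTTPS
    RewriteRule ^(.*)$ https://newdomain.com/$1 [R=301,L]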

Tip: On WordPress.com, redirecting your website is super easy. It happens automatically when you change the primary site address.

9. Check site links thoroughly

Once redirects are in place, be sure to test them! Access your most important pages via your old domain and see if you land in the right place. You can also use a bulk redirect checker to test multiple links at once.
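The checks worth making on each old URL can be expressed as a small audit. This is an added example, not code from the original post: the response table is constructed, `NEW_HOST` and `MAX_HOPS` are assumptions, and a live run would fill the table from real HEAD requests. It flags temporary redirects, cleartext hops, dropped paths, and chains that never reach the new domain.

```python
from urllib.parse import urlsplit

NEW_HOST = "newdomain.com"   # assumed new domain, as in the .htaccess example
MAX_HOPS = 3                 # assumed limit; longer chains are flagged

# Constructed responses: requested URL -> (status code, Location header).
# A live check would fill this table from real HEAD requests.
SAMPLE_RESPONSES = {
    "http://olddomain.com/about": (301, "https://newdomain.com/about"),
    "https://www.olddomain.com/blog/post?p=1": (301, "https://newdomain.com/blog/post?p=1"),
    "http://olddomain.com/shop": (302, "https://newdomain.com/shop"),
    "http://olddomain.com/contact": (301, "https://newdomain.com/"),
    "http://olddomain.com/docs": (301, "http://newdomain.com/docs"),
    "http://newdomain.com/docs": (301, "https://newdomain.com/docs"),
}

def audit_redirect(url, responses=SAMPLE_RESPONSES):
    """Follow the redirect chain for url and return a list of problems."""
    start, problems, seen = urlsplit(url), [], set()
    current = url
    while current in responses:
        if current in seen or len(seen) >= MAX_HOPS:
            problems.append("redirect loop or chain too long")
            break
        seen.add(current)
        status, location = responses[current]
        if status != 301:
            problems.append(f"{current} answers {status}, not 301")
        if urlsplit(location).scheme != "https":
            problems.append(f"cleartext hop to {location}")
        current = location
    final = urlsplit(current)
    if final.hostname != NEW_HOST or final.scheme != "https":
        problems.append(f"ends at {current}, not https://{NEW_HOST}")
    if (final.path or "/", final.query) != (start.path or "/", start.query):
        problems.append(f"path or query changed: {current}")
    return problems

def audit_all(urls):
    """Map each old URL to its list of problems (empty list = OK)."""
    return {u: audit_redirect(u) for u in urls}
```

An empty list means the URL reached the same path on the new domain over HTTPS using only 301 responses.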

While you are at it, look for any broken links on your site and correct or redirect them as well. You can find them with a plugin like Broken Link Checker. The aforementioned Redirection plugin also tracks 404 errors, so you can easily point them to the right location.

Another option is advanced tools like Sitebulb or Screaming Frog.

Once you’re done with that, if you’ve been working with a staging site so far, now is the time to move your changes over to your live or production website.

10. Signal the domain change in Google Search Console

To preserve your SEO rankings and speed up the reindexing process, Google needs to be notified that your website has moved to a new domain. To do that, both your old and new domain names need to be set up and verified in Google Search Console.

Open the old domain property and use the Change of Address tool under Settings.

Select your new domain from the drop-down menu and click Validate & Update.

In addition, prepare and submit a new sitemap for your new domain under Indexing → Sitemaps.

Do the same for other webmaster tools you might have connected to your site.

11. Update Google Analytics

The last step is confirming your change in domain in Google Analytics so you can continue tracking your traffic correctly. Log in to your Google Analytics account and go to the Admin panel, and then to Data streams under Data collection and modification.

Edit the stream details to use your new domain’s URL.

Ensure the existing tracking code is installed on the new domain and working properly. If you plan to track traffic for both domains, make sure to enable cross-domain measurement.

Next steps

The domain switch is done, but a few follow-up steps help ensure everything continues to run smoothly:

- Stay on top of analytics and Search Console: Watch for crawl errors, indexing issues, warnings, and unexpected changes in traffic patterns to catch problems early.
- Update robots.txt: Check your robots.txt file for any hard-coded links to the old domain, such as the sitemap URL.
- Revise social profiles: Update the website URL on all your social media accounts to reflect the new domain.
- Adjust email addresses: Change any email addresses that used your old domain. On WordPress.com, you can use email forwarding for that.
- Migrate backlinks: While redirects should do a good job of preserving the SEO value of your backlinks, it’s a good idea to reach out to websites that have linked to your site and politely ask them to update the links to your new domain.
- Disconnect and cancel the old domain: Monitor traffic and indexing to ensure the new domain has fully replaced the old one in search results before canceling the old domain. Google recommends maintaining 301 redirects for at least 12 months to preserve SEO value.

Change your domain name with confidence

A domain name isn’t just an address — it’s part of the brand and identity of your site and business. Changing it can feel like a risk, but it can also be an opportunity to grow, move forward, or start fresh.

What matters most is that you take your time. Switching to a new domain is a process with many steps that requires careful planning and attention to detail.

Of course, having a good partner on your side makes it easier. Choose WordPress.com and comfortably manage domains and redirects right from your site backend.

Published on July 22, 2025 02:00
