Each time we hear about a Web site being attacked, the owner of the hacked site doesn’t understand why their site was targeted. The short answer is that the bad guys are rarely looking to attack a specific site. Instead they are looking for sites that are vulnerable. Let’s go over some of the specifics that can make your site vulnerable and ways you can protect it.
For a minute, pretend you are an enterprising hacker and you want to make the most money possible. If you are going to attack sites, wouldn’t it make sense to go after the most popular platform on the Web? WordPress powers 28% of all sites (as of this writing) which is far more than any other platform. Because of this, it is targeted regularly.
What Needs to Be Updated
There are three major components to the WordPress ecosystem that can be vulnerable. First is the core WordPress installation. Next are themes installed in WordPress. Every site must have at least one theme and it is common to have 2-5 installed. The third are plugins that are added to a WordPress site. Typically sites will have 10-25 plugins installed. All of these components provide a way for bad guys to compromise your site. Let’s look at each component separately.
In a given year, the core WordPress is updated 5-10 times. Updates address known security issues, fix bugs and add new features. For site security, the most important reason to install an update quickly is to make sure the security issues are patched. When you purchase hosting for a WordPress site, it may include automatic installation of the core WordPress files. It also may not. We’ve seen sites that haven’t had the core WordPress updated in several years and those sites are huge targets for hackers.
For those of you who have hosting plans that automatically update the core WordPress, you can at least breathe easy on that component. Most site owners probably don’t even know if the updates are automatic so this is something worth investigating. If your site isn’t updated automatically, you need to develop a plan to check for updates and get them installed in a timely manner.
Do You Have a Good Theme?
It is possible that a theme never has updates released. While this may seem like a good thing since you don’t have to install the update, it typically means the theme becomes more vulnerable over time. Let’s pretend you use XYZ Theme (this is a fictional name) and it hasn’t been updated in a year. In total, we’ll say this theme is installed on 10,000 sites. When the hackers find an issue with that theme, they know they can attack a large number of sites very quickly. They aren’t targeting your site, they are targeting all sites with that theme.
Other themes are updated almost every week. While this can mean you have more updates to install, it also means the developers are making sure it is as safe as possible. This is one of many reasons we like Elegant Themes. Plus they are likely adding new features! The key is that someone must log in to the back end of your site and install those updates in a timely manner. This is not a feature often included as part of your site hosting. So if you aren’t doing it, is someone else doing it for you?
Since most sites have a small number of themes installed, it is important to make sure they are all updated. Even the themes not active can be vulnerable. Maybe some of them should be deleted. Even then, the best plan is to make sure they are all updated regularly.
Plugins Provide Power and Vulnerability
Plugins make it very easy to add features to your site, even a layer of security. But each plugin also provides one more component that can be vulnerable. You want a form on your site for visitors to contact you, right? So let’s pretend your site uses ABC Form Builder (again, a fictional name). It is a really popular plugin with 500,000 installs. And because it allows anyone to enter information, it is especially vulnerable if the developer has missed something. When you don’t update it for six months, the hackers will gladly come infect your site with malware.
Since most sites have at least ten plugins and these plugins are regularly updated, you have to really stay on top of it. On a given site, it is quite common to have at least five plugin updates in a given week. If any of them aren’t installed, the bad guys may have a way to attack your site.
We’re not aware of any hosting plan that includes plugin updates. Maybe your Web developer has included this in the plan they sell to you. What we’ve seen is that most site owners simply don’t install updates. It is those same site owners who don’t understand why their site was hacked. Are you installing plugin updates? Is someone else installing them for you?
The Basic Level of Protection
At the very least, every WordPress site must have a plan in place to install updates to the three components we’ve discussed. Even if this is only done once a week, it could take 10-15 minutes to log in to the site and get everything updated. Over a month’s time, that could add up to as much as an hour. Will you take the time to do it? Do you want to pay your Web site developer for an hour of their time to do it?
This is exactly why we developed our WordPress Maintenance Service. Even our Bronze plan does more than simply keep these components updated. Instead of just doing it weekly, updates are installed more often to make sure security patches are in place quickly. So do you want to take an hour or more to do it? Do you want to pay for an hour of your developer’s time? Or do you want it done for a fraction of the cost on an even more regular basis?
What Happens When My Site Gets Hacked?
Each hack is different. Some hacks don’t seem to cause any noticeable change to a site. Other hacks will take a site completely offline. Would not having a Web site for a few days hurt you? Some hacks install malware which infects visitors to your site and causes Google to label you as a bad site and remove you from search engine rankings. Would it hurt you if your visitors are mad at you and your site no longer appears safe to Google? Getting that label removed and regaining your Google ranking can take quite a bit of time.
We’ve also seen hacks where legitimate blog posts are deleted and a number of spammy posts were added. Would it hurt you if the posts you created were gone forever? Would your visitors trust you if your site had a bunch of spammy posts?
Instead of asking yourself why anyone would want to hack your site, you should just assume it is being attacked every single day. Why? Quite simply, it is being attacked. Installing updates regularly is the first line of protection. More can be done by making sure your site is backed up. Should it get hacked, the backup could save you. Active security protection can also be put in place to repel the attacks. This additional protection is part of our Silver WordPress Maintenance plan.
As I write this, I think of an appliance commercial from long ago with the tagline “you can pay me now or you can pay me later.” If you want to do the maintenance yourself, go for it. It’s just most of you aren’t doing it. I’d rather you invest in a maintenance plan to keep your site working well. If not, the cost to recover your site after a hack is probably going to be a lot higher. Add to that any lost revenue from being without a working site for a period of time.
We know the importance of Web sites that work on mobile devices. Often when talking with clients, we explain the importance and they don’t think it applies to their site. That all changes when we look at their traffic stats in Google Analytics and see the exact percentage of mobile visitors.
Google stresses the importance of mobile. If a site isn’t mobile-friendly, it gets penalized in the rankings. Even sites that function on mobile may not be optimized for mobile visitors. Does your site work well on phones and tablets?
We’re proud of the work we do on mobile sites. Our portfolio is one way to show clients what we can do for mobile visitors. We wanted something more and so we took the Google Mobile Sites Certification Exam. Yes, we passed and we did it with a 96% score! Below are the certificates we earned.
First, let’s talk about the conversion process. Deep down, all Web sites are built with HTML. A common process in the past was to hand craft the HTML code. While the site may be awesome, it did take more time to build the site and some changes could be time consuming.
Now it is more common to use a content management system like WordPress to build a site. WordPress, the theme chosen and plugins do much of the heavy lifting and allow the focus to be on the content of the site.
We’ve done quite a few of these conversions and having the original HTML code can be helpful as it can be pasted directly into WordPress in many cases. But that is just a starting point and we often will make changes so the site uses the functionality WordPress offers so the site will function well on all devices.
Having a WordPress site also makes it easier for clients to make minor changes to the site. This can allow clients to save some money or use that money to allow us to make other improvements to the site.
Part of the post focused on using an “agency” vs. using a “freelance designer”. The stereotypes perpetuated can be frustrating as it said agencies were likely to be there after the site launches to provide support and freelancers were far less likely. I’ve found that both agencies and freelancers can be there for support and I’ve also found they can disappear after a site launches. It really depends on each individual agency or freelancer and we’ve heard a lot of success stories as well as horror stories.
Recently a client posted a really nice review on our Yelp page, even though Yelp’s robots decided it was “not recommended”. This is a huge fail for their automation as we’ve already worked with this client on four sites and there is no doubt there will be more in the future. Below is their review of working with us. Should you want to work with us on a conversion from HTML to WordPress, give us some basic information and we’ll discuss the project with you.
Unleashed came recommended to us by a trusted source. But still, it’s website design, and we had had more than our share of bad experiences with some shady characters in the past. Not the case with this company. They could not be more responsive, more knowledgeable or more principled. Since getting their help on a specific problem with a GoDaddy upload, we have transitioned into a more collaborative relationship, bringing them in to consult on everything from social media (double-spacing after a period, they politely pointed out, is a big no-no. Thank you for that!) to AdWords to the picky little technical details that leave us all so frustrated. After spending three hours trying unsuccessfully to embed a YouTube video onto our home page, we cried “Uncle” and asked them to look into it. In less than 10 minutes they called us back to explain that since our site has an SSL certificate and the site we were trying to link to (NBC’s YouTube, no less) does not, embedding a link to a non-secure site is not possible. And that is just one small example of the many problems they have solved for us. Their expertise, flexibility, and ability to offer a variety of solutions have made us proud to call them a partner and recommend them for website design three times this year alone. We cannot recommend Unleashed highly enough.
The folks at Website Magazine had a good article recently about what you need to have a site that works well for you. There was so much good information in this article that we’ll have more blogs in the future that focus on a specific section of the article. We encourage you to read Why a Good Website Won’t Cut It Anymore… and What You Can Do About It so that we can discuss it with you.
The second paragraph of the article was a bit surprising.
Everyone has a good website now. Even guys with food trucks have sleek, responsive online storefronts they use to pump out information and social media awareness. A good website is the minimum expected standard you have to meet, but it doesn’t give you any advantage.
Before you dig deeper into the article, you really need to be honest with yourself as to whether you truly do have a good Web site now. Does it work on all devices, specifically phones? Has it been updated in the last year? Last month? Does it incorporate your social media channels? As the paragraph above states, this is the minimum expected standard and there are many sites that fall well below the standard.
In order to have a good Web site, it needs to be built in a responsive manner. Sure, there are various technical issues involved in the process. A good Web designer should be able to take care of this for you. Sadly, some Web designers aren’t nearly as good as they may claim.
One of the more difficult tasks can sometimes be getting great content from clients. Even if you get good content, does the client have a clear goal of what they want the site to accomplish? Just claiming you want the site to increase sales is not a complete answer. For example, one client was very clear about their goal. The site was supposed to make the telephone ring. This goal was quickly accomplished to the point that the company had to hire more employees to answer the phones.
Of course just making the phone ring could be a nuisance. If there are questions that can be answered on the site, it may make the call more efficient or it could even mean the call is never made as the company isn’t the right answer.
Clients come to us for our expertise in WordPress Web design. Some clients want us to handle everything while others want to have the ability to make any changes they desire. Even when we give clients the ability to make those changes, we try to give them advice that will help them to avoid problems.
Our thought is that it is truly their Web site so we have to allow them to make those changes. If the changes cause problems, they’ll rely on us to fix the problems. Fixing those problems will likely cost them more than simply asking us to make changes in the first place.
Recently just such an issue came up. A client contacted us because their shopping cart wasn’t functioning properly. Products weren’t staying in the cart and other products couldn’t be removed from the cart. At first glance, we also noticed that their pages were not being loaded securely. While this could be related to the problem, it was very concerning to us that the e-commerce data wasn’t properly secured.
We can only guess that the client had also noticed that the store wasn’t secured as there was a WordPress plugin installed related to SSL security. It wasn’t something that was installed by us so it was time to investigate this plugin. At the top of the plugin page was the warning below.
Each plugin included in the WordPress repository also includes some basic stats on updates, compatibility and popularity. As shown in the screenshot at right, this particular plugin hadn’t been updated in more than four years. In the WordPress world, that is ancient history!
As soon as this plugin was disabled, the shopping cart started functioning properly. There were still security issues with the site to be resolved, but the initial problem had been resolved. Unfortunately in trying to fix the security issues, the client had created more problems and yet the site still wasn’t secure.
We did find the root cause of the security issues and got them fixed. Now, the e-commerce functions on the site are working as designed and shoppers can enter their payment data with peace of mind on a secure site.
When I was young, I always got a chuckle because my mom kept a yellow pages in the trunk of her car. This was long before the Internet and smart phones. Her reasoning was that she would have a way to find a business while she was away from home. Yes, the yellow pages were indispensable back then. You may have even had the same reaction as Nathan Johnson did in “The Jerk” as shown in the movie clip below.
The clip ends with “I’m in print, things are going to start happening to me now!” OK, that is from a 1979 movie and it is certainly exaggerated. When you get a new phone book now, do you even open it? When was the last time you used it to find a company to help you?
Most people now use the Internet to find a company to solve the current issue. Often the search is done on a smartphone which means that keeping a phone book in your trunk is no longer needed. But if someone tries to find your company on the Internet, are they going to find you? If you are found, what will they find?
Now let’s talk about the money that businesses once budgeted for ads in the phone book. In talking to a printer in the Phoenix area, their quarter page ad cost them around $900 per month or $10,800 per year. When the phone book was no longer delivering customers to their shop, they had that money already budgeted for marketing.
Obviously a great replacement for an ad is a great Web site. It can deliver far more information than you could fit into a static ad. While building a site does have an upfront cost, the monthly cost to keep the content fresh doesn’t have to be expensive. In the case of the printer, it is less than $200 per month.
While the Web site is great, it is important to get people to the site. The printer runs ads on Google, Facebook and Yelp on a regular basis to bring potential customers to the Web site. Yes, that advertising costs money. I’m going to guess they spend around $500 each month for online advertising. Often I’m asked for more ways they can advertise their business.
Those of you who have had a business for many years will certainly understand the money you once budgeted for an ad in the phone book. Replacing that expense with online marketing expenses can give you wider exposure and still be a smaller investment. If you started a business more recently, it is still important that you allocate money (and time) each month to promoting your business.
Do you have a Web site? If not, you really should consider investing in even a very basic site. When was the last time your site got any significant updates? If it was more than a couple of years ago, you really need to look at updating your site to work with today’s devices. Now determine a budget to invest in a new or updated Web site. It doesn’t have to be a large number. That investment can pay off when more customers find your business.
Once the site is all set, make sure you have a good presence on at least a couple of social media platforms. Facebook is important for almost all businesses. The second or third choice can vary based on your business. Also consider a monthly budget to promote your business online. Once again, it doesn’t have to be a big number if you choose the right platforms.
Need some help with your Web site, social media platforms and online promotion? We’d love to help you. Just give us basic information about how we can help, and we’ll use our online marketing talents for your business. Yes, you may have guessed it, this blog post is one way that we promote our business online.