We’ve always prided ourselves on creating unique, brand-led websites that are fully bespoke in their design and functionality. We have a tried and tested, comprehensive project process that starts at the very basics: understanding your business, its goals, who your target audience is, and the user and customer journeys. From there we work out the structural layout of your pages through wireframing and iterating on what works and what doesn’t, ensuring you understand how your website will function through the use of clickable prototypes and detailed specifications. Designing your website comes next, bringing all your brand language and subtleties into the mix and creating a unique website look that only you have.
Finally, we put it all together through fine-tuned and customised development, building your site to work across all devices, making sure your business needs are met, and send it live for your customers to engage with.
Building on our understanding of our clients’ ongoing need to work more freely on their websites, we even built a tool called the Dynamic Page Builder, which allows content creation and layout modifications without constant intervention by developers, giving our clients more creative control and flexibility during the ongoing life of their website.
When we feel it’s necessary, we will often recommend this bespoke and customised solution for our clients when we can see that their requirements warrant it. However, due to budget restrictions or timing requirements, or simply a lack of experience with these types of projects, they end up opting for something more out-of-the-box like Squarespace, Wix, or will purchase a theme for WordPress through a high-volume web development team who will quickly build a website with the basic application of the brand colours and logo – usually within a couple of weeks, and for less than a couple of grand (and sometimes as low as a few hundred – do yourself a favour and steer clear of those).
With our hand to our heart, we can honestly say the majority of the time those clients will end up coming back to us within 12 – 18 months with the same issues; the agency / developer is unresponsive to their needs, the site can’t adapt to the changing needs of the business, there are limitations on what it can do. The list goes on:
– They’re tired of “cheap” website solutions offered by one-man-band developers who abandon their clients, or lack any brand and marketing experience.
– They’ve been burned by agencies using off-shore developers who lack experience of local industries and attention to detail.
– They’ve worked with teams or individuals that can’t deliver what they promise or within the right budget.
– They want something affordable, but are frustrated with the bloated nature of off-the-shelf WordPress themes, and the issues they run into later when they have new design or content requirements that the theme cannot deliver, or the developers lack the design capabilities to make things look good.
– They’ve tried a system like Squarespace or Wix, but want greater flexibility for customised development if necessary, and want something they have more ownership over than a full SaaS approach (i.e. once you stop paying your monthly fees, your website disappears and you can’t take it elsewhere).
– Their WordPress sites don’t get maintained, and become vulnerable to security risks – the site gets hacked and becomes unusable (this one unfortunately happens too often).
Driven also understood that our comprehensive approach isn’t suitable or even necessary for every type of business, but at the same time we just don’t work with off-the-shelf WordPress themes like most other low-budget-offering agencies do. We’ve also created Squarespace sites for clients in the past as an alternative option but, as mentioned above, they will end up experiencing the same shortcomings that our other clients have expressed to us (by the way, we do actually think Squarespace sites look great!).
Hence the reason why we often end up recommending something more bespoke right from the beginning, and a solution that is backed up by our experience when it comes to creating a website. Of course, when we approach websites (using our full end-to-end project method), the process naturally takes time, and lots of people. While this is great for medium to large businesses, or those with a budget and need for this type of solution, projects that are this customised, large, and detailed require an appropriate budget and timeline for this kind of endeavour.
This left us in a bit of a predicament. We didn’t want to turn away our clients, especially those for whom we’d invested a lot of time and dedication in the foundation of their brand and design work, just because our solution didn’t match their needs or constraints. And we don’t like working with off-the-shelf themes (for reasons mentioned above), so we started thinking – why don’t we try to combine the best of both worlds? Something in between the affordability and speed of a theme-based website, but at the same time something that we could stand behind in terms of quality, security, and ease-of-use – just like our big budget websites?
Well, we Made it (sorry, we had to). Introducing our brand new product offering called Made; a fresh website building solution which is affordable and fast, while still offering our signature design, technical, project managing, and quality-backed experience. Made offers us the ability to work with our clients on establishing their website needs, and then designing and building a solution for them from our Driven crafted framework. Using our years of experience of the most common types of content, design layout, and functionality requirements we put together a library of these elements so we can finally offer all our clients the right solutions for their needs.
With all sites, whether you’re a client undertaking one of our large projects, or one seeking the Made solution, we want to figure out what your website needs to do. With Made, we assess your requirements, and then we create the structure of your website from our framework’s library of content blocks. We take your business’ brand identity and apply it to the design, which then gets implemented into WordPress in the same way our full-sized sites do. You get our custom Dynamic Page Builder tool to create new pages and layouts, freeing you from the constant need for developer intervention. We give you the freedom you want, while still keeping your site easy to maintain and update at your leisure.
The Made offering is available in three tiers. Each comes with its own set of features and options, and each offers a different level of customisation. Each tier also comes with ongoing support to ensure your site remains safe, backed up, and up-to-date. We recommend a tier based on the complexity of your site, but you have the flexibility to choose what’s right for your budget and ongoing needs.
The Made solution offers the following, which others (cheap WordPress themes and / or Squarespace) don’t always provide or don’t do well:
– We do the ongoing maintenance: monthly backups, plugin updates, WordPress upgrades, and feature updates to the service, ensuring you have peace of mind.
– A staging environment for you to review your site before going live, and if / when we do big changes in the future to your site, you can review them and prepare them before making them available to the public.
– We only add the absolutely necessary plugins to your site, and we make sure they pass our quality assessment. Cheap WordPress themes come with a lot of unnecessary add-ons, and this creates headaches for maintenance, can slow your site down, and over time it will increase the security risk to your site.
– We offer monthly phone and email support as part of our service, so you don’t have to rely on reading through countless threads of customer FAQs to find your answer.
– Even though your site is built on our framework, we have the flexibility to customise and do further development if needed. We’re not limited by third-party coding or theme restrictions – if you need something specific, we can do it. Our tiers also cater to the ongoing maintenance of sites with extra customisation, so you’ll still get the updates and support you need.
– We don’t outsource to off-shore teams; your team all work at Driven, understand your business needs, and apply that to the final product. Things don’t get lost in translation.
– We deliver what we say we will. Too many times we get clients telling us they can’t rely on their current or old provider, but we take pride in our ability to stick to the schedule, deliver on time and on budget, and most importantly we give you what you paid for. No hidden costs, no surprises.
So if any of this sounds familiar to you, reach out by getting in touch with us here. You may also be starting out with a new business, or are just looking for a more affordable solution to a new business website, a sub-site, or something else – so for any more information about the Made solution, just reach out to the team at Driven.
Most businesses today have experienced something in the last 10 – 15 years that’s made us have to adapt to a sudden or impending change in the economy, be it the GFC, recessions, or the floods that hit Brisbane in 2011 and impacted countless local businesses. But no one was really ready for what we’re facing right now, and it’s not isolated to one city, state, or country – this is a global situation that the modern world wasn’t prepared for. One day we will look back at these words with hindsight, and through a completely different lens.
Right now we’re all worried, and we’re scared of the uncertainty of what faces us in the near future. It’s that same feeling we got when we were kids, when we were left in the dark and couldn’t see what lies ahead. And it’s ok to feel that way.
The fact is we’re all in this together, we’re all trying to ensure the continuity of our businesses and are scrambling to find some form of predictability and equilibrium in this time of fear. For many, this is going to be a tough time, and you’d be naive to think that anyone is invulnerable to the state of the world and economy as it is right now. People will lose jobs, businesses will close down. We hope for the best, but prepare for the worst.
Driven have been slowly implementing measures over the last year or two to allow our team to work completely remotely, and thankfully that paid off for us when it came time to make a decision to shift our whole team out of our Spring Hill office, and into their homes. We made this decision not only to ensure the safety of our team, but to try and do our little part to help the health care system flatten the curve. While Australia has had fewer diagnosed cases of COVID-19 than many other countries, the reality is that the situation is going to get worse before it gets better, and we need to all do our part to help the authorities and medical professionals manage the situation as best they can.
Like us, many of you are finding your way through the dark right now, trying to find the light to give us some sense of certainty in these times. But we’re here to help you, and the reality is that businesses are going to need to keep operating to keep the economy strong, and to survive and come out fighting when things do settle. Your customers are going to be getting their information in different ways, in the immediate future, and in the next 6 – 12 months. Digital and social are going to be placed high in your priorities for keeping them up to date, and promoting your business.
Because our team have been set up to work at 100% capacity remotely, we’re here to support your business to get you ready for when the dust settles, and to also shift the way you communicate with customers right now. To help our clients, we’re also going to extend payment terms for new work, and will be offering discounts on new projects to help keep your business running and healthy.
Most importantly, above all else, we ask that everyone focuses on their health and that of those around them. These are indeed trying and uncertain times, and we’ve seen some of the more unfortunate, ugly sides of humanity in the news. But it is in times like these that we also see the best, where we come together and do what’s best for those who need it most. Where science and medicine make leaps and bounds, and we notice things in the world around us that we haven’t before, simply because this whole situation has forced us to just slow down a little. Here are some things to help you see the great things that surround us, and are happening – even though the media yells the loudest when things are bad:
– South Korea reports more recoveries than new cases
– The canals of Venice have become clear, and dolphins are visiting the ports of Italy because human activity has drastically slowed down in the waters
– Arnold Schwarzenegger apparently has a tiny horse and donkey
Just remember that not all is bad, and together we will get through this. The Driven team are here to help.
Part 2 of this series looks a little more into a few other types of vulnerabilities and considerations for your website, and what you should be doing to help mitigate these risks. If you missed part 1, read it here.
There’s not much to this type of attack, but it ties into the earlier points about passwords and the need for additional layers of security on your site. Another common mistake users make is to use a really simple, unsafe, and easy to guess password such as “password123” (e.g. see Cash Crates’ data breach in 2018 where 86% of users were using passwords like this). Hackers then use scripts to blast your login forms with combinations of usernames and likely passwords (hence “brute force”), and can get in if a) they have a database of compromised email addresses, and/or b) you don’t have 2FA enabled.
Build a password manager into your workflows, and enable 2FA. This will at least drastically decrease any chance of a hacker actually being able to get into your site this way. A plugin like WordFence (even the free version) also monitors this type of activity, and by default will even block IP addresses that are clearly attempting to use this type of exploit. The premium version offers more control and rules around this, so again we strongly recommend this for all WordPress site owners or managers. Note that these measures aren’t necessarily going to stop these types of attempted attacks, but they will more than likely prevent them from being successful and may even deter them.
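The monitoring described above can also be reproduced from your own web server access logs. The following is an added example (not from the original article, and not WordFence’s code) that flags IP addresses making repeated failed logins; it assumes the Apache/Nginx “combined” log format, that a 200 response to a login POST means a failed attempt and a 302 a successful one, and a threshold and window chosen purely for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the start of an Apache/Nginx "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # ignore query strings
    return m["ip"], ts, m["method"], path, int(m["status"])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed logins inside a sliding time window.

    Assumption: a POST to /wp-login.php answered with 200 is a failed login
    (the form is shown again) and one answered with 302 is a success.
    """
    recent = defaultdict(deque)                # ip -> times of recent failures
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue                           # only login submissions count
        if status == 200:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"peak_failures": 0, "login_after_burst": False})
                f["peak_failures"] = max(f["peak_failures"], len(q))
        elif status == 302 and ip in findings:
            # A success right after a burst: treat the account as compromised.
            findings[ip]["login_after_burst"] = True
    return findings


def _line(ip, hms, method, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521 "-" "-"')


SAMPLE_LOG = (
    # 6 failures in 10 seconds, followed by a successful login
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(0, 12, 2)]
    + [_line("203.0.113.7", "10:00:12", "POST", 302)]
    # a legitimate user who mistyped once
    + [_line("198.51.100.20", "10:05:00", "POST", 200),
       _line("198.51.100.20", "10:05:20", "POST", 302)]
    # 5 failures spread over 40 minutes: below the rate threshold
    + [_line("192.0.2.55", f"10:{m:02d}:00", "POST", 200) for m in range(10, 60, 10)]
    # viewing the login page (GET) is not an attempt
    + [_line("192.0.2.55", "11:00:00", "GET", 200)]
)

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Counting per IP misses attempts spread thinly across many addresses, which is one reason 2FA remains the stronger control.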
You back up your important photos and documents for redundancy, and your website should be no different at all. While we do housekeeping at our end and do backups for internal reasons, frequent backups take time to set up, covering automation, maintenance, housekeeping, and storage solutions. While we offer this to clients as an additional service in our monthly Service Agreements, you should consider running backups yourself if you don’t get your agency to do this. Depending on where you’re hosted, this is sometimes partly managed by certain WordPress managed providers such as WP Engine or FlyWheel, but you should make sure that the backups are set up at a frequency that makes sense to your business – if you make weekly changes to your site, then your backups should be at a higher frequency in case you have to roll back to the last working version. You should also make sure that both the database and the files (all your images, videos etc.) are backed up, as backup solutions often default to just your database as it’s the smallest. Plugins like Updraft Plus allow for tailored control over your backups, and are especially useful for sending them directly to popular cloud-based storage solutions such as Google Drive, Dropbox etc.
As part of our Service Agreements with our clients, we ensure that the core of WordPress is up to date, along with any of the plugins that your site may use. Out of date plugins pose big risks to your website as potential vulnerabilities that exist may not have been patched with recent updates, or the plugin simply may have been abandoned by the original developer and need to be replaced completely. WordPress itself also needs to be kept up to date to ensure you’re getting the most recent security and bug fixes. Unfortunately, this isn’t as simple as just clicking an update button and hoping everything will work nicely after. Websites are built by your agency or developer, WordPress by others, and then every plugin is respectively created by different companies or developers – this creates a lot of potential for issues with compatibility and broken functionality.
As mentioned above, there are also WordPress-specific hosting providers that take care of several of these housekeeping elements for you such as backups and additional layers of security, and some even offer automation around updates. But there’s no perfect, hands-off approach to this. Human intervention is a necessity, unless you’re willing to let it all be done for you by their automated systems and hope that everything works and is compatible after updates. Even when discussing problems with these types of providers with automated options, Driven have been told that a human set of eyes needs to go over everything and check the site still functions as intended.
One of the other things the Driven team gained further insight into at a recent WordPress conference was that disabling an unused plugin isn’t enough to stop hackers from exploiting any existing vulnerabilities that it may have. We won’t go into detail as to how this occurs (it’s to do with SQL Injection if you’re really interested), but as a rule: if a plugin is no longer needed, don’t just disable it but instead ensure that it is removed from the backend of your site.
Another exploit that exists is basically like the phishing emails you may be familiar with in day to day life. To simplify it, if you ever get an email from someone asking you to log into your WordPress site to check a page or some content – don’t. It’s better to be safe and just go to the WordPress interface via your normal processes, and avoid clicking any links that get sent to you. They may appear to be legitimate, and the sender may even appear to be someone from your business or contacts. But as with phishing scams, hackers will try to direct you to official looking forms to then get your login details, and then use those to access your real website.
There’s no silver bullet solution to fully cover your website perfectly, but instead it’s a series of important measures you can take to minimise the chances of your business being impacted by some form of compromise. This article highlights various things to be aware of, and steps you can take to avoid or minimise these risks. Implementing these in both your personal life and for your business and WordPress website, while it adds a lot of extra steps, is extremely important. We’ve seen far too many cases of clients or other businesses who have pushed these to the side, and then are left in very difficult positions when the worst case scenario happens. If you’re a client of Driven, you can engage our team in a monthly Service Agreement where we make sure WordPress and your plugins are up to date and manually tested for compatibility and continued functionality, and backups are taken care of as well. When we have all these measures in place, it allows us much greater control over continual site safety, as well as redundancy measures and options in case something bad does in fact happen.
At the very least you should look at having a site audit and updates done as often as possible, which you can talk to the team about. Adding WordFence Premium and Updraft Plus is something we can help you do, and at least this takes care of some of the monitoring and security for you, letting you know when plugins are out of date or when attacks are potentially occurring, and having the backups available gives you some sort of foundation if your site is compromised.
Designing and building a website is a big undertaking – you spend months working with your agency, managing stakeholders, feedback, expectations, go-live – by the end of it you’re happy it’s all done and dusted, but of course you then have to keep the content relevant and new, manage leads, social cross linking… let’s be honest, it never really ends.
But one thing that we see businesses neglecting, or just (understandably) not being aware of, is the need for security and maintenance of their website, especially those built on the WordPress platform. Without a well maintained and properly protected website, it’s not a matter of if your site will be compromised, but when.
In this two-part series, we will examine some of the key considerations for WordPress security that you can take into your own hands.
It’s worth firstly noting that WordPress isn’t inherently less safe than other platforms, but it does need to be carefully managed simply because it’s one of the most popular content systems. And like anything with a large user-base in today’s day and age, that’s where the “hackers” focus their efforts. Spending time with some of the world’s leading WordPress developers and security experts at a recent conference, the team at Driven gained further insight into some of the many ways your website can be compromised. While there’s a considerable list, many of those fall into the hands of your agency, developer, and / or hosting provider. Below are some of the most common vulnerabilities that website owners (you) should be keeping in mind when reviewing and maintaining your WordPress site.
We’re all guilty of using one basic password in more than one instance as it’s difficult to remember multiple passwords, and it’s impossible to remember the suggested passwords created at random when you make a new account on a new website or app. However, using the same password across more than one account is extremely risky for you and your business – and chances are that, if you do this, it’s just a matter of time before your details are exposed and sold, to then be exploited by bad people.
Here’s an unfortunate yet common scenario: let’s say you use the same password for your email address as you do for your LinkedIn account, and for your WordPress website login you just use the same email address but you thought to yourself “maybe I should keep this password a little different for the sake of safety”. Like most people, you don’t change your email password too often because, let’s be honest, it’s a pain. Back in 2012 LinkedIn’s database was breached by Russian hackers, exposing 6.5 million users’ passwords. The hackers then made this database of passwords (with your login email address) available either for free or, in some cases, to purchase. Someone gets their hands on your details, and now has access to your email account (because remember, you used the same one for LinkedIn). They already have access to two major accounts, with personal and confidential details, conversations etc. The bigger issue here, apart from all the horrible things they can already do with even just access to one account, is that they now control a means of verification and can claim to be you.
As per the scenario above – let’s assume you just use the same email address for your WordPress site, but the password is different. The hackers look at your LinkedIn profile, they see which company you work for and simply go to the URL of your website and add /wp-admin to the end. They’re prompted with a login to the WordPress system, and they go to enter your exposed details from the LinkedIn breach – but you thought ahead! They can’t log in because you decided in advance to choose a different password. Unfortunately, like almost every single login form in existence, websites and app makers understand we have a lot of passwords or that we forget them over time, so they all have that little “Forgot password?” link below them, and the majority of the time it’s just a case of simply entering your email address to get sent a new password… and as you guessed it, they have access to that email address.
They now have full control over your business’ (or the business you work for’s) website as well. It doesn’t take much imagination to figure out what can happen once someone has access to this type of platform – apart from all the various types of public damage to a brand that can be caused by having complete control over the content, design, and what the site does when a normal user then tries to view it – the hackers can also lock everyone else out of the site making it difficult, or impossible to regain control. It’s possible in some cases for your developer or hosting provider to completely shut down the site, but that alone is already a huge issue – and then there’s the question of whether or not they or you have been making regular backups, and if not, there is no way to restore a previously working version of your site.
The above is just a partly made-up scenario, but we have experienced almost the identical situation happening with our clients – the LinkedIn breach is just one example, but this type of mass exposure of passwords, email addresses and personal details is far more common than most people think. A Queensland man by the name of Troy Hunt created a website that allows you to enter your email address to see if, at any point in the past few years, it has been exposed via one of these breaches. Check both your personal and work email addresses against this database to see if they have ever been exposed and take action as needed (see below). You’d be surprised to find that in most cases, your details have been exposed at some point in the last few years.
So you’re probably asking “what can I do?!” – the answer is relatively simple, but you may not like it. In our opinion there are two important measures that you should really try and implement as soon as possible:
1. Use a Password Locker + randomly generated passwords: Password lockers are fairly self-explanatory, and you’re probably using them in some form or another with your mobile devices (e.g. iCloud Keychain) or your computer’s operating system. They’re usually cloud-based services that store all your passwords for you, and will more often than not generate your new passwords for you too. This is useful because it solves a couple of issues that we have:
a) coming up with hard to guess (impossible really) passwords for your accounts, and
b) not needing to remember these since most of these password lockers offer some form of integration with your favourite operating systems or web browsers.
There are a variety of offerings available for password lockers such as LastPass, Dashlane, 1Password, Keeper and many others. Some are free and are great for personal use, but you should ensure that if you’re implementing this across your business, that you find one that allows for a solid foundation of password sharing, team / user managing and control, and works across the technology (operating system/s, browsers etc.) that your business uses. We use LastPass here at Driven, and it has proved to be a great way of keeping track of all our business logins, and it generates unique passwords for each new account we create.
2. Two Factor Authentication (2FA): So how do you protect your password locker? You’re probably thinking that the above tool is all good in theory, but you obviously need to password protect… your passwords. How do you stop someone getting that password and then gaining access to all others? Well firstly, we would recommend making sure that whatever password you use for this purpose is only used for your password locker, and absolutely nothing else. But let’s just pretend for a minute that your password for your locker was somehow discovered and a hacker tries to log in to your account.
You can prevent this from happening, especially on a new device or browser IF you have something called Two Factor Authentication (also known as 2FA, two-step verification, or dual factor authentication) enabled. This simply puts a verification step between the correct details being entered, and actually gaining access to the system. It will most commonly require either an email link, SMS code, or other type of verification code to be entered along with the correct email address and password. This ensures that you are the one trying to gain access to the account, and while it means there’s just one more thing to do – it is one of the most effective ways of protecting yourself against unwanted intrusions and account access.
This of course isn’t just for your password locker, so it should be implemented across all logins where you can. Most platforms offer it as a feature these days (Gmail, Amazon, etc.) – you just have to go into your settings regarding privacy and security and enable it. Our recommendation is to avoid using SMS verification if possible, since this relies on your phone number which, as it turns out, is also easy for hackers to get access to. Without going into too much detail, apparently a simple convincing phone call to your telco with the request of “I’ve lost my phone and got a new SIM card, can you please port my number” can be enough. We suggest listening to this episode of Reply All for a lot more insight into the topic and what can happen to your personal account and data when the wrong people get their hands on it. We tend to use an authenticator app (Google Authenticator on Android or iOS) which generates timed codes like the early days of online banking, which you enter along with your login details.
So how does this relate to your WordPress site? In case it’s not clear – your site more than likely uses a simple username (email) and password form of authentication. In today’s landscape this isn’t enough. Most of our clients’ websites use the free version of WordFence at the least to have a basic additional layer of monitoring and security, and while it does a lot out of the box for free, it will only take you so far. Apart from full scanning, removal of malware, IP blocking (more on that later), and other useful security features, WordFence Premium offers Two Factor Authentication as an option. We’ve been working with clients on purchasing this version of the plugin, and mandating 2FA for all WordPress users of the site. Along with the proper use of a business or team password management tool, you are greatly minimising the chances of unwanted access to your site (and everything else).
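How an authenticator app and a website arrive at the same timed code without talking to each other: this is an added example (not from the original article, and not Google Authenticator’s or WordFence’s code) of the time-based one-time password scheme in RFC 6238, checked against the RFC’s published test key. The `TotpVerifier` class, its one-step clock-drift allowance and its replay check are illustrative assumptions about how a server might validate codes.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(b32_secret: str) -> bytes:
    """Decode the base32 secret shown at enrolment (spaces/case tolerated)."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    return hotp(key, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check (illustrative): tolerate drift, refuse replays."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 drift_steps: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_used_step = -1               # newest step already accepted

    def verify(self, submitted: str, unix_time: float) -> bool:
        current = int(unix_time) // self.step
        for step_no in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if step_no <= self.last_used_step:
                continue                       # code already used: replay
            expected = hotp(self.key, step_no, self.digits)
            # Constant-time comparison avoids leaking how many digits match.
            if hmac.compare_digest(expected.encode(),
                                   submitted.encode("utf-8", "replace")):
                self.last_used_step = step_no
                return True
        return False


# RFC 6238 test key ("12345678901234567890") in the base32 form an
# authenticator app would be given; a published test value, not a real secret.
RFC_TEST_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    import time
    key = decode_secret(RFC_TEST_SECRET)
    print("code for the current 30-second step:", totp(key, time.time()))
```

Because the code depends only on the shared secret and the clock, nothing travels over SMS or email that an attacker who has taken over your phone number or mailbox could intercept.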
Part 2 of our WordPress security insights looks at other types of vulnerabilities that you as a site owner should be aware of, and what you can do to help minimise the risk and protect yourself against these problem areas, so keep reading on here.
In the previous article ‘User experience design: an overview’ we discussed the importance of supporting task associated interactions. Users visit a website not to read every word on the page, but rather, to find something specific and of relevance to them. There are some key guidelines for writing copy for the web which experts in the field have found to be most effective for usability.
Writing web content is quite different from writing for print. In print, storytelling can spice up the content, entertain and persuade a reader that’s in a relaxed setting with more time to take it in. In the web arena, the content must be brief because users are in task mode, on a specific mission and time poor.
It makes sense then that web users prefer writing that is succinct and easy to scan. They don’t respond well to marketing promotional style writing as this is just a level of frill that separates them from the point. By providing text that is succinct, easily scannable and compact, the user’s cognitive load is reduced allowing for more efficient processing of the information.
Here are a few basic tips to help with writing for the web:
1) Paragraphs should contain no more than 3-5 sentences. It’s much easier to consume a small paragraph of information than a large block of text.
2) Start sentences with the most relevant words, don’t leave them until the end of the sentence. Users scan down the left side of the paragraph, so the words at the end of the sentence are often missed.
User experience experts applied these principles to an existing site and reported a 124% increase in usability. This was measured in task time (80% better), task errors (809%), memory (100%), and subjective satisfaction (37%). The full report can be viewed here.
3) Use hyperlinks as navigational tools. Think of links within the copy as sign posts. They stand out within the copy and if described well, can provide information about what is on the linked page and gives users an idea of where they might want to go next.
These 3 tips are just the beginning of writing for the web but hopefully provide a useful overview for those starting out. For further reading try ‘Letting Go of the Words: Writing Web Content that Works’, 2nd edition, by Janice (Ginny) Redish.
UX is any aspect of a person’s interaction with the interface and graphic elements of a website. Although visual design aesthetics play a role in this, UX relates primarily to ease of use. Can the person find what they’re looking for? Can they get to where they need quickly and with minimal frustration? Websites that make people feel confused and frustrated are less likely to be used. If that website is an online store, it means lost revenue. If that website is your company’s online profile, your brand can be perceived as unhelpful.
The main principle of user experience design is to support task associated interactions. What does this mean? The user (person) is almost always in task mode. They might be looking for specific information about what your business offers, how much something costs, where you’re located, whether you provide free shipping.
Users don’t visit a website to read every word on the home page or to view each and every page of the site. They’re looking for something specific and of relevance to them. They do this by scanning the page as quickly as possible, picking out key words and clicking on areas they think may help them achieve their goal.
There are many tried and tested ways to support task associated interactions through careful user experience design. Over the coming months I will be writing about some of these findings from experts in the field. The first will relate to writing copy for the web. Since we know users scan the page quickly during their tasks, it makes sense that copy should be written to support the user. The next article will discuss effective ways to do this.