Part 2 of this series looks at a few other types of vulnerabilities and considerations for your website, and what you should be doing to help mitigate these risks. If you missed part 1, read it here.
There’s not much to this type of attack, but it ties into what we said earlier about passwords and the need for additional layers of security on your site. Another common mistake users make is to choose a simple, easy to guess password such as “password123” (e.g. see the Cash Crates data breach in 2018, where 86% of users were using passwords like this). Attackers then use scripts to hammer your login forms with combinations of usernames and likely passwords (hence “brute force”), or with email address and password pairs lifted from earlier breaches, and they get in if a) they hold a list of compromised email addresses and passwords that still work on your site, or your password is weak enough to guess, and b) you don’t have 2FA enabled.
Use a password manager in your workflows, and enable 2FA. This alone drastically reduces the chance of an attacker getting into your site this way. A plugin like WordFence (even the free version) also monitors this type of activity, and by default will block IP addresses that are clearly attempting it. The premium version offers more control and rules around this, so again we strongly recommend it for all WordPress site owners or managers. Note that none of this will stop the attempts themselves, but it will more than likely stop them from succeeding and may even deter the attacker.
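To show what “clearly attempting” looks like in your own web server logs, here is an added example (not WordFence’s code) that scans access log lines and flags any source address that fails too many logins inside a short window. It assumes the standard Apache/Nginx combined log format; the sample log lines are constructed for the example.

```python
# Added example (not WordFence's code): flag source IPs that POST to the
# WordPress login endpoints too often inside a short window, the same signal a
# login-protection plugin uses before it blocks the address.
# Assumes the standard Apache/Nginx "combined" access log format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # xmlrpc.php allows password guessing too

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def is_failed_login(method, path, status):
    # wp-login.php answers a successful POST with a 302 redirect and a failed
    # one with 200 (the form again); xmlrpc.php returns 200 either way, so every
    # POST to it is counted.
    return method == "POST" and path in LOGIN_PATHS and not (
        path == "/wp-login.php" and status == 302)

def brute_force_sources(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: peak attempts} for IPs exceeding max_attempts failed logins
    within any sliding window of the given length."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if is_failed_login(method, path, status):
            attempts[ip].append(ts)
    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_attempts:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders

# Constructed sample log: one address guessing passwords, one legitimate login.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +1000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:41 +1000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:43 +1000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +1000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +1000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

def demo():
    return brute_force_sources(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, n in demo().items():
        print(f"{ip}: {n} failed login attempts within 5 minutes; candidate for blocking")
```

Run it against a real access log with `brute_force_sources(open("access.log"))`. The threshold and window are deliberately low here; a plugin like WordFence lets you tune both, and the same counting works for the `xmlrpc.php` endpoint, which many brute-force scripts prefer because it is rarely watched.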
You back up your important photos and documents for redundancy, and your website should be no different. We do housekeeping and take backups at our end for internal reasons, but a proper backup regime takes time to set up: automation, maintenance, housekeeping, and storage. We offer this to clients as an additional service in our monthly Service Agreements, but if your agency doesn’t do it for you, you should run backups yourself. Depending on where you’re hosted, this is sometimes partly managed by WordPress managed providers such as WP Engine or Flywheel, but make sure the backups run at a frequency that makes sense for your business – if you make weekly changes to your site, your backups need to be at least that frequent, so that you can roll back to the last working version. You should also make sure that both the database and the files (all your images, videos etc.) are backed up, as backup solutions often default to just the database because it’s the smallest. Plugins like UpdraftPlus allow tailored control over your backups, and are especially useful for sending them directly to popular cloud storage such as Google Drive or Dropbox. Finally, test a restore from time to time – a backup you have never restored is an assumption, not a safeguard.
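The “both the database and the files” point is easy to get wrong quietly, so here is an added example (not UpdraftPlus’s or any host’s code) of a backup script that bundles both halves into one archive, records its SHA-256, and then verifies that the archive really contains a usable database dump and the site files before it is trusted. The dump is passed in as a callable, which in practice would wrap `mysqldump`; the sample site and dump used by `demo()` are constructed for the example.

```python
# Added example (not UpdraftPlus or any host's code): bundle the WordPress
# files and a database dump into one archive, record its SHA-256, and verify
# that the archive actually holds both halves before it is relied on.
# The database dump is supplied by a callable so that `mysqldump` (assumed to
# be wrapped by the caller, e.g. via subprocess) is not required to run this.
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

def build_backup(wp_root, dump_sql, out_dir):
    """Archive wp_root (wp-config.php, themes, plugins, uploads) plus the SQL
    dump returned by dump_sql(); writes <archive>.sha256 beside it."""
    wp_root, out_dir = Path(wp_root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    archive = out_dir / f"wp-backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    sql = dump_sql()
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(wp_root), arcname="files")
        info = tarfile.TarInfo("db.sql")
        info.size = len(sql)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(sql))
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(str(archive) + ".sha256").write_text(digest + "\n")
    return archive

def verify_backup(archive):
    """Check integrity and that both the database and the files are present."""
    archive = Path(archive)
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    result = {"checksum_ok": actual == expected, "has_db": False, "has_files": False}
    if not result["checksum_ok"]:
        return result          # do not trust the contents of a modified archive
    with tarfile.open(archive, "r:gz") as tar:
        names = tar.getnames()
        if "db.sql" in names:
            result["has_db"] = b"CREATE TABLE" in tar.extractfile("db.sql").read()
        result["has_files"] = "files/wp-config.php" in names and any(
            n.startswith("files/wp-content/") for n in names)
    return result

def demo():
    """Constructed sample site in a temp dir; returns (verification of a good
    archive, checksum_ok after the archive has been tampered with)."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
    (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG")
    fake_dump = lambda: b"CREATE TABLE `wp_posts` (`ID` bigint unsigned NOT NULL);\n"
    archive = build_backup(site, fake_dump, tmp / "backups")
    good = verify_backup(archive)
    with open(archive, "ab") as f:       # simulate corruption or tampering
        f.write(b"\x00")
    return good, verify_backup(archive)["checksum_ok"]
```

Ship the `.sha256` file to the offsite location together with the archive, and run `verify_backup` on the copy that was actually uploaded rather than the local one. The archive contains `wp-config.php` with database credentials, so the storage location needs the same access controls as the site itself.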
As part of our Service Agreements with our clients, we ensure that the core of WordPress is up to date, along with any of the plugins that your site uses. Out of date plugins pose big risks to your website: known vulnerabilities may have been fixed only in releases you haven’t installed, or the plugin may simply have been abandoned by the original developer and need to be replaced completely. WordPress itself also needs to be kept up to date so you get the most recent security and bug fixes. Unfortunately, this isn’t as simple as clicking an update button and hoping everything works nicely afterwards. Websites are built by your agency or developer, WordPress by others, and every plugin by different companies or developers again – this creates a lot of potential for compatibility issues and broken functionality.
As mentioned above, there are also WordPress-specific hosting providers that take care of several of these housekeeping elements for you, such as backups and additional layers of security, and some even offer automated updates. But there’s no perfect, hands-off approach to this. Human intervention is a necessity, unless you’re willing to let their automated systems do it all and hope that everything still works and is compatible after updates. Even when we have discussed problems with providers that offer automated updates, Driven have been told that a human set of eyes needs to go over everything and check the site still functions as intended.
One of the other things we gained further insight into at the recent WordPress conference the Driven team attended is that disabling an unused plugin isn’t enough to stop hackers from exploiting any vulnerabilities it has. The reason is that deactivating a plugin only stops WordPress loading it; the plugin’s files stay on the server under wp-content/plugins, and a vulnerable file that can be requested directly (the conference example involved SQL injection) can still be reached. So, as a rule: if a plugin is no longer needed, don’t just deactivate it but make sure it is deleted from the backend of your site.
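An added example (not WordPress or WordFence code) of the audit a site owner can run to catch plugins that are deactivated but still on disk. It compares the contents of wp-content/plugins with the `active_plugins` option, which is assumed to have been fetched with the WP-CLI command `wp option get active_plugins --format=json`; on a multisite install the network-activated plugins in `active_sitewide_plugins` must be merged in as well. The plugin directory built by `demo()` is constructed for the example.

```python
# Added example (not WordPress or WordFence code): list plugins that are still
# on disk under wp-content/plugins but are not in the active_plugins option.
# The active list is assumed to come from `wp option get active_plugins --format=json`
# (WP-CLI); on multisite, merge in active_sitewide_plugins too.
import tempfile
from pathlib import Path

def plugins_on_disk(plugins_dir):
    """Plugin slugs present on disk: each directory, or a single-file plugin
    such as hello.php. index.php is WordPress's own placeholder, not a plugin."""
    slugs = set()
    for entry in Path(plugins_dir).iterdir():
        if entry.is_dir():
            slugs.add(entry.name)
        elif entry.suffix == ".php" and entry.name != "index.php":
            slugs.add(entry.name)
    return slugs

def active_slugs(active_plugins):
    """active_plugins entries look like 'akismet/akismet.php' or 'hello.php';
    the part before the slash is the directory slug."""
    return {entry.split("/", 1)[0] for entry in active_plugins}

def inactive_on_disk(plugins_dir, active_plugins):
    """Plugins that are deactivated but whose code is still reachable on disk."""
    return sorted(plugins_on_disk(plugins_dir) - active_slugs(active_plugins))

def demo():
    """Constructed plugins directory with three plugins, one of them active."""
    plugins = Path(tempfile.mkdtemp()) / "plugins"
    for slug in ("akismet", "old-gallery"):
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text("<?php // constructed plugin header\n")
    (plugins / "hello.php").write_text("<?php // constructed single-file plugin\n")
    (plugins / "index.php").write_text("<?php // Silence is golden.\n")
    return inactive_on_disk(plugins, ["akismet/akismet.php"])
```

Anything the function lists is a candidate for `wp plugin delete <slug>` (or Delete in the Plugins screen), after checking that nothing else depends on it. Rerun the audit after updates, since some plugins leave old copies behind.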
Another attack works much like the phishing emails you may be familiar with in day to day life. To put it simply: if you ever get an email asking you to log into your WordPress site to check a page or some content – don’t click the link. It’s safer to go to the WordPress login via your normal process, and avoid clicking any links that are sent to you. They may appear to be legitimate, and the sender may even appear to be someone from your business or contacts. But as with other phishing scams, attackers direct you to official looking login forms to capture your details, and then use those to access your real website.
There’s no silver bullet that fully covers your website; instead it’s a series of important measures you can take to minimise the chances of your business being impacted by some form of compromise. This article highlights various things to be aware of, and steps you can take to avoid or minimise these risks. Implementing them in both your personal life and for your business and WordPress website adds a lot of extra steps, but it is extremely important. We’ve seen far too many cases of clients or other businesses who have pushed these to the side, and are then left in very difficult positions when the worst case scenario happens. If you’re a client of Driven, you can engage our team in a monthly Service Agreement where we make sure WordPress and your plugins are up to date and manually tested for compatibility and continued functionality, and backups are taken care of as well. With all these measures in place, we have much greater control over continual site safety, as well as redundancy measures and options in case something bad does in fact happen.
At the very least you should look at having a site audit and updates done as often as possible, which you can talk to the team about. Adding WordFence Premium and Updraft Plus is something we can help you do, and at least this takes care of some of the monitoring and security for you, letting you know when plugins are out of date or when attacks are potentially occurring, and having the backups available gives you some sort of foundation if your site is compromised.
Designing and building a website is a big undertaking – you spend months working with your agency, managing stakeholders, feedback, expectations, go-live – by the end of it you’re happy it’s all done and dusted, but of course you then have to keep the content relevant and new, manage leads, social cross linking… let’s be honest, it never really ends.
But one thing we see businesses neglecting, or (understandably) just not being aware of, is the need for security and maintenance of their website, especially those built on the WordPress platform. Without a well maintained and properly protected website, it’s not a matter of if your site will be compromised, but when.
In this two part series, we will examine some of the key considerations for WordPress security that you can take into your own hands.
It’s worth firstly noting that WordPress isn’t inherently less safe than other platforms, but it does need to be carefully managed simply because it’s one of the most popular content systems. And like anything with a large user-base in today’s day and age, that’s where the “hackers” focus their efforts. Spending time with some of the world’s leading WordPress developers and security experts at a recent conference, the team at Driven gained further insight into some of the many ways your website can be compromised. While there’s a considerable list, many of those fall into the hands of your agency, developer, and / or hosting provider. Below are some of the most common vulnerabilities that website owners (you) should be keeping in mind when reviewing and maintaining your WordPress site.
We’re all guilty of using one basic password in more than one instance as it’s difficult to remember multiple passwords, and it’s impossible to remember the suggested passwords created at random when you make a new account on a new website or app. However, using the same password across more than one account is extremely risky for you and your business – and chances are that, if you do this, it’s just a matter of time before your details are exposed and sold, to then be exploited by bad people.
Here’s an unfortunate yet common scenario: let’s say you use the same password for your email address as you do for your LinkedIn account, and for your WordPress website login you use the same email address but thought to yourself “maybe I should keep this password a little different for the sake of safety”. Like most people, you don’t change your email password too often because, let’s be honest, it’s a pain. Back in 2012 LinkedIn’s database was breached, exposing 6.5 million users’ password hashes, most of which were cracked soon after. The hackers then made this database of passwords (with your login email address) available either for free or, in some cases, to purchase. Someone gets their hands on your details, and now has access to your email account (because remember, you used the same password for LinkedIn). They already have access to two major accounts, with personal and confidential details, conversations etc. The bigger issue here, apart from all the horrible things they can already do with access to even one account, is that they now control the mailbox every other service uses to verify that you are you.
As per the scenario above – let’s assume you use the same email address for your WordPress site, but the password is different. The hackers look at your LinkedIn profile, see which company you work for, go to the URL of your website and add /wp-admin to the end. They’re prompted with a login to the WordPress system, and they enter your exposed details from the LinkedIn breach – but you thought ahead! They can’t log in because you chose a different password. Unfortunately, like almost every login form in existence, websites and apps understand that we have a lot of passwords and forget them over time, so they all have that little “Forgot password?” link, and the majority of the time it’s simply a case of entering your email address to be sent a reset link or a new password… and, as you guessed, they have access to that email address.
They now have full control over your business’ (or the business you work for) website as well. It doesn’t take much imagination to figure out what can happen once someone has access to this type of platform – apart from all the public damage to a brand that can be caused by having complete control over the content, design, and what the site does when a normal user views it – the hackers can also lock everyone else out of the site, making it difficult or impossible to regain control. It’s possible in some cases for your developer or hosting provider to completely shut down the site, but that alone is already a huge issue – and then there’s the question of whether or not they or you have been making regular backups, and if not, there is no way to restore a previously working version of your site.
The above is a partly made up scenario, but we have seen almost identical situations happen to our clients – the LinkedIn breach is just one example, and this type of mass exposure of passwords, email addresses and personal details is far more common than most people think. A Queensland man by the name of Troy Hunt created a website, Have I Been Pwned, that lets you enter your email address to see whether it has been exposed in one of these breaches at any point over the past few years. Check both your personal and work email addresses against this database to see if they have ever been exposed, and take action as needed (see below). You may be surprised to find that, in most cases, your details have been exposed at some point in the last few years.
So you’re probably asking “what can I do?!” – the answer is relatively simple, but you may not like it. In our opinion there are two important measures that you should implement as soon as possible:
1. Use a Password Locker + randomly generated passwords: Password lockers are fairly self-explanatory, and you’re probably using them in some form or another with your mobile devices (e.g. iCloud Keychain) or your computer’s operating system. They’re usually cloud-based services that store all your passwords for you, and will more often than not generate your new passwords for you too. This is useful because it solves a couple of issues that we have:
a) coming up with hard to guess (impossible really) passwords for your accounts, and
b) not needing to remember these since most of these password lockers offer some form of integration with your favourite operating systems or web browsers.
There are a variety of offerings available for password lockers such as LastPass, Dashlane, 1Password, Keeper and many others. Some are free and are great for personal use, but you should ensure that if you’re implementing this across your business, that you find one that allows for a solid foundation of password sharing, team / user managing and control, and works across the technology (operating system/s, browsers etc.) that your business uses. We use LastPass here at Driven, and it has proved to be a great way of keeping track of all our business logins, and it generates unique passwords for each new account we create.
2. Two Factor Authentication (2FA): So how do you protect your password locker? You’re probably thinking that the above tool is all good in theory, but you obviously need to password protect… your passwords. How do you stop someone getting that password and then gaining access to all others? Well firstly, we would recommend making sure that whatever password you use for this purpose is only used for your password locker, and absolutely nothing else. But let’s just pretend for a minute that your password for your locker was somehow discovered and a hacker tries to log in to your account.
You can prevent this from happening, especially on a new device or browser IF you have something called Two Factor Authentication (also known as 2FA, two-step verification, or dual factor authentication) enabled. This simply puts a verification step between the correct details being entered, and actually gaining access to the system. It will most commonly require either an email link, SMS code, or other type of verification code to be entered along with the correct email address and password. This ensures that you are the one trying to gain access to the account, and while it means there’s just one more thing to do – it is one of the most effective ways of protecting yourself against unwanted intrusions and account access.
This of course isn’t just for your password locker, so it should be enabled on every login that supports it. Most platforms offer it as a feature these days (Gmail, Amazon, etc.) – you just have to go into your privacy and security settings and enable it. Our recommendation is to avoid SMS verification if possible, since it relies on your phone number which, as it turns out, is also easy for hackers to get access to. Without going into too much detail, apparently a convincing phone call to your telco along the lines of “I’ve lost my phone and got a new SIM card, can you please port my number” can be enough. We suggest listening to this episode of Reply All for a lot more insight into the topic and what can happen to your personal accounts and data when the wrong people get their hands on them. We tend to use an authenticator app (Google Authenticator on Android or iOS), which generates time-based codes much like the hardware tokens from the early days of online banking, and which you enter along with your login details.
So how does this relate to your WordPress site? In case it’s not clear – your site more than likely uses a simple username (email) and password form of authentication. In today’s landscape this isn’t enough. Most of our clients’ websites use the free version of WordFence at the least to have a basic additional layer of monitoring and security, and while it does a lot out of the box for free, it will only take you so far. Apart from full scanning, removal of malware, IP blocking (more on that later), and other security useful features, WordFence Premium offers Two Factor Authentication as an option. We’ve been working with clients on purchasing this version of the plugin, and mandating 2FA for all WordPress users of the site. Along with the proper use of a business or team password management tool, you are greatly minimising the chances of unwanted access to your site (and everything else).
Part 2 of our WordPress security review will look at other types of vulnerabilities that you as a site owner should be aware of, and what you can do to help minimise the risk and protect yourself against these problem areas, so stay tuned.
In the previous article ‘User experience design: an overview’ we discussed the importance of supporting task associated interactions. Users visit a website not to read every word on the page, but rather, to find something specific and of relevance to them. There are some key guidelines for writing copy for the web which experts in the field have found to be most effective for usability.
Writing web content is quite different from writing for print. In print, storytelling can spice up the content, entertain and persuade a reader that’s in a relaxed setting with more time to take it in. In the web arena, the content must be brief because users are in task mode, on a specific mission and time poor.
It makes sense then that web users prefer writing that is succinct and easy to scan. They don’t respond well to marketing promotional style writing as this is just a level of frill that separates them from the point. By providing text that is succinct, easily scannable and compact, the user’s cognitive load is reduced allowing for more efficient processing of the information.
Here are a few basic tips to help with writing for the web:
1) Paragraphs should contain no more than 3-5 sentences. It’s much easier to consume a small paragraph of information than a large block of text.
2) Start sentences with the most relevant words, don’t leave them until the end of the sentence. Users scan down the left side of the paragraph, so the words at the end of the sentence are often missed.
User experience experts applied these principles to an existing site and reported a 124% increase in usability. This was measured in task time (80% better), task errors (809%), memory (100%), and subjective satisfaction (37%). The full report can be viewed here.
3) Use hyperlinks as navigational tools. Think of links within the copy as sign posts. They stand out within the copy and if described well, can provide information about what is on the linked page and gives users an idea of where they might want to go next.
These 3 tips are just the beginning of writing for the web, but hopefully provide a useful overview for those starting out. For further reading try ‘Letting Go of the Words: Writing Web Content that Works’, 2nd edition, by Janice (Ginny) Redish.
UX is any aspect of a person’s interaction with the interface and graphic elements of a website. Although visual design aesthetics play a role in this, UX relates primarily to ease of use. Can the person find what they’re looking for? Can they get to where they need to be quickly and with minimal frustration? Websites that make people feel confused and frustrated are less likely to be used. If that website is an online store, it means lost revenue. If that website is your company’s online profile, your brand can be perceived as unhelpful.
The main principle of user experience design is to support task associated interactions. What does this mean? The user (person) is almost always in task mode. They might be looking for specific information about what your business offers, how much something costs, where you’re located, whether you provide free shipping.
Users don’t visit a website to read every word on the home page or to view each and every page of the site. They’re looking for something specific and of relevance to them. They do this by scanning the page as quickly as possible, picking out key words and clicking on areas they think may help them achieve their goal.
There are many tried and tested ways to support task associated interactions through careful user experience design. Over the coming months I will be writing about some of these findings from experts in the field. The first will relate to writing copy for the web. Since we know users scan the page quickly during their tasks, it makes sense that copy should be written to support the user. The next article will discuss effective ways to do this.