Category: Best practice

An SSL certificate does NOT mean you have a secure website

Is that news to you? If it is, you really MUST read this.

I’ll keep it short and sweet and keep technical jargon to an absolute minimum.

You need an SSL certificate but it really does not mean your website is secure. Let me explain…


[Image: SSL certificate, TLS secure connection]

Cryptographic protocols: the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), allow secure communications over the internet. The padlock (and, in some browsers, the green word SECURE) in the address bar of this site tells you two things: the server has proved that it holds the private key for a certificate issued for this domain name, and the traffic between your browser and the server is encrypted so that no one can read or tamper with it in transit.

SSL/TLS certificates ensure a secure connection. That’s it.

They do not ‘secure’ your website.

SSL/TLS certificates are issued by a Certificate Authority (CA). Before issuing one, the CA verifies that the applicant controls the domain name; for the more expensive organisation-validated and extended-validation certificates it also checks the identity of the organisation behind the site. When you connect to a site with a certificate the browser goes through a series of checks: the certificate chains up to a CA the browser trusts, it is within its validity dates, and one of the names in it matches the domain you typed. Only if all of those pass does the browser complete the connection and show the padlock. None of those checks look at the website's code, its plugins, its passwords or its server configuration.
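Here is what those browser checks look like in code. This is an added example, not from the post: it reproduces the name-match and validity-period checks against a constructed certificate record in the shape Python's ssl.getpeercert() returns (the names and dates are made up), and leaves chain validation to the TLS library. Notice that nothing in it touches the website itself.

```python
"""Added example, not code from the original post: the checks a browser makes
on a server certificate, applied to a constructed record in the shape that
ssl.SSLSocket.getpeercert() returns (it is not a real certificate)."""
import socket
import ssl
import time
from typing import List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name match: exact match, or a wildcard that
    replaces exactly one leftmost label (so *.example.com covers
    www.example.com but not example.com or a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate is valid for. Browsers use subjectAltName;
    the commonName fallback is only for old certificates without one."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons a browser would refuse this certificate for this
    hostname (an empty list means it would show the padlock). Chain validation,
    the signatures up to a trusted root, is done by the TLS library and is
    assumed to have passed before this function is reached."""
    now = time.time() if now is None else now
    problems = []
    if not any(hostname_matches(name, hostname) for name in cert_names(cert)):
        problems.append("no name in certificate matches " + hostname)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems


# Constructed sample (assumed values; names and dates are illustrative only).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")
ONE_YEAR = 365 * 86400


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live variant (needs network): the default context already enforces the
    chain and hostname checks, so getpeercert() returning at all means the
    browser-style checks passed. Nothing here inspects the web application."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "www.example.com", MID_2024))         # []
    print(check_certificate(SAMPLE_CERT, "evil.example.net", MID_2024))        # name mismatch
    print(check_certificate(SAMPLE_CERT, "example.com", MID_2024 + ONE_YEAR))  # expired
```

Every check is about the name, the dates and the chain. A site with a hacked plugin, a listable uploads directory and an admin password of "password" passes all of them and gets exactly the same padlock.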

Filed under: Best practice, GDPR, Security

Are you gambling on your data security?

Has your web developer left the back door open?

Your web developer has a responsibility to make sure that you receive the right advice about your data security, so that your business does not inadvertently expose sensitive data. There are tens of thousands of so-called WordPress developers. They most often use WordPress because it is easy to build a site and, crucially, you don't have to know how to code, program or use a database. They just point and click. This is how nearly all WordPress websites are created. This is also where nearly all of the vulnerabilities creep in.

If your directories are not secured, their contents will be accessible to anyone, including Google, a hacker or even a competitor. If Google has not been specifically told not to index something, and nothing stops it reading the files, it simply sucks it up and makes it available to find in a search.
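A quick way to find such directories before Google does is to audit the document root from your hosting shell account. The script below is an added example (not from the post or from any WordPress tool) that walks a constructed WordPress-like tree and lists every directory that has no index file and is not covered by an Apache "Options -Indexes" directive; the .htaccess handling is deliberately simplified (the nearest .htaccess that mentions Indexes decides) and nginx, which uses "autoindex off", is not modelled.

```python
"""Added example, not code from the original post: a local audit for
directories the web server could list. It walks a WordPress document root
and reports directories that have no index file and are not covered by an
'Options -Indexes' line in a .htaccess at or above them. Apache semantics are
simplified (the nearest .htaccess mentioning Indexes decides); nginx uses
'autoindex off' and is not modelled. The sample tree is constructed."""
import os
import re
import tempfile
from typing import List, Optional

INDEX_FILES = {"index.php", "index.html", "index.htm"}
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)


def listing_set_by_htaccess(root: str, directory: str) -> Optional[bool]:
    """Walk from `directory` up to `root`. Return False if the nearest
    .htaccess that mentions Indexes disables listing, True if it enables it,
    None if no .htaccess says anything (the server default then applies)."""
    current = directory
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    match = OPTIONS_RE.match(line)
                    if match and "indexes" in match.group(1).lower():
                        return "-indexes" not in match.group(1).lower()
        parent = os.path.dirname(current)
        if os.path.samefile(current, root) or parent == current:
            return None
        current = parent


def audit_listing(root: str, server_default_listing: bool = True) -> List[str]:
    """Root-relative paths of directories a browser (or Googlebot) could list."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if INDEX_FILES & set(filenames):
            continue  # the index file is served instead of a listing
        verdict = listing_set_by_htaccess(root, dirpath)
        if verdict is None:
            verdict = server_default_listing
        if verdict:
            exposed.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_site() -> str:
    """Constructed WordPress-like tree for the demonstration (no real site data)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "index.php": "<?php // front controller",
        "wp-content/uploads/2018/report.pdf": "",        # no index file: listable
        "wp-content/plugins/index.php": "<?php // Silence is golden.",
        "wp-content/plugins/myplugin/main.php": "",       # sub-directory without index
        "wp-content/themes/.htaccess": "Options -Indexes\n",
        "wp-content/themes/mytheme/style.css": "",        # covered by the .htaccess above
        "backup/db.sql": "",                              # the classic leak
    }
    for relpath, body in layout.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for entry in audit_listing(site):
        print("listable:", entry)
```

Run it against the real document root (audit_listing("/var/www/html"), for instance) and fix each hit either with a blank index.php in the directory or, better, a single "Options -Indexes" at the top level. A robots.txt entry is not a fix: it asks well-behaved crawlers to stay out, and says nothing to a hacker or a competitor.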

So is it data security protection ignorance or arrogance?

If you don’t know how WordPress works under the bonnet, you can’t fix it, so it’s mostly ignorance. But if you don’t even think it’s a problem, and you’ve never bothered to look into it, then that is perhaps arrogance. In what I do, I come up against the latter all too often. Developers with vulnerable sites are just not interested; they are not taking data security seriously, as I keep finding out. The new GDPR rules should help, but only if developers take notice.

How do you check your website?

I have put together a handful of tests to help you. They are completely free to use and you’ll find them here: https://formapps.co.uk/wordpress-website-testing/

Or, you can drop me a line and I’ll take a look for you, in confidence of course.

How do you get it fixed?

Fortunately for most websites it’s not a massive job and can be secured fairly quickly, depending of course on the vulnerabilities. But don’t leave it to chance. Get secured now.

Please share this article and help raise awareness of these issues.

Thank you for taking the time to read this and I hope you stay safe and secure.

Filed under: Best practice, Business, GDPR, Security

How to get straight to number 1 on Google in just 5 days

The secret of great SEO

I put this site live on the 23rd November. On the 28th I was number 1 on Google for several of my top keywords.

I am straight in at number 6 for WordPress SEO Norwich – given that keyword is competing against dedicated SEO companies I don’t think that’s too bad at all.

How did I do it?

Firstly, I have a niche, but I expect you do too. I am also in one of the most competitive arenas, given that my competitors are in the same industry and we all know a bit of SEO. Unless you are trying to get keywords like ‘car insurance’ to number 1, I think this is going to work for you. However, unlike ‘SEO companies’, I offer no guarantee, because it is not possible to provide one when you rely on a third-party system over which you have absolutely no control, in this case Google.

I am using a location qualifier in my searches, but as we know, most people do. So, I search for my keywords followed by location e.g: WordPress Expert Norwich

Update, 5th December 2017: I am currently ranking 1st in the natural listings, below the map, for WordPress Norwich.

What SEO trickery am I using?

This is a very important question. The answer is none.

  • I am using no backlinks apart from a few references from sites that I have developed and a link on Twitter, Facebook, and Linkedin.
  • There is no hidden copy.
  • I am not stuffing my pages with keywords, it is all human readable.

Ok, so no trickery, then what’s the edge?

  • I am using open honest techniques.
  • I have a fast, highly optimised website.
  • I have a secure website which has been set-up correctly.
  • Google likes all of these things. It helps them serve up relevant, good quality content to their users, which is what their business is all about.

What keywords are ranking?

Here are the current Google rankings. I don’t expect you to take my word for it. Try the searches yourself.

Keyword                               Google position   Number of results
wordpress expert norwich              1                 332,000
wordpress specialist norwich          1                 279,000
wordpress security norwich            1                 392,000
wordpress GDPR norwich                1                 23,900
wordpress hacked norwich              1                 419,000
wordpress consulting norwich          1                 226,000
wordpress disaster recovery norwich   1                 86,200
GDPR expert norwich                   3                 55,600
GDPR specialist norwich               3                 61,600
wordpress SEO norwich                 6                 219,000

Results may vary slightly depending on location and general shifts in Google rankings.

How can you improve your website for SEO?

It’s a combination of great website speed and performance, website security and security headers, good site structure and well written, optimised content.

It only takes a few seconds to run your website through these security and performance tests to find out whether your website could be improved.

I have been running these optimisations on client sites recently and getting continuously excellent results in just a few days.

Filed under: Best practice, Performance, SEO

What is the real cost of a hacked WordPress website?

Ever wondered how much it would cost if your website got hacked?

The real cost of a hacked WordPress website could be much, much higher than you ever imagined.

Ok, so it’s hard to put a value on a website, especially without any information. You may have paid little for it, you may have paid a lot, but if you’ve developed it over time it’s probably worth a lot more than you paid for it. If your website works, even if not as well as you would like, it’s worth more than you think. Here’s why:

  • Your SEO – you will have a Google ranking and you may have invested in SEO
  • Your content – you may have developed a blog, content, products, services – it all adds up
  • Your customers are finding you and using your website to purchase directly or get background information
  • Your brand and goodwill – it’s all tied up in your website

If you had to redevelop it all from scratch, how long would it take?

So, let’s take a rough guess at how much it would cost if your website got hacked.

My findings are based on allowing my own website to get hacked just to find out what would happen. Yes, I really did that, and you can read about it here.

Let’s take a website that generates £100,000 a year in revenue and has been in existence for two years. It is a purely arbitrary figure to help present a case. It could be an e-commerce store, a site that generates leads, or a brochure site that backs up your proposition.

The true cost of a hacked WordPress website

  • New website (£5,000): You will need a new website designed and developed. It will need to be much more secure than the one you just lost, and it will have to be GDPR compliant. Some data recovery may be possible.
  • Lost trade (£19,230): A sensible new website development is unlikely to take less than 8 weeks, and you will probably spend a couple of weeks finding a good web development agency and writing the brief. That is 10 weeks of lost trade, or 10/52 of £100,000.
  • Lost SEO rankings (£20,000): You will need to start all over again, and that takes time to build. I have allowed what is probably a modest 20% drop in sales over the next 12 months.
  • Original site cost (£3,000): Let’s assume that you paid £3,000 for the original site that got hacked.
  • Website developments (£12,000): Over the last two years you may have paid for SEO work, content writing, social media marketing, product and service development or adding e-commerce products to a database. There could be many other elements, so I’ll take a figure of £500 a month in added value to the site over 2 years.
  • Goodwill (£10,000): It’s very hard to put a price on this, but you could lose trust in your customer base and suffer a dent in your business reputation. I’ll allow 10% of the turnover while you rebuild that trust.
  • Total (£69,230): This is what it could actually cost you if your website gets hacked.

I know this is highly speculative, but it does give a good impression of the kind of losses from a hacked WordPress website that you may not have considered. This is before any fines and hidden costs that could be incurred through failure to comply with GDPR.


Filed under: Best practice, Security

I let my WordPress website get hacked to help you avoid it

It is no longer a question of IF but a question of WHEN.

This is not speculation, this is fact. I believe in hands-on experience. I allowed it to happen so that I could see what happens and further my knowledge. What better way to advise you on how to prevent a hack in the first place?

Two years ago I took the security off my site and waited. Two months later I was hacked. Yes, this is what I wanted. Then I watched and waited to see what would happen.

In the first instance you probably will not know that you’ve been hacked.

The early hack could easily have gone unnoticed. If you don’t do what I do for a living, then you would never have noticed it. A seed was planted and it sat dormant for a few weeks. Then, at a point when it was most likely all my backups would have been infected, the seed sprouted.

One month later there were 20,000 pages on my site. Yes, that’s TWENTY THOUSAND. All these pages were affiliated with various offerings where the hacker stood to gain a commission on any sales that were redirected. Literally spammed affiliate linking.

Then the website was Blacklisted and everything was lost.

A couple of weeks later Google’s algorithms spotted this and blacklisted my site. Once Google had done that, other blacklisting sites followed suit. So, if you tried to access my site you simply got a red screen informing visitors that the site was unsafe and infected with malware.

I lost all Google rankings and the entire content of my site. All the back-ups were corrupted.  I lost everything. This was great news because now I could work on getting a hacked site back again, but that’s another post.

If it was your website, how would it fare, and what would be the true cost of a hacked website?

How do you make sure that your website is safe?

Simply run your website through these free security tests. It only takes a few seconds.

If you fail these tests you could fall victim to a hack at any time. This could have serious implications for your business.

Do you collect contact, customer or enquiry information via your website? If so, leaving it exposed like this means you are not exercising the due diligence GDPR requires of you in protecting your customers’ data.

Filed under: Best practice, Security

The easiest way to detect if WordPress is not secure

How easy is it to find your login page?

[Screenshot: the WordPress wp-admin login screen]

If you can type /wp-admin after your domain name and get the standard WordPress login screen shown above, then please read on and find out how easy it could be to hack into your site.

What about the username and password?

Now we need the login credentials. Both of these could be brute forced fairly easily, especially if the first user still has the default user ID of 1 and the default username admin. But what if we could find the username without guessing at all?

It may be easier to find your login ID (username) than you think. Scan your site with the Hacker Target WordPress Security Scan and see if your User IDs are available. You are looking for something like this:

[Screenshot: scan output showing exposed user IDs]

Is user enumeration possible? That is to say, are your user IDs showing, similar to the screenshot above?

If so then all it takes is a brute force attack on your password field, and that is a lot easier than you could probably imagine.

What is a brute force attack?

A brute force attack is an automated script that guesses your password. Usually this means trying each entry in a list of known or common passwords against the login form until one of them works.

Statistically, there’s a 91% chance that your password is within the first 1,000 on a list of 10,000 passwords which is freely available on the internet. So, it will probably only take a couple of minutes to hack your website this way.
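Both steps leave a trail in the web server’s access log. The following added example (not from the post) scans constructed combined-format log lines for an IP address that walks through ?author=1, 2, 3 and so on and then fires a burst of POST requests at wp-login.php; the thresholds are assumptions and should be tuned to the site.

```python
"""Added example, not code from the original post: spot the two steps the post
describes, username enumeration through ?author=N and password guessing
against wp-login.php, in a combined-format (Apache/nginx) access log.
Thresholds and the log lines are assumptions made for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Optional[dict]:
    """One combined-format line to a dict, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines, login_threshold=10, window_seconds=60, enum_threshold=3) -> Dict[str, List[str]]:
    """Return {ip: [findings]} for IPs that enumerate authors or hammer the login form."""
    logins = defaultdict(list)     # ip -> timestamps of POST /wp-login.php
    author_ids = defaultdict(set)  # ip -> distinct ?author= values requested
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            logins[rec["ip"]].append(rec["ts"])
        match = re.search(r"[?&]author=(\d+)", path)
        if match and rec["method"] == "GET":
            author_ids[rec["ip"]].add(match.group(1))

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings[ip].append("author enumeration: %d distinct author IDs" % len(ids))
    for ip, stamps in logins.items():
        stamps.sort()
        # Sliding window: the largest number of login POSTs inside any window_seconds span.
        start, peak = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= login_threshold:
            findings[ip].append("login brute force: %d POSTs to wp-login.php in %ds"
                                % (peak, window_seconds))
    return dict(findings)


def sample_log() -> List[str]:
    """Constructed lines: one attacker (203.0.113.9) enumerates authors 1-5,
    then fires 25 login POSTs in 25 seconds; one real user logs in once."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    for n in range(1, 6):
        lines.append(fmt.format(ip="203.0.113.9", ts="01/Dec/2017:10:00:%02d +0000" % n,
                                method="GET", path="/?author=%d" % n, status=301))
    for sec in range(25):
        lines.append(fmt.format(ip="203.0.113.9", ts="01/Dec/2017:10:01:%02d +0000" % sec,
                                method="POST", path="/wp-login.php", status=200))
    lines.append(fmt.format(ip="198.51.100.4", ts="01/Dec/2017:10:05:00 +0000",
                            method="POST", path="/wp-login.php", status=302))
    lines.append(fmt.format(ip="198.51.100.4", ts="01/Dec/2017:10:05:02 +0000",
                            method="GET", path="/wp-admin/", status=200))
    return lines


if __name__ == "__main__":
    for ip, notes in detect(sample_log()).items():
        print(ip, notes)
```

The ?author=N probes normally come back as 301 redirects to /author/<username>/, which is exactly how the username leaks; the same scan can be extended to GET requests for /wp-json/wp/v2/users, which lists users outright on a default install. A single failed login (status 200 on a POST) is a typo; twenty-five in under a minute from one address is the attack this post describes, and a lockout or rate limit on wp-login.php turns "a couple of minutes" into weeks.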

Feeling vulnerable?

I would. I know what can happen.

Filed under: Best practice, GDPR, Security