The five words any developer dreads hearing: “Our site has been hacked.”
No one really wants to admit to having a lot of experience dealing with sites that have been hacked because it raises the question: “How did the site get hacked in the first place?” (We will address that later.) In the meantime, if your WordPress site has been hacked, here are nine steps you should take.
Step 1: Don’t panic. If we are dealing with your typical hackers, your site should be up and running again by the end of the day. Now it may take you all day to get there, but there is hope.
Step 2: Find help online. WordPress has an in-depth, dedicated article precisely for this scenario. Read it and outline a plan for restoring your site.
Step 3: Locate the source. Search for code containing spam links and for files that you didn’t create. Run scans like the free ones provided by Sucuri, and use plugins like Anti-Malware and Brute-Force Security by ELI.
At this point, you might be wondering why your site was hacked in the first place. Rest assured that it was likely a crime of convenience and likely not because you were specifically targeted. Sucuri has written a great article that provides complete insight on this subject.
Step 4: Clean it up. Once you’ve located the malicious code, get rid of it! We also recommend cleaning your theme as well as ditching all the core WordPress files and replacing them with a fresh version. (Make sure not to delete your “uploads” folder, or all your images and documents will be gone.)
Step 5: Lock it down. Determining the hacker’s entry point is not easy, and you may never find it. Regardless, it’s time to lock your site down, so they can’t get in any of the doors or windows again. Here are just a few steps to increase the security of your site after you’ve ensured all the malicious files and code have been removed.
- Change your FTP password
- Change your WordPress password
- Install security plugins like Wordfence
Step 6: Restore your reputation. If your site has been hacked, it’s likely been flagged by Google and is either noted as a hacked site in search results or blacklisted altogether. To get back on Google’s good side, you will want to sign up for Google Developer Tools, verify your site, recrawl the site and submit it to be reviewed.
Step 7: Keep it clean. Whew! Your site is finally clean and free of malicious code. Now what? Here are a few things you can do to keep your site safe.
- Continue using security plugins like Wordfence
- Keep WordPress and your plugins up to date
- Avoid using the default “admin” as your username
- Always use strong passwords
- Change the default login page to a unique URL
Step 8: Back it up. Now that you have a clean version of your site, make sure to back up your files and database, so you have them if you ever need them in the future.
Step 9: Pour yourself a drink. Exhale. Your site is clean and secure. Keep an eye on your security scans, but if you’ve taken the correct precautions, hopefully you can avoid any breaches in the future.
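A small triage helper for Steps 3 and 4, added here as an example and not the post’s own tooling: it flags PHP files under the uploads folder (which should hold media only) and core files whose contents differ from a known-good release manifest. The manifest is an assumption; here it is built from a constructed miniature install that is then tampered with the way the post describes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def php_in_uploads(site: Path) -> list[str]:
    """Step 3: uploads should hold media only, so PHP there is a file you did not create."""
    uploads = site / "wp-content" / "uploads"
    return sorted(p.relative_to(site).as_posix() for p in uploads.rglob("*.php"))


def modified_core_files(site: Path, manifest: dict[str, str]) -> list[str]:
    """Step 4: core files that differ from the release manifest (hypothetical
    sha256 map, path -> digest), plus PHP in core directories the release never shipped."""
    suspect = set()
    for rel, expected in manifest.items():
        p = site / rel
        if not p.is_file() or sha256_of(p) != expected:
            suspect.add(rel)
    for core_dir in ("wp-admin", "wp-includes"):
        for p in (site / core_dir).rglob("*.php"):
            rel = p.relative_to(site).as_posix()
            if rel not in manifest:
                suspect.add(rel)
    return sorted(suspect)


def build_sample_site() -> tuple[Path, dict[str, str]]:
    """Constructed sample: a clean miniature install, hashed into a manifest,
    then tampered with in the ways the post describes."""
    site = Path(tempfile.mkdtemp())
    clean = {
        "wp-admin/index.php": "<?php require_once 'admin.php';",
        "wp-includes/version.php": "<?php $wp_version = '3.9';",
        "wp-content/uploads/2014/04/logo.png": "fake PNG bytes",
    }
    for rel, body in clean.items():
        (site / rel).parent.mkdir(parents=True, exist_ok=True)
        (site / rel).write_text(body)
    manifest = {r: sha256_of(site / r) for r in clean if not r.startswith("wp-content")}
    # Tampering: PHP dropped into uploads, a core file appended to, a stray core file added.
    (site / "wp-content/uploads/2014/04/cache.php").write_text("<?php /* planted */")
    with (site / "wp-includes/version.php").open("a") as fh:
        fh.write(" /* appended */")
    (site / "wp-includes/class-wp-helper.php").write_text("<?php /* not shipped */")
    return site, manifest
```

On a real install the manifest would come from the matching WordPress release, and anything the two checks report is what Step 4 tells you to remove or replace.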
Last week, I received a short but polite text message from “Janet Thomas.” She said that she was hearing impaired but would like to discuss a new website for her business. This didn’t seem too unusual, but I was a bit skeptical. I asked her to email me full details about the project and budget, and we could continue the conversation from there. Janet followed through and emailed a very thorough list of what she needed. She answered all my questions in good detail, telling me that her Tennessee business is “based on importing and exporting of Agriculture products such as Kola Nut, Gacillia Nut and Cocoa.” She already had hired someone to do her logo and content, both of which were ready to go.
Based on her answers, her legitimacy started to increase slightly. However, there were still a few red flags. First, her email address was very suspect. It wasn’t a business email address; instead, it was email@example.com. (An email address with a name followed by a number at Gmail, Yahoo, Hotmail or a similar provider is often associated with spam.) Second, her phone number had a Nevada area code even though her business was supposedly in Tennessee. Third, her grammar and punctuation were less than perfect. Nevertheless, I thanked her for her reply and asked some more targeted questions, including requesting a site map, which is something I assumed her content writer could easily provide. Lastly, I asked her which of our past or present clients had referred her to us, so I could thank them (95% of our work comes through referrals, so I always ask this question). Up to this point, the red flags were at half-staff. But her response? Well, that’s when the red flags were fully raised.
Although she did an impressive job answering my questions, her “site map” did not match some of her earlier requests. Then the final hoist of the red flags occurred when she said she found us on “a local Google.” Um, yeah.
I had already searched online for her name, Gmail address and business (which returned no results), but I decided to use our “local Google” to do a little more sleuthing. I Googled something obscure from her message, and it turns out the good ol’ Gacillia Nut (or lack thereof) is what revealed Janet’s true colors. That’s when I found a handful of results with similar stories to mine.
For the people who didn’t realize it was a scam (or chose to proceed to see how far it’d go before reporting it to the authorities), the stories all had similar endings. Janet (or Paul, Brad, Tara or some other generic name) immediately agreed to the estimate and offered to pay right away… however, she had one minor favor to ask. She needed to pay you significantly more than you requested and asked that you would, in turn, use the extra money to pay her other “contractor.” When questioned about this, she often has a story about being out of the country or in the hospital (oh, poor Janet!). From what I read, most people halted at this point (thank goodness), recognizing it as a money laundering scam and stopping “Janet” from pocketing the money.
What surprised me most about this scam was how targeted and precise the original request was, as well as Janet’s dedication to answering all the specific questions I asked. I just hope the next person that “Janet Thomas” contacts has read this post first, and it saves them from entertaining a similar work request or from any possible implications of being tied inadvertently to a scam.
Meanwhile, if a Gacillia Nut really does exist, best of luck to it because its reputation is shot, and its SEO has gone down the drain!
I will admit it is nice when a client trusts us so completely that they will provide online access to anything and everything we might need for their projects. At the same time, I’m always surprised how easily people share their private information without a moment’s pause. It makes me cringe and wonder if they are always so free in giving out this information.
I am sure that if I asked for their Social Security number, I would receive gasps of disbelief, and yet…
- I’ve had a total stranger (not yet a client) give out administrative access to their WordPress account.
- I’ve had numerous people provide full admin access to their hosting account.
- I’ve even had clients send me (unsolicited) the username and password to their PayPal account, which includes their banking information.
As much as we all wish there weren’t people out there who would take advantage of these types of situations, there are. As Stephen King puts it: “The trust of the innocent is the liar’s most useful tool.”
That being said, I think the primary reason so many people give this information up is because they become intimidated by the requests they might get from website developers, so they just give free rein to any and all of their website information. But this is unwise and not necessary.
So how do you protect yourself from making this same mistake? Follow these tips:
- Create an FTP user for third-party developers only. Your hosting provider should be able to give you simple instructions on how to do this.
- Create a WordPress user for third-party developers only. WordPress gives instructions on how to do this.
Creating these types of developer accounts gives you control to change or delete the accounts at any time, especially if you think your security is at risk. It also allows you to track (and sometimes undo) changes, since there are people with good intentions (but little web experience) who can accidentally make a mistake in a control panel that is not easy to undo with a shared account.
You can also protect yourself by following some simple rules regarding your passwords:
- Use strong passwords. Include symbols, numbers, uppercase letters, etc.
- Don’t use the same password for everything. For example, don’t use the same password for your bank account that you use for Pinterest.
All in all, your online accounts are something you should protect with the same diligence as you would your home, car and other personal property. Make sure if you do provide an all-access pass to someone, you have established trust…and a contract.
By now, you have probably heard of the Heartbleed bug that puts users’ passwords on dozens of popular websites at risk because of a security vulnerability in OpenSSL software.
The depth and breadth of this bug is quite massive, so we wanted to give our clients some advice on what to do and any services of ours that may have been affected.
First and foremost, whether you are a client or not, it’s strongly advised you change your passwords on the sites that have been affected. You can find a clear and extensive list in this table at Mashable.com.
Next, for clients who host with Jackson Sky (on our servers at Media Temple), rest assured that the services we use at Media Temple (GRID and dv 4.0 Server) were not vulnerable or affected.
Lastly, it seems that the security of WordPress against this bug depends largely on your hosting provider, so you will need to check with them about whether they were affected. (Again, our servers with Media Temple were not.) If they were, you will want to change your admin passwords immediately. You will also want to update your WordPress to the most recent version, which has the strongest level of security.
We don’t think this is the last we will hear of Heartbleed, so please stay tuned for any additional updates and information.
Who wouldn’t like infographics? They require little reading and are pretty to look at. But they are also a great asset to the companies that distribute them. Sure, Google can’t index the information on an infographic image itself, but it can search and index the content around it… especially as it spreads via all the online social outlets.
Take for example the recent infographic we did for VenueSeen, which analyzed the statistics regarding Instagram photos taken at Major League Baseball parks during the first four weeks of the season. The infographic was originally posted on the VenueSeen blog and soon was picked up by Mashable. Within 24 hours, the article on Mashable had been shared across a variety of social outlets including the following:
- Twitter / Tweets: 1.5K
- LinkedIn / Shares: 350
- Facebook / Likes: 334
And that’s just from the posting on Mashable. The same day, the infographic was also featured on the ESPN blog, where it was also then liked, tweeted, etc. Thus, the SEO snowball effect begins.
If you are thinking about whether an infographic is right for you, here are some tips to follow:
- Infographics require research. They are a representation of stats and facts, so be sure to do your homework.
- Host the infographic on your domain.
- Use proper file names, alt and title tags.
- Provide an embed code (that links back to your site), so people can easily share it on their site.
- Include your company’s name somewhere on the graphic. It doesn’t have to be huge, but you want people to know where it came from, especially if the original link back to your site gets lost along the way.
- Share it via your own social media accounts. Track the results, so you know what sharing methods were the most successful.
- Enjoy the process.
- Don’t be discouraged. Not all infographics spread like wildfire.
Shown below is the infographic we designed for VenueSeen. We hope others enjoy it as much as we enjoyed creating it.
Ever tried to check a website on a smartphone and noticed you need a magnifying glass to read it, or you have to zoom in and do a bunch of scrolling left and right, up and down? This is probably because the site was intended to be viewed on a monitor and not a phone or tablet. The fact of the matter is, up until recently, mobile device design has been an afterthought. But times are changing, and with the popularity of smartphones and tablets, the need for a mobile presence has moved more to the foreground. Luckily, in the past couple of years there have been some major advances to get over this mobile hump.
Before I discuss the answer, I want to give you the brief evolution of mobile design. The first thought, besides just displaying a shrunken version of a site, was to have a secondary site meant for just mobile devices. These sites would be trimmed down versions of the site that would render on small screens. There would be a special function that would check to see what you were viewing the site on and then decide which version to display for you, the normal website or transfer you over to the mobile site. This was a good idea but not great. There were some downfalls to this. Let’s say you saw something on your phone that was interesting, and you wanted to send it to a friend. You’d copy the link and paste it either in an email or a text message. If your friend opened the link on their computer instead of their phone, it would open the mobile site on a full monitor. This would usually look quite awkward on such a large display.
Another downfall came as devices evolved into small displays (but not pocket sized) such as those found on tablets. A developer could make a third version with the dimensions of the tablet… but wait, which tablet are you looking at it on? An iPad? A 7-inch Android? Maybe a 10.1-inch? As more devices were made, so were more sizes of screens. Making a specific website version for each size became a much bigger task than originally thought.
So what was the answer? To misquote Lord of the Rings, “one site to control them all”… the idea of one site that renders differently depending on the device you are viewing it on. This approach is called Responsive Web Design (RWD). So instead of having multiple versions of a site for each device, you have one single site that looks different depending on the size of the screen you are displaying it on. One site that will look nice on a large monitor, small monitor, tablet or phone: the best of all worlds.
Jackson Sky’s website is now using RWD. Check it out for yourself. Bust out that iPhone, go to our site and compare it to what you see on your monitor. Ok, ok, too lazy to get out your phone? How about just resizing the site on your monitor? You’ll notice that as you shrink it or enlarge it, the site will change and make adjustments, so viewing always feels like it’s at the right size.
Do you want to move your web presence to the next level and into your pocket? Maybe Responsive Web Design is the thing for you. Jackson Sky is now offering mobile packages to help you be seen by people who can’t carry a monitor with them everywhere they go. Drop us a line if you’d like to discuss some possible options for your site.
The topic of web-friendly fonts has come up a few times recently in the presentation and early stages of the web design process. In a perfect design world, every font could be read by every browser, and the topic of web safe fonts would not be an issue. But as long as there are different operating systems and different browsers, it cannot be ignored. For this reason, I have put together the following reference list of common web-friendly fonts that can be checked across multiple browsers and platforms. They are listed here as HTML text in 24pt and 12pt font sizes.
- Lucida Grande
- Times New Roman
- Century Gothic
- Courier New
- Arial Black
- Arial Narrow