Charles Tips – Best practices for mitigating website hacks

We at CharlesWorks are often asked by our web clients if their site is protected from malware and getting hacked. They also want to know if their site IS hacked, whether there will be a charge to fix it.

The totally hack-proof website

The totally hack-proof website has no access to it. So it’s not connected to the Internet. No one can view it. Such a website doesn’t sound like it’s of much use if no one can see it.

So, let’s agree that it is unrealistic to believe that a publicly accessible website can be totally hack-proof. Any website that is accessible via the public Internet is consistently subjected to attempts to break into it. Believe it or not, that’s the norm as opposed to the anomaly.

That being said, however, there ARE things you can do to mitigate website hacks. I have to stress the word mitigate here. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something.

Site hacks are based on odds

My goal here is to simply remind you of what you most likely already know: that we can reduce the probability – the odds – of your site being hacked. We at CharlesWorks want that probability to be so low that hopefully it never happens to you.

The major hacking causes

I have been operating CharlesWorks since 1998. In my experience, there appear to be two major reasons why sites get hacked:

      • The access credentials/passwords have been compromised.
      • The software that operates them wasn’t kept up to date.

Let’s take a look at each of these below.

Compromised Access Credentials

Compromised passwords and bad actors gaining access to website login credentials is the major reason we see sites hacked. Think about this in terms of your car. You could have alarms on it. But if you make a copy of your car key and give it to someone, they can do whatever they like with the car. Whether it’s a drive along the beach or to rob a bank, your car is theirs to use with the key you gave them. Credentials – logins and passwords – work pretty much the same way.

CharlesWorks has many clients who want to be able to do things themselves. We are strong proponents of doing it yourself when it’s feasible and convenient. This is especially true for adding posts or page materials. It also makes sense when making other changes or modifications to your site. It is, after all, YOUR website.

However, many people fall prey to phishing schemes. Directly or indirectly, they usually end up tricked into giving out their website access credentials (as well as credentials to everything else they own). This is especially true if your email account is hacked and the hackers are able to access emails containing your website’s (and other) login credentials.

This problem is exacerbated if you have shared your website’s administrative or other access with others. Think of your emails containing various authorizations or login information as a potential weak link in a chain. If you have shared that information with others you have now created more weak links. This increases the odds of a potential compromise.

One of the best ways to mitigate these situations is to change your site’s access passwords so they are different than those possibly stored in your emails. And, to hope that anyone you may have shared your website access with has done the same.

Obviously, should site access be gained in such a manner, it would be your burden to have the site restored. I’ll expound upon this a little more at the end of this article.

Out of Date Security/Software Updates

Malware and virus protection on home computers operates a little differently than the same types of protection on servers. Website servers operate in the publicly accessible Internet. This results in many more entry points for potential issues. There are a number of very standard server protections available (which we utilize here at CharlesWorks).

After bad actors obtaining (or guessing) your passwords, the next major reason sites get hacked surrounds unapplied security updates and other software update issues. At CharlesWorks we mitigate such issues by running anti-malware software on our servers. Also, WordPress sites hosted on our servers are kept up to date automatically via automatic updating of the WordPress core as well as automatic updating of the website’s plugins and themes.
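The automatic updating of core, plugins and themes described above can be switched on from a small must-use plugin. The following is an added example written for this article, not CharlesWorks’ own code or configuration; the hook names are WordPress core filters and actions, while the file name under wp-content/mu-plugins/ and the use of the PHP error log are my own assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update everything (added example, not CharlesWorks code)
 *
 * Save this as wp-content/mu-plugins/auto-update-everything.php (assumed path).
 * A must-use plugin loads on every request and cannot be deactivated from the
 * dashboard, so a compromised or careless admin account cannot quietly turn
 * the updates off again.
 */

// Minor/security core releases are automatic by default; this also allows the
// background updater to install major core releases.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Opt every installed plugin and theme into background updates.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Record what the background updater did, so a failed update shows up in the
// server's error log instead of leaving an old, vulnerable version in place
// unnoticed. $update_results is keyed by type (core, plugin, theme, translation).
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $result ) {
            $name = isset( $result->name ) ? $result->name : 'unknown';
            $ok   = ( true === $result->result ) ? 'updated' : 'FAILED';
            error_log( sprintf( '[auto-update] %s %s: %s', $type, $name, $ok ) );
        }
    }
} );
```

Because the three filters return true for every item, a plugin or theme that breaks on a newer version will still be updated; pair this with the regular functionality checks the Checking Your Site tip recommends, and with backups that are taken before the updater runs.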

There are literally thousands of individual pieces of software that must work in unison to operate most websites. These are developed by many more thousands of developers around the world. Unfortunately, no company can guarantee that a website will never get hacked. They can only mitigate security compromises and hope against the worst.

Restoring your Website

Regardless of which of the two situations above may have led to your website’s issues, your website will most likely need to be restored. That’s because after a hack, back doors into the site will most likely have been installed so the bad actors can gain access again.

Many Internet companies claim to have automatic backups. In most cases, those backups are accessible to the user in their account. If the account is hacked, how safe do you suppose that is?

Some Internet companies delete an account upon a website being hacked. In those cases I have seen many left with no website or backup as a result.

What I believe is most important regarding this topic is the manner in which our WordPress sites are backed up every day for 30 days. Our backups are made to separate servers – external to those the site operates on. For security reasons, the site administrators do not have access to these backups. So even with a site administrator’s compromised passwords there is no access to the backups. With these backups we can usually restore an average site in about 10-30 minutes if it needs restoring. And we can go back as far as 30 days. We would only bill our web client for the 10-30 minutes (again – for an average website) which results in only a minor charge to restore it. (Note that some websites are extremely large and require much more time to restore, but these are very rare.)

In my experience running CharlesWorks since 1998, we’ve built and handled more than 5,000 websites. At this point in time, I do not recall the last time a website we built and totally maintained was hacked (unfortunately I recall several instances of sites maintained by others that failed to ensure the site was updated and/or had their passwords compromised).

Sites getting hacked because of out-of-date software happens far less frequently (if at all) when security updates are kept up to date and bad actors are kept out.

I hope this helps you understand a little more about this topic.

Charles Tips – Adding Custom Shortcodes to WordPress

I wanted to create a custom HTML code function, so I made one that will generate a line feed. I tested it to neaten up the output from my favorite WordPress statistics plugin: WP-Statistics by Verona Labs.

This shortcode gives the ability to add line feeds to WordPress page, post or report outputs to improve their readability. The function can easily be modified to generate any HTML output by doing this:

      • rename “newline” in the “add_shortcode” line to whatever you’d like the shortcode to be named
      • adjust the HTML code inside the quotes in the “return” line

In this example, we’ll create the line break shortcode.

Creating the Line Break Shortcode

Adding shortcodes in WordPress is easily accomplished by simply inserting the appropriate coding for the shortcode into your child theme’s functions.php file.

Note: Child themes should always be used. Changes made directly to the parent theme’s files are usually overwritten each time the parent theme is updated.

To add the code, first back up your site and then do the following:

      • Log into the WordPress Dashboard as an administrator
      • Navigate to Appearance > Theme Editor
      • Select Theme Functions (functions.php) under Theme Files in the right column
      • Add the short function code lines below

/* -- Start of line break shortcode --*/
function line_break_shortcode() {
    return '<br />';
}
add_shortcode( 'newline', 'line_break_shortcode' );
/* -- End of line break shortcode --*/
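The article notes that the function can be modified to emit any HTML. Below is an added example of that, written for this page rather than taken from the article: two shortcodes that go into the child theme’s functions.php like the original. The shortcode names “newlines” and “labeled_break” and the attribute names “count” and “label” are my own choices; add_shortcode, shortcode_atts, absint and esc_html are WordPress core functions.

```php
<?php
/*
 * Added example, not part of the original article.
 * [newlines count="3"] emits three <br /> tags, so a report template does not
 * need three separate [newline] lines in a row.
 */
function newlines_shortcode( $atts ) {
    // shortcode_atts() supplies defaults and drops attributes we do not expect.
    $atts = shortcode_atts( array( 'count' => 1 ), $atts, 'newlines' );

    // Attribute values arrive as strings typed by whoever edits the post or
    // report template. absint() turns anything non-numeric into 0, and the
    // cap keeps a stray count="100000" from producing an enormous page.
    $count = min( absint( $atts['count'] ), 20 );
    if ( $count < 1 ) {
        $count = 1;
    }

    // Only markup written here is returned; nothing typed into the attribute
    // is echoed back, so there is nothing to escape in this shortcode.
    return str_repeat( '<br />', $count );
}
add_shortcode( 'newlines', 'newlines_shortcode' );

/*
 * [labeled_break label="Visitors"] prints a separator line of text followed by
 * a line break, replacing the hand-typed underscore rows in the report pattern.
 * This one DOES place attribute text into HTML, so the value goes through
 * esc_html() first; that is the habit to keep whenever a shortcode returns
 * anything that came from an attribute or from post content.
 */
function labeled_break_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'label' => '' ), $atts, 'labeled_break' );
    return '<p>' . esc_html( $atts['label'] ) . '</p><br />';
}
add_shortcode( 'labeled_break', 'labeled_break_shortcode' );
```

Both shortcodes can be tried without waiting for a report by placing them in a draft post and previewing it, or by calling do_shortcode( '[newlines count="2"]' ) from a test page template.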

Adding Line Breaks

Once the code has been added to your functions.php file, all you have to do is add the [newline] shortcode in your text to generate a line feed at that point. The beauty of doing this as a shortcode is that it can be inserted in places that do not normally allow you to add them – like in the email output of the WP-Statistics plugin.

Note: When testing your output from the WP-Statistics plugin, there is a convenient feature that allows you to send output every minute to see what you will be sending. As a rule I normally have the report set to send daily.

A Working Example

There were a couple of WP-Statistics report items that were of particular interest to me. One is the last post date. This is handy as a reminder when one should add one or more posts to a site – especially a blog – so the site content doesn’t appear stale (or as an alternative, simply do not show blog post creation dates). Even if you are not displaying the post dates on the site, it is good to know when you last posted something.

An example of the report pattern I used was this (note that in some WordPress themes the “[” and “]” characters in the example below display as repeated – there should only be one “[” opening shortcode character and one “]” closing shortcode character surrounding the shortcode itself when you use it):

WP Statistics report for https://CharlesWorks.com WordPress site:
[newline]
_______________________________________________
[newline]
[newline]
Last post date: [wpstatistics stat=lpd]
[newline]
Total Site Posts: [wpstatistics stat=postcount]
[newline]
Total Site Pages: [wpstatistics stat=pagecount]
[newline]
Total Site Users: [wpstatistics stat=usercount]
[newline]
Online Users at Report Time: [wpstatistics stat=usersonline]
[newline]
_______________________________________________
[newline]
[newline]
Today's Visitors so far: [wpstatistics stat=visitors time=today]
[newline]
Today's Visits so far: [wpstatistics stat=visits time=today]
[newline]
Yesterday's Visitors: [wpstatistics stat=visitors time=yesterday]
[newline]
Yesterday's Visits: [wpstatistics stat=visits time=yesterday]
[newline]
_______________________________________________
[newline]
[newline]
Total Visitors: [wpstatistics stat=visitors time=total]
[newline]
Total Visits: [wpstatistics stat=visits time=total]
[newline]
_______________________________________________
[newline]
[newline]
End of WP Statistics Report.
[newline]

I used the underline characters to separate various parts of the output for clarity. This report pattern generated a nicer, more readable report that even looked great when viewing it on my cell phone.

While I initially added this function as a way to neaten up the output of the WP-Statistics email report – the function should work just about anyplace in WordPress except in the PHP coding itself.

Charles Tips – Adding Akismet comment spam protection

Akismet provides a convenient and free way to protect your personal WordPress site or blog from spam.

Many times we’d like to allow comments to be left on our WordPress site. The hassle with this can be the tremendous amounts of spam that come through the forms on websites.

Akismet is a compact WordPress plugin that filters the incoming comments. It is pretty straightforward to use and pretty easy to set up as well.

Install the Akismet plugin

The first step in this process is to ensure that the Akismet plugin is installed in your WordPress website:

      • Log into your WordPress website’s dashboard as an administrator
      • Click on Plugins in the left dashboard navigation column
      • Look and see if Akismet is listed. If it is listed but not activated, proceed to the Akismet Setup step below; otherwise
      • Click on Add New under Plugins in the dashboard navigation column
      • If you don’t see Akismet in the plugins, then in the text box to the right of the word Keyword in the row starting with Featured type in Akismet – then click on its Install Now button. Do not activate it yet.

Akismet Setup

To set up Akismet you will need an API code from the Akismet site. The first step in that process is to navigate to:
https://akismet.com/plans

This (as of the time of this writing) brings you to a page that should look similar to the screenshot below.

Akismet offering pricing page

To get the free version of Akismet comment spam protection, you will need to click on the Get Personal button on the above page.

Once you’ve done that, you should see a page similar to the one below. Before attempting to fill out anything on this page, we need to set that $36 / YEAR to $0 / YEAR. Click on the $36 / YEAR box and drag it to the left.

Akismet Default $36 per year page

Dragging that $36 / YEAR box to the left should change the page to display something like the one below showing $0 / YEAR. You can also see that the information to fill in has changed.

Akismet $0 per year page

Now fill in the information completely. Note that you need to be able to check all three checkboxes indicating the following:

      • you don’t have ads on your site
      • you don’t sell products/services on your site
      • you don’t promote a business on your site

If these are the case, then you will qualify for a free, personal plan.

All you have to do once you have gotten this far is follow the directions on the page below.

Akismet signup complete page

Finally, it is suggested that while on that settings page in Akismet, you can choose to show the number of approved comments beside each comment author and choose whether to show a privacy notice or not. Then just click the Save Changes button and you are on your way!

Charles Tips – Checking Your Site

Something many folks overlook is occasionally checking their website’s functionality. I recommend doing this every couple of weeks, but at minimum once a month.

Most websites and the servers they are on are subjected to ongoing software updates. Unless you are paying an additional fee for maintenance checks, it’s normal for things to occasionally break due to updates.

Most website owners are not paying additional fees for such maintenance. This means you really need to take the time to check:

– that the site appears to work properly
– that your hours of operation are correct
– that any website forms are working
– that email addresses are correct

The site operation and forms are most susceptible to software updates. If you have a good web developer, the fixes will happen quickly and it will not cost you too much.

Website maintenance should be thought of like automotive maintenance. We get oil changes. We get inspections. We even make modifications and do repairs to keep our vehicle operating the way we want. And our older vehicles can cost more to upkeep – just like older websites. As websites age, more work needs to be done to keep them secure and working as originally intended.

So check your site every now and then to keep things working and have the correct information out there!

Charles Tips – Engagement

Engagement, in military terms, is described as a fight or battle between armed forces. In web terms, engagement could be thought of as the process of getting an idea across to accomplish a goal.

There are a couple of major goals with websites, as I see it. One is to simply share information. Another is to sell products. Make no mistake about it – whether you are selling widgets or ice-cream or trying to increase your congregation – the goal is essentially the same – getting people engaged.

The first, sharing information, definitely is a precursor to the second. I’d like to focus on the second here.

Websites that are more engaging with their visitors will encourage more sales. With that in mind, it follows that engagement is a result of information and aesthetics.

Aesthetics costs for a website can vary greatly. Graphic design can be time consuming. This equates to higher labor costs. Information in written form, however, is usually the least expensive part of website development. Text can usually be pasted into web pages. This is not usually as labor intensive. Having more information in text format on a website usually equates to more exposure to the public. This is because website visitors can arrive using search engines. And the search engines find your site based upon pertinent content – mostly text.

In a nutshell, if you want an engaging website – which will increase your probability of success on the web – make sure there is plenty of information in text form on it. Search engines will help get folks there and your aesthetics can do the rest.

Charles Tips – Blogging

A popular website sales pitch over the past ten or so years has been about blogging. Many web developers believe that blogging is an absolute must to get found on the web. However, believing doesn’t necessarily make it a fact.

Whether blogging will be a benefit to your particular web presence is complicated. There are a number of factors to consider.

A major factor is that blogging requires time to be effective. The time has to be spent by someone entering blog material pertinent to your business or topic into your website. Otherwise you have to pay someone to keep up with it.

Keeping blogs interesting to keep site visitors engaged is another ongoing endeavor. Site visitors won’t return if the material doesn’t hold their interests.

The real power of blogging lies with search engine placement. Search engines rank websites on how pertinent they are to a particular topic or search terms. Search terms are generally words or phrases people type into search engines when they are looking for something. The more pertinent – the higher the ranking. Having more pertinent material on a site increases ranking.

So when considering whether a blog is right for your web presence or not, bear in mind that a blog must be an ongoing, continuing effort. It may be just as effective to simply have a lot of static material on your site explaining details about all your offerings.

Charles Tips – WordPress Proficiency and Training

We’ve mentioned the term WordPress previously. Over 1/3 of all websites on the planet are built using WordPress. It is the most popular website platform. The platform is the environment in which a piece of software is executed.

An important aspect of website operation is determining whether the platform is optimized for your WordPress coding. That’s difficult for most people other than server operators to know. We recommend you find out two things from your web developer:

First is whether the latest version possible of PHP is used. That’s the actual programming language WordPress is written/coded in. PHP doesn’t have to be the very latest, as there are always new versions being developed. However, your WordPress themes and plugins may not work on the very newest version. But if you are using a version of PHP 5.x you may be asking for security issues. If the plugins and themes won’t run on the newer PHP 7.x then you really need to consider upgrading your site to use newer plugins or themes. WordPress itself is kept up better than most software and works great with the very latest PHP versions.

Second is to check that your WordPress installation is running on a Linux based system. Over twenty years in this business has shown us that there are far fewer issues with WordPress operating in Linux based servers rather than Windows based servers.

Hopefully your web developer is proficient with WordPress through experience and training. He or she should know the answers to these questions. If not, we routinely reassure our clients on such matters.

And, finally, the CharlesWorks team wishes you and yours a very safe and happy 2020!

Charles Tips – 3-4 Day Maintenance Response

Web services providers are really not much different than most trades. Response times can vary widely. Most good tradespeople can give you an idea of when they are going to get a job done for you. If they’re too busy for you then you’d normally just find someone else.

One of the major concerns we hear expressed in the web services field is about the general lack of timely service. Before dealing with a web company you should know if it’s a one man show – which dictates whether they can respond quickly to most maintenance requests.

My belief is that small changes should be done within 3-4 work days – if not sooner. If a web company does not have staff to be able to do this in that time-frame, that should raise a red flag. A one person company will always have issues should several of its clients require service during the same time frame. One person cannot be truly reliable to be there every time you will need them.

Unfortunately for most, they don’t find out the service will be poor until they are experiencing it. Not to worry – just make the switch then. A good company has backup staff on board to see to it you are taken care of. Do what’s best for your business – deal with reliably staffed web companies who will have people to help you when you need it.

Charles Tips – Partial Hour Webwork Billing

We hear lots of hype about how the economy is doing so great these days. However, it isn’t necessarily true for all and many have to watch their spending.

Paying expensive maintenance fees – it’s better in YOUR pocket!

One thing to watch is minimum labor/service rates. Checking out how you’re billed for webwork can save you a lot of money over time.

You gain the most advantage for yourself by finding a web company that bills by the minute. Billing by the full hour – or even worse yet – a minimum of more than an hour – is the absolute worst for you as an end web client.

By-the-minute billing means if a task takes 14 minutes you are billed for 14/60 of the hourly rate. While some complicated website tasks take lots of time, smaller tasks usually do not take long to do – like changing phone numbers, updating hours, adding or taking down specials, minor modifications to how something looks and the likes of that.

There are companies that will bill you for only the work they do for you – billing you by the minute.

I started doing it that way from the time I started my business in 1998. The business experienced considerable growth. One day, a competitor in my field told me I was “shooting myself in the foot” by charging that way. I ran into him a number of years later. He wasn’t in the web business any more.

There are many companies out there that do business fairly. If you’re paying minimum labor times or so called maintenance plans, then my suggestion is to look for a web company that will treat you fairly. You’ll save a lot of money in the long term.

Charles Tips – The big SEO Scam

I’ve mentioned SEO (Search Engine Optimization) throughout many articles. While it is important – I believe it’s the most abused area of website development.

SEO scammers are great liars

It’s important for your business website to be found in the search engines. That is best and most inexpensively done by having pertinent material in your website so the search engines see your website as pertinent or closely related to a topic.

There are many unscrupulous individuals and companies out there selling just plain bogus SEO. It’s often impossible to discern the truth. There are no regulations or meaningful certifications in this field.

As an example – let’s say you receive a dozen Viagra spam messages in a month. Does that mean you need it? Certainly just because a number of spam messages are saying you need something doesn’t turn it into a fact.

Why would you believe the same about SEO regarding your search placements on the Internet? Our web clients are bombarded with spam and with phone calls saying they need this and that for their websites. Some fall prey to these sales pitches and some even go out of business as a result of spending hundreds of dollars each month on scams.

Your web developer should care about you as a client – should want you to be as successful as possible and not up-sell you right out of business.

The worst part of the SEO scams is they can oftentimes hurt your placement with the search engines.

Don’t fall prey to the scamsters selling these bogus “services”. Check with your web developer FIRST about such offers to find out if they are for real or whether you actually need them.

Charles Tips – Nightly Website Backups

Your website is an important investment. Whether you made it yourself or paid to have a professional develop it for you – you wouldn’t want to lose it. We have taken on clients who were with the largest company in the world who lost their website because of having no backup. The terms for doing business with that company even state they are not responsible for the loss of the website.

Nightly Backup Server

I couldn’t imagine not backing sites up. Nowadays the technology is ever present to back everything up. In the not too distant past, hard drives were much more expensive than they are now. Hard drive space is extremely inexpensive nowadays – so there’s no excuse for a company to not make backups.

One third of today’s sites are on a platform called WordPress. Security updates happen often and changes can be readily made to WordPress sites – so they need backups at least every day. Whether there’s a server catastrophe or simply one of your employees blowing up your site while making changes – it can be recovered.

Definitely protect your website investment by hosting with a company that provides daily backups of your WordPress website every night for at least a month. That will avoid having to restart your website from scratch.

Charles Tips – An Email Contact is Essential

This week is a closely related follow up to last week’s article. As I mentioned then about a lack of a phone number, it seems like it would go without saying that a website trying to sell something should have an email contact someplace on it.

Last week I was referring to a web developer’s website with no telephone number or email address on it. Some developers put forms on their sites to try to get out of displaying an email address. The main issue with forms – besides the fact that form output is more often than not considered spam by many mail servers – is that people generally don’t want to fill them out. It’s much easier these days to click on an email link and send off an email saying exactly what you want to say. Of course you can speak it even more clearly but email may be the next best thing.

If you can’t find an email address to contact someone, my advice is to just move along to the next prospective web developer on your list. You want to deal with a web development company that makes it easy to be reached.

Charles Tips – Leaving a Voice Mail

Do I really have to say a web developer simply has to have a phone contact where one can at least leave messages?

As unbelievable as it may seem, there are those out there without a listed phone contact. I saw a website recently where there was no telephone number or email address on it to reach someone for service. I know you won’t believe it when I tell you that individual has been in business for many years.

The owner asked me how I managed to get so many clients and grow CharlesWorks to handling thousands of websites. I couldn’t resist mentioning there was no contact information on the website. The response was they didn’t want lots of junk emails and people knowing their phone number.

It reminded me that back in 1998 I started CharlesWorks because I wanted to help as many people with their web related needs as possible. I knew from having been in business earlier in my life that there are always going to be spam phone calls (just like spam emails). But that’s part of the cost of doing business.

So think twice if you can’t find a phone number to talk to someone.

Charles Tips – Forming Reciprocal Relationships

It is great to get referrals from others. That’s why it’s important to deal with a web company that understands your community and reciprocates by referring business to you. I always ask folks I meet when the last time was that they received referrals from the web hoster or web developer before moving to CharlesWorks. Usually the answer is never. I am amazed to usually find out at that point that even their local folks they give their web business to don’t bother to refer folks back to their own clients.

You need a web developer that does that as a rule. You need a developer where one or more of its staff are in high powered networking chapters and will refer business back to their own clients.

That’s what reciprocity is all about. You need a web company that practices that at every opportunity.

One small way CharlesWorks does that is through its CharlesWorks Directory. We help our clients get found on the web and increase their web traffic by keeping information about them on thousands of sites on the Internet.

If you have been feeling that your relationship with your web company is rather one sided, it’s time to deal with one that cares about you!

Charles Tips – Better Business Bureau Accredited

When exploring who to have build your web presence or do your SEO (Search Engine Optimization), look to see that the web company you’re considering is an accredited member in good standing with the BBB (Better Business Bureau). The BBB does a lot of your homework for you. It actually checks out businesses for things like the fact that they really are in business and what the company’s website states.

This can be very important: make sure the company really is accredited by checking for them on the BBB website. There are many unscrupulous companies out there that place a BBB logo (which is a copyright infringement) on their site and have never even applied for BBB accreditation.

Companies must apply to and pay a fee to become an accredited member of the BBB. Once again, these are all factors that point to the integrity of the company – its reliability – its dependability. You want a company that is going to help you and that thinks about its web clients – so the web company’s BBB accreditation is very important.