Security Tips We LOVE to Keep Your WordPress Site Safe.

You just realized your WordPress website was hacked. What do you do? This post describes what you can do, and how to set up a site so that you will be less likely to get hacked.

As web developers we’ve supported quite a few clients whose sites became compromised, so we have plenty of practice restoring and recovering websites. With our clients we stress the importance of planning, which includes setting up preventative measures to avoid getting hacked in the first place. If a site we support does get hacked, here’s what we typically do.

How to Recover a Hacked Website

When your site is hacked there are four important things to do:

  1. Prevent the intrusion from happening again
  2. Backup your site
  3. Locate and eliminate the hacked content
  4. Locate and eliminate the intrusion point

Prevent the intrusion from happening again

It can be tempting to first try and fix your content, but if someone gained access to your system and is still there, then you want to quickly prevent more harm from being done before fixing the existing damage.

The first simple thing to do is to have admins change their passwords and then change your salts. Changing your salts will kick everyone currently logged in to wp-admin out. With new passwords in place, they will not be able to log in again.
If you cannot quickly get hold of an admin to have them change their password, demote them to a lower-permission role.

Once this is done, you should review users with admin access and tidy up which users have access to your site. You can find a comprehensive summary of WordPress Roles and Capabilities here. Use the principle of least privilege: if someone doesn’t need the access level they have, give them a lower-level permission. Don’t give people a higher access level “just because they might need it.”

Additionally, have admins (at a minimum) enable two-factor authentication (2FA). This prevents a stolen password on its own from being used to log in.
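The salt rotation described above, as an added example that is not the post’s own code: WP-CLI can do this in one command (`wp config shuffle-salts`), but when the site is compromised it helps to know exactly what that step changes. The script below rewrites the eight `define()` lines in a `wp-config.php` with fresh values from the OS CSPRNG and refuses to continue if any of the eight keys is missing. The sample config text is constructed for the example; the character set used for new values is an assumption (printable ASCII without quotes or backslashes), not a copy of WordPress’s exact generator.

```python
import re
import secrets
import string
from pathlib import Path

# The eight secret constants WordPress reads from wp-config.php. Rotating them
# invalidates every existing login cookie, which is the effect the post relies on.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# WordPress's own placeholder text, as shipped in wp-config-sample.php.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

# Assumption: printable ASCII minus quote/backslash/backtick, so a value can sit
# inside a single-quoted PHP string without escaping.
SALT_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\`"
)

# Matches define('KEY', 'value'); where neither part contains quotes or backslashes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Z_]+)\1\s*,\s*(['"])(?P<val>[^'"\\]*)\3\s*\)\s*;"""
)

# Constructed sample wp-config.php (not a real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', 'example-db-pass' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_salt(length: int = 64) -> str:
    """Fresh secret from the OS CSPRNG; 64 characters like WordPress's generator."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def find_default_salts(config_text: str) -> list[str]:
    """Salt keys still carrying the sample placeholder, or missing entirely."""
    seen = {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(config_text)}
    return [k for k in SALT_KEYS if seen.get(k, DEFAULT_PLACEHOLDER) == DEFAULT_PLACEHOLDER]


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Rewrite all eight salt defines; return (new text, {key: new value}).
    Fails loudly if a key is absent, because WordPress would otherwise fall
    back to weak built-in defaults without telling you."""
    replaced: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        key = m.group("key")
        if key not in SALT_KEYS:
            return m.group(0)  # DB_NAME, DB_PASSWORD etc. are left untouched
        replaced[key] = new_salt()
        return f"define('{key}', '{replaced[key]}');"

    new_text = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in SALT_KEYS if k not in replaced]
    if missing:
        raise ValueError(f"wp-config.php is missing salt defines: {missing}")
    return new_text, replaced


def rotate_salts_in_file(path: str) -> dict[str, str]:
    """Rotate salts in a real wp-config.php, keeping a .bak copy of the original."""
    p = Path(path)
    original = p.read_text()
    new_text, replaced = rotate_salts(original)
    p.with_suffix(p.suffix + ".bak").write_text(original)
    p.write_text(new_text)
    return replaced


if __name__ == "__main__":
    print("still default:", find_default_salts(SAMPLE_WP_CONFIG))
    rotated, _ = rotate_salts(SAMPLE_WP_CONFIG)
    print("after rotation:", find_default_salts(rotated))
```

`find_default_salts` doubles as a quick audit: a production `wp-config.php` that still contains the placeholder text has never had salts set at all, which is worth checking before you even start recovery.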

Backup your site

Next, do a quick backup of your database. This backup can help you figure out what went wrong. The backup can be used in a controlled environment to find the hacked content.

In addition to these technical gates, think about who might have access to your site that shouldn’t. For example, are the accounts of former employees still active? Are any shared accounts in use?

Locate and eliminate the hacked content

The first step is to determine the nature of the attack. For example, if the contents of a post have been changed, then the database is affected. If one post is changed, assume that others have been too; attackers will often change many posts in the same way. A common example is to inject a script tag that redirects to a particular URL. In this case you can search the database for that URL.

A very useful tool for searching the database is WP-CLI. A WordPress database search prints out every reference to the string you’re searching for.
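The locate-and-eliminate step above, as an added example (not code from the post): an in-memory SQLite stand-in for `wp_posts` with constructed rows, the same `LIKE` search that a `wp db search` would do, and a cleanup that removes the injected `<script src=…>` element from each affected post. The redirect URL `https://redirect.example/go.js` is a constructed marker, not a real indicator. Cleanup is done with a regex in Python rather than a SQL `REPLACE()`, because the injected tag’s exact bytes (quoting, attribute order) usually vary from post to post.

```python
import re
import sqlite3

# Constructed marker for the injected redirect; not a real URL.
INJECTED_URL = "https://redirect.example/go.js"


def injected_script_pattern(url_fragment: str) -> re.Pattern:
    """Match a <script> element whose src contains url_fragment, tolerating
    attribute order, quoting style and whitespace variations."""
    frag = re.escape(url_fragment)
    return re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*['\"]?[^'\">]*" + frag
        + r"[^'\">]*['\"]?[^>]*>\s*</script\s*>",
        re.IGNORECASE,
    )


def build_sample_db() -> sqlite3.Connection:
    """Constructed wp_posts table: post 1 is clean, posts 2 and 3 are infected."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)"
    )
    rows = [
        (1, "Welcome", "<p>Hello and welcome to our site.</p>"),
        (2, "Pricing",
         '<p>Plans start at $10.</p><script src="https://redirect.example/go.js"></script>'),
        (3, "About",
         "<p>About us.</p>\n<script type='text/javascript' src=https://redirect.example/go.js></script>"),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def _like_escape(s: str) -> str:
    """Escape LIKE wildcards so a URL containing '_' or '%' is matched literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_infected_posts(conn: sqlite3.Connection, needle: str) -> list[int]:
    """IDs of posts whose content contains needle (parameterised, never string-spliced)."""
    cur = conn.execute(
        "SELECT ID FROM wp_posts WHERE post_content LIKE ? ESCAPE '\\' ORDER BY ID",
        (f"%{_like_escape(needle)}%",),
    )
    return [row[0] for row in cur.fetchall()]


def clean_infected_posts(conn: sqlite3.Connection, url_fragment: str) -> dict[int, str]:
    """Strip the injected script from each infected post; return {ID: cleaned content}.
    Posts that mention the URL but not as a <script src> are left for manual review."""
    pattern = injected_script_pattern(url_fragment)
    cleaned: dict[int, str] = {}
    for post_id in find_infected_posts(conn, url_fragment):
        (content,) = conn.execute(
            "SELECT post_content FROM wp_posts WHERE ID = ?", (post_id,)
        ).fetchone()
        new_content, n = pattern.subn("", content)
        if n == 0:
            continue
        new_content = new_content.strip()
        conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (new_content, post_id))
        cleaned[post_id] = new_content
    conn.commit()
    return cleaned


if __name__ == "__main__":
    db = build_sample_db()
    print("infected:", find_infected_posts(db, INJECTED_URL))
    print("cleaned:", clean_infected_posts(db, INJECTED_URL))
    print("remaining:", find_infected_posts(db, INJECTED_URL))
```

Run the search first against the backup you took in the previous step, then against the live database; the two result sets should agree, and anything the cleanup skips (`n == 0`) deserves a look by hand.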

If images are modified on the server, then you can recover these by reverting to an older backup of the image assets. We tend to use UpdraftPlus for backups. We back up the sites we monitor to AWS S3 using permissions that allow writes but not deletions on the bucket. So even if a hacker gets into wp-admin, they cannot delete our database and asset backups. Our code is in version control.

Locate and eliminate the intrusion point

This can be the most difficult step. It is mostly careful detective work. A good starting point is to update WP Core and all plugins to the latest versions.

Sometimes – especially if permissions are not set correctly on a server – the contents of WP Core, themes, or plugins can be changed. If the code is under version control, this can be remedied by reverting the differences. Many security plugins, such as iThemes Pro, can monitor for file changes.
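The file-change monitoring mentioned above, as an added example that is not the post’s or any plugin’s code: take a SHA-256 baseline of the site tree from a known-good checkout, then diff a later snapshot to list added, removed and modified files. The mini WordPress tree it builds in a temporary directory is constructed for the demo, and the ignore list (`wp-content/uploads/`, `wp-content/cache/`) is an assumption about which paths change legitimately.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: these paths change all the time for legitimate reasons, so they are
# excluded to keep the diff about code. A baseline must come from a clean checkout;
# one taken after the compromise just enshrines whatever was planted.
DEFAULT_IGNORE = ("wp-content/uploads/", "wp-content/cache/")


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files don't need to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, ignore=DEFAULT_IGNORE) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in ignore):
            continue
        result[rel] = sha256_of(p)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed mini WordPress tree, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-config.php": "<?php // constructed sample config\n",
            "wp-includes/functions.php": "<?php function wp_example() {}\n",
            "wp-content/plugins/demo/demo.php": "<?php // constructed sample plugin\n",
            "wp-content/uploads/2024/photo.jpg": "constructed image bytes",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = snapshot(root)
        # Tamper the way the post describes: a core file edited and a stray file
        # dropped into a plugin directory. The upload change should be ignored.
        (root / "wp-includes/functions.php").write_text("<?php function wp_example() {} // edited\n")
        (root / "wp-content/plugins/demo/helper.php").write_text("<?php // unexpected new file\n")
        (root / "wp-content/uploads/2024/photo.jpg").write_text("changed but ignored")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline JSON somewhere the web server cannot write to (or in version control alongside the code); if the attacker can rewrite the baseline, the check proves nothing.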

How to set up a secure WordPress site

At the end of the day, the single most important thing to have is scheduled backups. If you have code, database, and uploads backups, then you can recover from just about any website hack.

Also, you won’t have to recover a hacked site very often if you set up your site in a secure manner. Here’s a checklist, starting with keeping WordPress Core up to date:

  • Keep all your plugins up to date
  • Install and use a security plugin such as iThemes
  • Perform regular code scans of any newly installed plugins
  • Install and use a backup plugin such as UpdraftPlus
  • Do not allow multiple people to share the same login
  • Use the principle of least privilege in giving people their roles and capabilities
  • Block IPs as needed
  • Use Cloudflare as needed
  • Do OWASP scans for preventative maintenance

Having your site hacked can be a very stressful event. Making sure that you are doing the things required for a secure WordPress site ahead of time, and spending some time reviewing what to do in case your site is hacked will help ease your mind and make you more prepared.

How to Increase Deliverability Rates by Using a Transactional Email Service

Want to increase email deliverability? If you’re not using a transactional email service to send emails from your website, read on.

Overview

There are certain things that appear simple at first, but turn out to be more difficult and complicated than you imagined. Sending emails from your website is one of these things.

To see why this is so, we first have to understand the types of emails sent from a website. There are two broad types of email a business sends: marketing emails and transactional emails. Marketing emails are things like newsletters. There’s no reason to complicate your website by putting it in charge of marketing emails. On the other hand, transactional emails are emails that are sent to users based on what they do on your site. An example would be a purchase confirmation email.

Let’s take the example of a WordPress site. WordPress has default mail functionality that calls PHP’s mail() function. On many servers, this already works out of the box. If it doesn’t, it’s relatively easy to install Postfix to get basic Message Transfer Agent (MTA) functionality. There are several general issues with sending emails directly from an on-server MTA:

1. Deliverability
2. Price
3. Convenience

Deliverability

This is the single most important reason to use a transactional email service. It’s not professional to ask users to look in their spam folders for your emails, and this is what you’ll have to do unless you implement a bunch of things that email services include out of the box. To set up proper email delivery from your server, you’ll have to add an SPF record to your DNS; create, configure, and implement DKIM; create a DMARC record; ideally have a dedicated IP; and set up reverse DNS (PTR) records.
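To make the SPF and DMARC part of that list concrete, here is an added example (not code from the post or from any email provider) that parses the two TXT record formats and flags the settings that get mail treated as spam, or that make the record worthless: an SPF record ending in `+all`, an SPF record with more than ten DNS-lookup mechanisms (receivers return permerror past that limit), and a DMARC record with `p=none` or no `rua=` reporting address. The records are constructed; the `include:mailgun.org` in the hardened one is only an illustration of what a provider’s include looks like. It checks record syntax only; it does not query DNS, so pair it with `dig TXT` or a resolver library for the live record.

```python
import re

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 +all"
GOOD_SPF = "v=spf1 include:mailgun.org -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, argument) triples.
    A missing qualifier means '+' (pass), as the RFC specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:[:=/](.*))?$", term)
        if not m:
            raise ValueError(f"malformed SPF term: {term}")
        parsed.append((qualifier, m.group(1).lower(), m.group(2) or ""))
    return parsed


def spf_findings(record: str) -> set[str]:
    """Short codes for weak or broken SPF settings."""
    terms = parse_spf(record)
    findings: set[str] = set()
    lookups = sum(1 for _, name, _ in terms if name in SPF_LOOKUP_MECHS)
    if lookups > 10:
        findings.add("spf-too-many-lookups")
    all_terms = [q for q, name, _ in terms if name == "all"]
    if not all_terms:
        findings.add("spf-no-all")          # unlisted senders get a neutral result
    elif all_terms[-1] == "+":
        findings.add("spf-pass-all")        # anyone may send as this domain
    elif all_terms[-1] == "?":
        findings.add("spf-neutral-all")
    if any(name == "ptr" for _, name, _ in terms):
        findings.add("spf-ptr-deprecated")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict, requiring v=DMARC1."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def dmarc_findings(record: str) -> set[str]:
    """Short codes for DMARC settings that give receivers nothing to enforce."""
    tags = parse_dmarc(record)
    findings: set[str] = set()
    policy = tags.get("p", "")
    if policy not in {"none", "quarantine", "reject"}:
        findings.add("dmarc-missing-policy")
    elif policy == "none":
        findings.add("dmarc-policy-none")   # monitor only; spoofed mail still delivered
    if "rua" not in tags:
        findings.add("dmarc-no-aggregate-reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.add("dmarc-partial-pct")
    return findings


def audit(spf: str, dmarc: str) -> dict[str, set[str]]:
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_SPF, WEAK_DMARC))
    print("hardened:", audit(GOOD_SPF, GOOD_DMARC))
```

A transactional email service gives you the `include:` for SPF and a DKIM key to publish, but the DMARC policy is still your call; `p=none` is fine for the first weeks of monitoring and a finding after that.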

When a developer tells you, “Oh, yeah, I can install Postfix so WordPress will send email. It’ll take me half an hour,” they’re likely not including all of the above, which means your emails to customers might end up treated like spam. This leads us to the second reason. Using a commercial product can seem more expensive than using built in server functionality, but it’s actually cheaper.

Price

Many commercial services have generous free tiers. If you consider the hourly rate of a developer as part of the price needed to setup email properly on a server so that it delivers reliably, then server email can be much more expensive than a service. Why pay a software engineer to reinvent the wheel?

Additionally, the total cost of owning a mail server doesn’t stop at the setup. Once you have a server you must patch, maintain, monitor, and – when something goes wrong – fix it. Problems with email queues are numerous. When something goes wrong with your email server, you’ll be in charge of scheduling the repair and overseeing that it gets working again. These are things you do not have to take ownership of with an email service. Overall, an email service will not only be cheaper than an MTA on your server, it will also be more resilient.

Convenience

Your first impression may be that it is more convenient to use server email. After all, you don’t have to create an account or compare services. But we’ve already covered the fact that there are complications to setting up email delivery from your server. Additionally, once you have been through setting up an MTA yourself, you’ll appreciate the many helpful built-in features of transactional email services. With an email service, you can review previously sent email, track who opened their emails, and often look at more granular analytics, such as click tracking. You can also create reusable templates.

Email services also handle the HTML and plain-text portions of emails correctly. They make it easy to add opt-out links to your emails. These are things that can be done manually, but again it’s more work.

Picking a Transactional Email Service

At Solid we often lean on Mailgun, but there are many services to choose from. Take some time to compare pricing and functionality among services like Mailgun, Amazon SES, SendGrid, Mandrill by Mailchimp, Postmark, SparkPost, and many more.

Here are some of the questions you should ask when picking a service:

  1. Is the API well documented?
  2. Does the service have a well supported WordPress plugin? (assuming you’re using WP – if not, is the service easy to integrate with the platform you’re using?)
  3. What kind of data and analytics does the service have?
  4. What is included in their free tier?
  5. How does pricing change based on volume?

Which of the previous services you choose is probably less important than being aware of transactional email services and using one!

Top 5 Signs You’re Not Planning Enough

Your project is important and you want to get started fast, but creating a plan takes time and effort. An experienced digital agency will help you understand the payoff for pausing and planning.

More planning up front will not only ensure a better result, it’ll save you money too.

It may earn an agency more money, sure, since projects without a predefined structure tend to run longer due to lack of planning (earning them more revenue in change orders and scope expansions), but a premier web design agency will look at the bigger picture, and set off only once a course has been charted.

Some digital agencies will embark on a project without nearly enough planning, not beholden to structure or process—this is dangerous and short-sighted.

A thoughtful action plan will quite simply result in faster turnaround and better results, which, in turn, will build a level of trust and increase the chances you may go back to that same agency when it comes time for the next project. In the long run you will both prosper with better planning.

Here are the top 5 signs that you’re not planning enough:

1. Unrealistic Timeline

If you have an overly optimistic timeline, be ready to finish later than scheduled. A top-notch agency will immediately flag an unrealistic timeline.

Beware if you get zero push back on an aggressive timeline.

Either the agency you’re working with doesn’t care that they won’t deliver on time, or they’re not experienced enough to know that the plan is unrealistic. The best way to know if a timeline is aggressive or not is to detail it out as much as possible. Work backward from your launch date and add milestones and deadlines to a calendar.

2. Undocumented Milestones

Unless your project is only going to take one day (yeah, we didn’t think so), you need to setup realistic milestones. Milestones help you and the entire team check in on the project and make sure things are moving along at the right pace and in the right direction.

Bonus: Milestones also force you to break a large project into smaller chunks leveraging the divide and conquer algorithm.

3. No Written Plan

It’s easy to gloss over things when describing and agreeing to something in words, and many holes in a plan become apparent when you write things down.

  • Write down your deadlines and milestones.
  • Write down your nice-to-have features,
  • Your must-have features,
  • Your internal dependencies,
  • Your external dependencies,
  • Your next steps,
  • Your questions,
  • And anything else you can think of.

Whether you end up using a commercial grade project management solution or just note cards, the important thing is that you get things written down. This will force you to be more realistic, and will help you communicate your vision to others.

4. Lack of Success Metrics

Make sure you’re clear about what success looks like. Having clear metrics helps everyone on the project make solid decisions. Each project has a scope, a budget, and a timeline. You can only fix two of these; the third will be a function of the two you pick. It’s important that everyone knows the fixed parameters. For example, if a short timeline and a well-defined MVP are the success metrics, then everyone on the team should be comfortable asking for more resources, even if they increase the budget.

On the other hand, if a low budget and a short timeline are the success metrics, then everyone on the team should be comfortable simplifying the end product if a feature will cost too much or take too long. Imagine what wild success will look like and describe it to your team. Help everyone work toward success by deciding what to keep track of and measure.

5. No Buffer Time Built In

Finally, no matter how much you plan, things will go wrong. The more complicated your project, the greater the dependencies, the bigger the team, the more things will go wrong. Since both you and your digital agency are highly motivated to complete a project, it can be easy to fall into the trap of being overly optimistic. You’re trying to hit a deadline for a big launch, and your agency is trying to finish a project for the final payment, but you’re in for a rude awakening if you don’t include a buffer in your project plans.

Planning is hard work. A premier digital agency can guide you through creating a quality plan. In the end, planning will save you money and allow you to deliver products with a higher impact.

Google Tag Manager as a Marketing Tool

To update a script or pixel on your marketing website, are you forced to fire off an email to your digital agency/IT team with a request for the relevant updates, or are you using the right tools to get the job done quickly and efficiently?

The Two-Minute Rule

Following the Two-Minute Rule allows you to get stuff done right there and then, instead of taking up brain space and having to track items on your to-do list. To update a script or pixel on your marketing site, do you have to fire off an email to your digital agency with a request for the relevant updates, add a to-do item to verify when completed, and then wait (much longer than two minutes) for a reply? If so, you’re not reaping the benefits of Google Tag Manager (GTM).

Google Tag Manager

Google Tag Manager (GTM) is JavaScript that you can use to dynamically load content onto your site. The content is broadly defined as “tags” (script elements, code snippets, and images). Since it is a Google product, its feature set is extensive. You can think of it as a single hard-coded script element that can be used to pull in other pieces of code and images on defined pages at defined events.

Getting Started

You’ll want to set up a GTM account and include the GTM script on all your pages. If you’re using WordPress, this is easy to do with Google Tag Manager for WordPress. Once you have GTM installed, you can start adding scripts on the fly.

There are several parts to adding a script:

  1. Create a Tag
  2. Add a Trigger
  3. Preview
  4. Publish

Creating a Tag

There are 50+ ready to go tags from Google Analytics to Google Optimize to AdRoll to HotJar. If your tag is not listed, you can add custom scripts or images.

Adding a Trigger

Triggers control when a tag is included on a page. The simplest trigger – available by default – is the All Pages – Page View trigger. Custom triggers include page views of specific pages, clicks on elements using CSS selectors, scroll depth, etc.

Previewing

Click on the preview link and visit your site. This will automatically open a panel where you can see whether your tags are being added and triggered.

Publishing

Once you’re satisfied that everything is working the way you want, publish your changes. GTM keeps track of things with versions. This makes it easy to roll back and understand what is live.

Another feature that helps with publishing is workspaces. When you’re working on a new change, that change is in draft mode. Workspaces allow you to test multiple possible changes by putting each one in a different workspace. This is generally only helpful on large teams.

[Bonus Tip] Chrome Extension

Another tool to help you with the publishing of tags is the Chrome extension. It’s an easy way to verify the tags on a page.

Summary

There’s a lot more to GTM. You can use variables and multiple environments if you want to test your changes in a staging environment.

The entire workflow can seem overwhelming. Remember, the end goal is the freedom to manage your own pixels and scripts, so learning the ins and outs will be well worth it.

However, for more complicated scenarios—and to strategize about the general approach to use—you’ll still want to rely on the marketing expertise of your digital agency. Those discussions will feel much more fulfilling and valuable than, “Please update my HotJar id from 12345 to 7890.”