Google pagespeed insights headache.

Today on Episode 24 of Web Hosting Podcast. Are you obsessed with page speed ranking? Speed is always a great thing to have, but the reality is that getting a perfect score is almost impossible with a website. Megan joins me to discuss some things that may cause your site to be slow. We also dive into PageSpeed Insights and discuss some surprising and shocking results we got.

 

What can make your website slow?

  • Slow hosting environment
  • Images too large
  • No caching set up on the website (expires headers)
  • Long database queries
  • Running old versions of software: PHP, Apache, CMS software (WordPress, Drupal, Joomla, etc.)

If you use Google PageSpeed Insights or the Pingdom website speed test, you may have gotten a low score for your website. A low score would be something in the 60-70 range. Anything above an 80 would be considered a pretty good score. I just want to point out that you should not obsess about getting a perfect score.

google pagespeed insights

Pingdom website speed test

Both of the page speed tests use a score from A (great) to F (fail). Of course you want to try to get all A's in your grade score. But sometimes it is just not possible.

For a baseline, I installed a default version of WordPress (4.9.8) on a domain I own. Right after installing, I ran both the Google PageSpeed and Pingdom website speed tests. The site is being served over SSL using the default free cPanel SSL certificate.

Google – Mobile = 70
Google – Desktop = 92

Pingdom = Overall 88 (B)

When you first run the test, you will get a list of currently applied optimizations as well as improvement recommendations.
My list of currently applied optimizations on a default install is as follows. NOTE: these may be different depending on your hosting provider's setup and environment.

Avoid landing page redirects
Enable compression
Minify HTML
Optimize images
Prioritize visible content

From the list, you can see that I do not have redirects for the landing page, I have gzip compression enabled, my html is minified, my images are optimized, and I have content that is visible that is prioritized. But what does this all mean?

Landing Page Redirects :
This occurs when you redirect the main site the user is going to, to another page. Google provides some great examples.
Here are some examples of redirect patterns:
example.com uses responsive web design, no redirects are needed – fast and optimal!
example.com → m.example.com/home – multi-roundtrip penalty for mobile users.
example.com → www.example.com → m.example.com – very slow mobile experience.

Enable Compression :
We actually discussed this in the very first episode and it is worth noting again. Compression will shrink down elements before sending them to the browser. This saves bandwidth and can improve site speed by sending smaller elements through the internet. You can enable gzip compression in cPanel by going to “optimize website” and click on compress all content.

Minify HTML :
According to google here is what they mean by Minify HTML:
Minification refers to the process of removing unnecessary or redundant data without affecting how the resource is processed by the browser – e.g. code comments and formatting, removing unused code, using shorter variable and function names, and so on.
You should minify your HTML, CSS, and JavaScript resources:
To minify HTML, try HTMLMinifier
To minify CSS, try CSSNano and csso.
To minify JavaScript, try UglifyJS. The Closure Compiler is also very effective. You can create a build process that uses these tools to minify and rename the development files and save them to a production directory.

Optimize Images :
This rule triggers when PageSpeed Insights detects that the images on the page can be optimized to reduce their filesize without significantly impacting their visual quality.
This means that I do not have an image that is too large and scaled to fit the area. Do not scale images in your web framework. Always scale the image before uploading.

My initial run of items that needed improvement.

Reduce server response time
In our test, your server responded in 0.64 seconds.
There is not much to be done here. That is almost 1/2 a second for a response time. It could certainly be better, but this value will shift up and down depending on a lot of factors. If this value is higher than 1 second, then you may have an overloaded server.

Eliminate render-blocking JavaScript and CSS in above-the-fold content
Your page has 1 blocking CSS resources. This causes a delay in rendering your page.
None of the above-the-fold content on your page could be rendered without waiting for the following resources to load. Try to defer or asynchronously load blocking resources, or inline the critical portions of those resources directly in the HTML.

Leverage browser caching
Setting an expiry date or a maximum age in the HTTP headers for static resources instructs the browser to load previously downloaded resources from local disk rather than over the network.
This is simply setting a cache header or expires header. We covered this in Episode 1.

Minify CSS
Compacting CSS code can save many bytes of data and speed up download and parse times.
Like the Minify of HTML above, this is the same only for CSS. Removing objects and comments that are not needed will shrink the file size and allow the file to be served faster.

Minify JavaScript
Compacting JavaScript code can save many bytes of data and speed up downloading, parsing, and execution time.
Like the Minify of HTML above, this is the same only for JavaScript. Removing objects and comments that are not needed will shrink the file size and allow the file to be served faster.

Now here is where things get sketchy with these reports. Remember, my initial scan was Desktop 92, Mobile 70. On my next run, the test was worse and the only thing I changed was the .htaccess to allow for caching (see below). Now with this single change in place, my score is Desktop 90, Mobile 57. What gives here? Dropping 2 points on desktop after applying a fix makes no sense, and even worse is mobile dropping 13 points. To make matters worse, running the test a 3rd time with no changes except caching results in even lower numbers. Desktop 89, and Mobile is back up to 64. So let's make some more changes and see what happens.

Browser caching in .htaccess file
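# The Header directive requires mod_headers to be enabled
# 3 months (7257600 seconds = 84 days)
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=7257600"
</FilesMatch>

# 1 week (604800 seconds)
<FilesMatch "\.(js|css|pdf|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>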

Deleted two plugins
Hello Dolly and Akismet

Added
w3 total cache.
For this plugin, I enabled and then set the following options to turn them on. The first time I enabled this plugin, I got a 500 error. I had to remove the browser cache line from above, then the site rendered and I was able to adjust the settings for w3 total cache. Once the settings were saved, I was able to add the browser cache from above and things worked fine.

Page Cache enabled and using Disk : Enhanced
Minify enabled and using Disk : Enhanced
Database Cache enabled and using Disk
Object Cache enabled and using Disk
Browser Cache enabled
Fragment Cache set to disk

Click on Save All Settings and purge any cache by going to Performance in the top menu and Purge all caches.

After removing those two plugins, and adding w3 total cache my scores are as follows on the first run.
Desktop 97
Mobile 93
These numbers held after repeated attempts over several hours. It is still a mystery as to why the numbers dipped so badly after just adding caching, which should have helped the numbers, not hurt them.

The changes above resulted in only needing two fixes, according to google.
Eliminate render-blocking JavaScript and CSS in above-the-fold content
Leverage browser caching

I am not going to worry about the first one, Eliminate render-blocking JavaScript and CSS. But what gives with the second one? I thought we added browser caching already. Well, we did, but there are some things you may not want to cache, or in this case, that W3 Total Cache does not want cached. The file in question is a minified JavaScript file, and it is likely that this file will change over time as you build your website and add plugins. If you cache a file that is known to change, then your users may not get the new file until the cache expires. So when you decide which files to cache, make a note of which ones might change regularly.

With these settings my pingdom website speed score went from 88 (B), to 96 (A).

As you can see, it is pretty simple to get some good scores, if you are worried about that. And you should be worried about some of them. Browser caching, minifying files, everything helps improve the user experience. But focusing on getting that 100 is a lofty goal and not practical for a website that has valuable content. Try to keep it real by getting in the 90+ range and resolve the issues you can fix. W3 Total Cache is one of the easiest plugins to set up and use just to get these speed benefits and get your score up. There is no coding; it is all done for you.

IDNS deceptive practices, IGTV is now live, cPanel now supports git.

Today on episode 22 of Web Hosting Podcast. iDNS misdirection, this is a public service announcement for the alleged service provided by iDNS. This company may send out actual mail to you in an attempt to trick you into renewing your domain name with them. IGTV (Instagram TV) is now live, did you even notice? cPanel now supports git.

IDNS

IDNS is a company that sends out actual mail when your domain is close to renewal. IDNS, or Internet Domain Name Service, sounds pretty official and the letter looks even more official. However, this is not a bill; it is an attempt to trick you into moving your domain to their registry. This letter looks so official that it has tricked many people into sending them money. IDNS sends out these letters in an attempt to trick you into paying their exorbitant fees for domain renewals. A standard domain renewal from a legitimate company is averaging $10 for a .com; however, IDNS tries to get you to pay $45 for each domain. This is then compounded by a fee if you want to move away from IDNS. I think we will start to see fewer of these letters since the GDPR is in place and effectively hides some of the required information IDNS needs for these mailings. If you get one of these letters, be sure to send it to the shredder. Here is what these letters look like.

IDNS-Deception

Git on cPanel

cPanel 72 now allows you to host git repositories as part of your cPanel account. This is great news for those of us that need to use git to share and track files.
From cPanel's documentation page:
The Git™ Version Control feature allows you to easily host Git repositories on your cPanel account. You can use Git to maintain any set of files (for example, a website’s files and assets, a software development project, or simple text files). Here is a link to cPanel documentation. We will likely discuss Git in a future podcast episode in more detail.

IGTV

IGTV is part of Instagram's, or Facebook's, attempt to bring video to the social media giant's platforms. This is very different from the current use of Instagram stories, which are limited to 15 seconds and expire after 24 hours. IGTV allows users to upload videos up to 10 minutes, or 1 hour for verified users, and these do not expire after 24 hours. This medium, in my opinion, is very different from having a YouTube channel. IGTV is really trying to go after the “In Real Life (IRL)” moments, where YouTube is more of a “produced” format. That is not to say you can’t do produced video on IGTV, it is just not as easy of a workflow. IGTV and Instagram in general are for a cell phone viewing audience where the viewing device is vertical. Being mobile first is Instagram's strong suit. As it is, mobile views account for over half of the current watched content online and are expected to grow to 78% by 2021.

Why is IGTV important for you or your business?

I was very doubtful about IGTV at first. I watched some videos from people I follow and watched some information on IGTV on YouTube. It took me a while to see the potential and understand what all the excitement was for this platform. The vertical format is very hard for me to get used to; I do prefer the tabloid viewing option of YouTube. However, putting all of the issues I have aside, I think this is a great platform for business or personal use. Almost everyone is going to have a cell phone and that is all you need to get started. This makes the starting cost nothing. Granted, you can do the same thing with YouTube, but I think most people expect a higher quality video on YouTube. Starting up an IGTV channel is super simple. Just go to instagram.com, log in and click on the IGTV button, then click on the “get started” button. From here you have to create and set up your channel. This is just like setting up a YouTube channel. Once this is done you can start uploading your content. Make sure your video is in the vertical format. You can also make a custom thumbnail for your video, along with a title and description when you upload.

Currently Instagram has reached the 1 billion monthly active user total. That is billion with a b, per month. Put that in perspective. If you are able to reach 1% of 1% of those users, that is 100,000 new customers for your business. Since this platform is very new, you can get ahead of your competition by putting out great content. Here are some ideas you could try.

Video about you and your business. Make sure to include any social media links, website links, etc..
Micro vlog. Instagram is perfect for doing a small micro sized vlog series. You could show behind the scenes elements of your business.
Public Service announcements. These could be short snippets about product awareness or new items you are offering on your storefront.
Flash sales. Test your Instagram reach by having a flash sale only through Instagram.

These are just samples of ideas, but I think you get the idea. I am planning on using IGTV for podcast promotion and public service announcements for security and product updates. So follow me on Instagram so you can get notifications of new videos.

IGTV Specs and info:

PCI DSS Changes to TLS and Chrome 68 marks sites as not secure.

Today on episode 21 of Web Hosting Podcast. PCI (Payment Card Industry) changes have come into effect. These changes make a dramatic shift to the encryption standard that you may not be aware of. If you are on an older operating system, and even some new ones, you may be left out in the cold and unable to get email or see your website. Chrome 68 is coming this month and if your site is not using https, then your visitors will start to see a “not secure” message. Moving your site to https should not break your budget with free SSL (AutoSSL) by cPanel.

What is PCI DSS (Payment Card Industry Data Security Standard)?
Payment Card Industry Data Security Standard applies to companies of any size that accept credit card payments online. If you accept credit cards as a form of payment for anything online, then you need to host your data securely with a PCI Compliant hosting provider. This is not the same as accepting PayPal payments on your website. This is strictly for credit card payment processing. Normally this is done through a payment gateway like authorize.net or others.

PCI DSS (Payment Card Industry Data Security Standard) changes for this year.
The primary change of interest happened on June 30th, 2018. This change made old and outdated forms of SSL/TLS no longer secure by the standard. What this means is that a higher level of encryption is now required if you are doing any form of credit card processing. This change has the potential to block out users on old, outdated operating systems. It also has the potential to disrupt your email workflow if you are not up to date on your email application. All forms of connections should be using a minimum of TLS 1.2. This means http(s), email, and ftp(s) have to be using TLS 1.2 to make a connection.

How this may directly affect you and your customers.
TLS 1.2 is a pretty old standard (2008), with TLS 1.3 on its way. However, some operating systems do not support TLS 1.2. This includes computers, tablets and phones. If you are currently not using an updated operating system, then you may not be able to send or receive email through your PCI compliant host. This is the most typical scenario I have seen. Most browsers have supported TLS 1.2 for a number of years. However, it has only been recently that iOS, for example, has supported TLS 1.2 in its own mail app.

What to do if you can’t get email or visit your site anymore.
Ensure you are running the most recent version of your operating system of choice. This means upgrading to Windows 10 or the latest Apple OS X. Simply updating Windows 7 to its latest release is not advised. You really need to run the latest operating system version. This also goes for any tablets or phones you may have. Once the latest version is installed you will likely not have any problems. As for browsers, Firefox, Edge and Chrome support the latest TLS standard. Email clients that support it include Mail.app (on the latest version of OS X 10.13), Thunderbird and Windows 10 Mail.

Chrome 68 will start showing “Not Secure” for sites using http:// this month.
This should come as no surprise to anyone that develops sites or owns their own site. For the past 2 years Google has been warning people that this day was coming (cue ominous music!). Google has even said your SEO ranking will suffer if you are not using https:// on your sites. If you are still one of the few that have not moved to https for your site, do not delay any longer. Web Hosting Podcast has discussed in many episodes how to use a free SSL certificate, called AutoSSL, if you are on cPanel. This is an SSL certificate process that is 100% free and will allow you to move to a more secure https. Gone are the days of having to purchase an SSL certificate every year; there really is no reason to not be using https for your site today. For more information on AutoSSL listen to these previous Web Hosting Podcast episodes.

Here, here and here

Beginner steps to launching a new website.

Today on episode 20 of Web Hosting Podcast. Beginner steps to launching a website. We will cover all the steps needed to go from concept to launch, for the beginner. It is now easier than it has ever been to get a brand new website online and serving content. Have you wanted to make the jump and have your own website? Follow along and learn how to get your own website online.

0. Brainstorm
Choosing the purpose of the website, whether you are going to sell something or just blog, is an important step. This will likely direct your choice of a domain name to use. After all, you want your domain name to reflect the soul and purpose of the web site you are going to launch. Outline and brainstorm what you are going to do with the site first. This includes things you may do later after launch. For example, if you are just going to blog now, but think you might like to sell some merchandise later on, take this into account and write it down. Don’t leave any detail out. This process will also help you decide what software to build your website with.

1. Domain name.

Your domain is your site address or URL. For example, webhostingpodcast.com is my domain. A domain should be easy to remember and not very long. After all, you don’t want your visitors to have to remember a long confusing URL. For example, webhostingpodcast.com is long but memorable and easy to remember. However, the-greatest-web-hosting-podcast-of-all-time.com would be very hard to remember and contains characters that are difficult. I normally recommend that you not use odd characters or misspellings in domains, unless you have to. They make the domain harder to remember.

Domains have to be registered and purchased. This is more like a lease than a purchase. You have to renew the domain every time it comes up for renewal. This could be every year if you chose to register the domain for 1 year. Ultimately it depends on the length you decide. Domains can vary in price depending on what you choose. Typically they are about $14 per year.

2. Hosting.
Hosting is where your site lives and is served from. A good web host is key here. Do not skimp on choosing a great and dependable web host. Often, you can purchase your domain and hosting at the same time. But be aware of the potential hidden costs of doing this. A lot of times a host will give you a free domain for signing up for web hosting. Looking at what it costs to renew that domain per year is important. You don’t want to be surprised when you get a domain renewal charge. There is nothing wrong with registering your domain with one company, and hosting your website on another. You just have to remember that you will have 2 different bills. You can also use an online website builder like Wix, Weebly, Squarespace or Blogger. If you don’t want to have your own personal domain (URL) then these might be a logical choice for you to put some content online. However, if you want the ability to fully customize and optimize your web site along with email, ftp, and other services, then web hosting will be needed.

Also, keep in mind that the actual website software you choose may affect your choice of host. If you are using WordPress, which most people do, then you will want to find a web host that is well equipped and educated about WordPress.

3. The website itself.
Most people starting out will want to use something simple. I highly recommend that you use WordPress to do this. It is by far the number one blogging platform, but it does so much more. If you want to sell trinkets online, there is a plugin for that (WooCommerce); if you want to do photo blogging, there is a plugin for that (NextGen Gallery). If you can think of it, then there is likely a plugin for it. If you want to change the look of the site but are not a coding expert, you can just add a new template (in WordPress these are called themes). There are hundreds and possibly thousands of free templates available to change the look of WordPress; just check the ratings before installing anything you find.

If you have chosen WordPress for your site, then you likely will want to choose a WordPress specific host. These are hosts that have trained staff to help you sort out issues. Their servers are optimized for WordPress sites. They often have a simple way or even an automatic way to install WordPress as well as keep it updated automatically. These are the things that often trip people up and make you want to pull your hair out or shut down your website. You likely take your car to a certified mechanic when it has issues. Do yourself a favor and take your WordPress site to a WordPress specific host. There are a lot of them out there to choose from that are reliable and knowledgeable.

For those that want a no fuss site and want to use the online site builders, here are a few that I have used in the past. Keep in mind that this will not give you the ability to have email on your domain. This means that @thedomain.com email addresses will not be available to you without doing more work and spending more money. You will still need to sort that out by using google or other means.

These are free or paid options that do not require a domain name to use them.

wordpress.com
Blogger.com
Squarespace.com
weebly.com
wix.com

 

Is VR, virtual reality, part of your website design strategy?

Today on Episode 19 of Web Hosting Podcast. Is VR, virtual reality, part of your website design strategy? You could be missing out if you are not. With the release of the Oculus Go last month, high end VR experiences have come to the masses. You can take advantage of this by including VR elements easily on your new or current website. Also a very interesting thing happened over the weekend.

An interesting thing happened recently. I was notified by haveibeenpwned.com that my email address was seen on a hacked site. Listeners may remember that this site was mentioned in Episode 13 as one of the useful tools segments. The site happened to be Ticketfly, which was recently hacked and had all of its information released. The interesting part about this is the fact that I was notified by haveibeenpwned.com before news of Ticketfly being hacked was released. If you are worried about your online data, and you should be, then I would recommend taking advantage of the free service provided by haveibeenpwned.com.

What is Virtual Reality (VR)?
Virtual reality, as defined by wikipedia is : “a computer-generated scenario that simulates experience through senses and perception.”
I don’t think all experiences have to be “computer generated”. Remember those stereographs from the 1800’s? To me those were a form of Virtual Reality. Also, Viewmaster made a toy that you could put round slides in that presented you with magical worlds. These were not computer generated, nor did they have anything to do with computers.

What is the difference between VR and 360?
360 video or pictures are elements wrapped in a sphere. Think of a big bubble that you sit in where the media is projected around you in a sphere; this is 360. Virtual Reality is stereoscopic depth, interactive elements as well as immersion. The terms VR and 360 are used interchangeably, but they are decidedly different. Here is a great article on the main differences from Vimeo: https://vimeo.com/blog/post/virtual-reality-vs-360-degree-video

Why is VR important for your website?
Remember when everyone thought Siri, Alexa and Google Home were just fads and would never take off, not to mention the iPod? Now it is reported that 55% of homes have a smart voice device. VR is in its infancy, but it should certainly not be ignored. With the release of the Oculus Go, tether free VR is available to the masses. Let's also not forget that Google Street View is widely used and constantly adding locations. Google is doing a great job of covering the entire world. If you have a business, you can put your location on Street View, which will allow your customers to view inside your business. This works on desktop, phones, and VR headsets. I currently use this to view new locations I want to visit. It might be a restaurant, board game store, or a pub.

Types of VR devices.
Google Cardboard – uses a cell phone and lenses. This is like a viewmaster type device.
PlaystationVR – Sony released the Playstation VR headset to be used with a Sony Playstation 4.
HTC Vive and Oculus Rift – These are gaming PC driven tethered headsets. These require powerful gaming PCs and are physically connected to the computer by long cables. These are the top end VR experience.
Oculus Go – This is a simple stand alone headset. It offers a great experience for users and is not tethered to any device. The purchase price is very low at $200.
Other/Windows Mixed Reality – There are a few other devices out there that require a PC that uses windows mixed reality and are tethered to the PC.

History for me of VR.
First use of a stereograph as a child. These date back to the 1800’s and used like photos to simulate a 3D (virtual) picture when viewed through a stereograph. Quite a thing to see if you have never used one before.
Then I purchased a viewmaster branded google cardboard device for my iPhone.
Stepped up to HTC Vive in 2016 – still currently in use.
Oculus Go, now used almost daily as a web browser to experience new things and new places.

How I use VR now.
Playing immersive video games on PC.
Browsing the web on oculus go. There are a lot of websites that support VR and have VR elements as well as 360 elements.
Viewing Street View and virtual tours on both VR headset (Oculus Go/HTC Vive) as well as iPhone and Computer.

What devices do I use?
HTC Vive
Oculus Go
Computer Monitor

Website design use cases.
Brick and mortar businesses
Product visualization
Location tours of your establishment

Other use cases for VR workflow.

Handicapped
visually impaired
agoraphobia

Software to help you develop for VR.
Great article on software for VR website developers. Link
Vizor.io – 360 Photo Editor.
Cupix.com – Create beautiful tours in VR from photos.

Sample 360 Photo I took.

Harden and secure wordpress, using managewp.com and GDPR.

Today on episode 18 of Web Hosting Podcast, I continue the discussion of the wordpress hack dissection. I have been asked, since the last episode, about ways to harden and secure a wordpress install and what I recommend to do about managing updates. Also in this episode, GDPR (General Data Protection Regulation), Are you ready for the coming changes on May 25th?

GDPR: new rules for the EU take effect May 25th, 2018 – Official Link
The most important pieces that change here
WordPress 4.9.6 was released with GDPR specifically in mind. Release Notes

Simple ways to keep your wordpress install safer.

  1. Keep your WordPress install updated. Plain and simple. Have an update schedule and stick to it. Some plugins cannot be updated until the WordPress core itself has been updated. If you are on an old version of WordPress, it is very likely your plugins are outdated as well and possibly contain exploits used to hack your site.
  2. Don’t use plugins that are outdated or no longer maintained. These could easily have old exploits that leave you open for a hack and they will never be updated. The plugin could also be purchased by a hacker group, which has happened, and they add code to exploit your install. If you see a plugin that has not had updates for many years then suddenly has 1 update recently, be wary.
  3. Use strong passwords and don’t use the default username “Admin”.
  4. Use a plugin to block failed login attempts.
  5. Move the wp-admin URL to something else.
  6. Ensure the PHP version you are using is still being maintained. If you are using the PHP 5.x series, you really should migrate to PHP 7.x.
  7. Use common sense. Don’t log in to your WordPress site, even over HTTPS, in a shared wifi environment. This would be coffee shops, bars, the mall, etc. Even over HTTPS, information can be intercepted.
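
What item 4 amounts to, as an added example that is not from the podcast or from any plugin: count failed logins per client inside a time window and flag the client once a threshold is crossed. The sketch runs that logic over constructed Apache combined-format log lines; the function names, the threshold and window, and the convention that a failed wp-login.php POST answers 200 while a successful one answers 302 are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time at which the ip first reached max_failures within window}.

    Assumption: a failed login re-renders the form (200), a successful one
    redirects (302). Lines are expected in chronological order per client.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if status == 302:
            recent[ip].clear()  # design choice: a successful login resets the count
            continue
        if status != 200:
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2018:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
192.0.2.44 - - [12/Jun/2018:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
203.0.113.7 - - [12/Jun/2018:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
198.51.100.20 - - [12/Jun/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
198.51.100.20 - - [12/Jun/2018:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
198.51.100.20 - - [12/Jun/2018:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "constructed-sample"
192.0.2.44 - - [12/Jun/2018:10:07:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
192.0.2.44 - - [12/Jun/2018:10:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
192.0.2.44 - - [12/Jun/2018:10:21:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
192.0.2.44 - - [12/Jun/2018:10:28:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "constructed-sample"
this line is not in combined log format
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

The slow client (192.0.2.44) is not flagged because its failures are spread wider than the window; whether that counts as acceptable depends on how long a window you are willing to track.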

 

If you are new to WordPress and managing updates, you can use an external management application that provides additional services. I personally use managewp.com for this task. It has many features (listed below) and is 100% free for unlimited domains. Best of all, well maybe not best, they gave Web Hosting Podcast a coupon code to use after you sign up. Use WHPOD after you enter in your billing details; this will apply $10 to your account so you can try the paid options for nothing.

Initial questions about managewp that I am often asked by listeners and pretty much anyone that will tolerate me talking about this product.

Q: why would i want to use it?

Q: how difficult is it to signup?

Q: do i need to be a techie to set it up?

Q: how much for basic services?

Q: how much is x feature?

Q: can i get help?

Q: Is it secure?

Current pricing for a site is free for unlimited domains. This free plan includes the following addons.

  • manage updates, plugins and themes
  • Monthly Cloud Backup
  • 1-click login
  • Performance Check
  • Security Check using sucuri
  • Collaboration
  • Analytics with google
  • Manage Comments
  • Code Snippets
  • Maintenance Mode
  • Client Report
  • Vulnerability Updates
  • Templates

The following addons are paid options per month per site. Total price for all Premium addons is $8/mo.

  • Premium Backups $2 +.13 per GB of traffic.
  • Clone (requires Premium Backups)
  • Safe Updates (requires Premium Backups)
  • Templates (requires Premium Backups if creating a template from a current site)
  • White Label $1
  • SEO Ranking $1
  • Uptime Monitor $1
  • Advanced Client Report $1
  • Automated Security Check $1
  • Automated Performance Check $1

Plugins I currently use the paid versions of:

Premium Backup – I schedule a nightly backup to their backup location and a weekly backup to Dropbox. I also use “safe updates”, which allows me to perform a backup before I run an update, then compare the screen images from before and after the update to determine if I need to roll back.

Security – This allows me to schedule a scan of my site daily. This not only scans my site for issues, it also checks for vulnerabilities in plugins and checks the web of trust to ensure my site is not listed on any “not safe” databases.

Uptime Monitor – This sends me an email and text message if my site goes offline. It also verifies that a specific keyword is found on my site. This helps let me know if my site has been defaced, since a defaced site would still be up and online.

SEO Ranking – I paid for this just to see how it works. This allows you to set up to 100 keywords and track them for your site with SEO.

Advanced Client Report – I also paid for this to see how it works. This allows me to get a weekly report for my site. It tells me what has been updated and includes SEO and Analytics reports as well as security audits. It pulls all the information from the plugins active in my account and sends me a nice little report every week.

Plugins I don’t pay for.
Advanced Performance – I already spend a lot of time using pagespeed tools to get the most performance I can. I am always tweaking things. It is just easier for me to trigger a Performance Check manually since I am always in my managewp dashboard.

My total monthly cost is $6: $2/mo. for Premium Backups, and $1/mo. each for Uptime Monitor, SEO, Client Reports and Security Check.

Dissection of a WordPress hack.

Today on episode 17 of Web Hosting Podcast, Megan and I dissect a website hack we have been working on. We discuss the how, the what and ways to prevent future hacks. We also discuss the defacement of webhostingpodcast.com and how I recovered the site so quickly. And remember those quick tips I used to run? They are coming back in a new way!

Podcast phone line 971 249 2359 is manned by me on Thursdays 9AM PST – 12PM PST. Feel free to call in and press (2) to reach me directly during those hours. If you want to just leave me a message anytime, press (1) and it will send you directly to a voicemail box.

Dissection of a WordPress hack we have been dealing with. The topics we cover are:

How we think it happened.
How we cleaned it up.
What could have prevented it.

Info on what we found from Sucuri regarding this specific website hack.

Below you will find the plugin I used to discover that the WordPress core files had been modified. This plugin has since been abandoned by Automattic (the makers of WordPress, WooCommerce and Jetpack, to name a few) but it can still be used. You need to download the hash file for the version of WordPress you are using. I would just like to point out that other external and filesystem-based scans did NOT find this hack. Only by careful examination of the output of the exploit scanner were we able to find the source of this hack. It is no longer enough to just scan with one tool and think the site is clean. I recommend that you scan with multiple sources if you think you have been hacked, or if a hack keeps coming back after being cleaned. I also, and I cannot stress this enough, recommend a daily backup of your website. There are many tools out there that will help you obtain a regular backup to an external location, such as Dropbox, S3, FTP, or Google Drive. There is no reason not to have this set up for your site.

This is the plugin link
And this is the location of the hash file on GitHub.

Opus Interactive on location interview

Today on episode 16 of Web Hosting Podcast, I venture out on location to talk to Shannon and Eric about their company Opus Interactive.  We also now have a phone number for the podcast for you to call into.

Opus Interactive is located in Hillsboro, Oregon at the Infomart Datacenter. This is the same world class facility that LinkedIn chose to house their infrastructure. Opus Interactive has additional locations in Portland, Silicon Valley and Dallas with more coming online. The Hillsboro facility is 345,000 square feet and has 24 MW (megawatts) of power. That is enough to power almost 4,000 homes according to some sources. I would highly recommend that you visit their website for more information on Opus Interactive and the services they provide.

We now have a Google Talk phone number that you can call into the show on. On Thursdays, from 9AM PST – 12PM PST, I will be taking calls. If you have a question, idea, or just need some guidance, feel free to call the number and press 2 when prompted. This will put you into a queue that will allow me to take your call on a first come, first served basis. If you would like to just leave a message, you can press 1 and I will get that voicemail emailed to me. Please make sure to let me know if I can put the recording into the podcast. If you are not comfortable with that idea, then no problem, just let me know. Since this number is a Google Talk number, I have no idea how well it will work. This is an experiment that I have wanted to try for quite a while, please keep that in mind.

Web Hosting Podcast Phone:
971 249 2359

How is your web host possibly failing you?

Megan Ferrell of websites503.com joins me to discuss,

How is your web host possibly failing you?

  • Security communication – security (awareness of vulnerabilities), transparency of security information. Notification of security changes in the industry that could affect you and your potential customers. This would include things like PCI, GDPR, and SSL/TLS changes, just to name a few.
  • General information – weekly or more frequent updates via newsletter with information that is valid and current. Not just a “hello we are alive, spend money please”. This can be done via social media or blog posts as well, as long as it is active!
  • Keeping old software versions alive – old, no longer supported versions of PHP, Apache, MySQL, etc. with no hope of moving off of them. Your host should provide current versions of software so that you can stay current.
  • No other service options – not providing services you may need to grow (marketing advice, development advice, update services, moving to SSL)
  • Proactive and not reactive – notifying you that your site plan may need to be increased before it becomes a problem for you. Notifying you that you are running outdated software before it becomes a big problem for you. Working with you to ensure you are taken care of before things become your problem to deal with.
  • Easy to contact – whether via email, online chat, Slack, phone call or smoke signals, it should not be difficult to get a correct answer. The support staff should be proven industry leaders; after all, you are paying the hosting company to provide professional and competent employees.
  • Documentation – good current documentation, knowledge base, videos

Security news!

Security updates for Drupal 7.x and 8.x that are critical!
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
Drupal Info Here

WordPress 4.9.5 addresses some security and bug fixes.

WordPress versions 4.9.4 and earlier are affected by three security issues.
WordPress Info Here