Author: engineertim

Harden and secure wordpress, using managewp.com and GDPR.


Today on episode 18 of Web Hosting Podcast, I continue the discussion of the wordpress hack dissection. Since the last episode I have been asked about ways to harden and secure a wordpress install and what I recommend for managing updates. Also in this episode, GDPR (General Data Protection Regulation): are you ready for the coming changes on May 25th?

GDPR: new rules for the EU take effect May 25th, 2018 – Official Link
The most important pieces that change here
WordPress 4.9.6 was released with GDPR specifically in mind. Release Notes

Simple ways to keep your wordpress install safer.

  1. Keep your wordpress install updated. Plain and simple. Have an update schedule and stick to it. Some plugins need the core of wordpress updated before they will be allowed to update. If you are on an old version of wordpress, it is very likely your plugins are outdated as well and possibly contain exploits used to hack your site.
  2. Don’t use plugins that are outdated or no longer maintained. These could easily have old exploits that leave you open to a hack, and they will never be updated. The plugin could also be purchased by a hacker group, which has happened, and they add code to exploit your install. If you see a plugin that has not had updates for many years and then suddenly has one recent update, be wary.
  3. Use strong passwords and don’t use the default username “Admin”.
  4. Use a plugin to block failed login attempts.
  5. Move the wp-admin URL to something else.
  6. Ensure the PHP version you are using is still being maintained. If you are using the PHP 5.x series, you really should migrate to PHP 7.x.
  7. Use common sense. Don’t log in to your wordpress site, even over HTTPS, in a shared wifi environment. This would be coffee shops, bars, the mall, etc. Even over HTTPS, information can be intercepted.


If you are new to wordpress and managing updates, you can use an external management application that provides additional services. I personally use managewp.com for this task. It has many features (listed below) and is 100% free for unlimited domains. Best of all, well maybe not best, they gave Web Hosting Podcast a coupon code to use after you sign up. Use WHPOD after you enter your billing details; this will apply $10 to your account so you can try the paid options for nothing.

Initial questions about managewp that I am often asked by listeners and pretty much anyone that will tolerate me talking about this product.

Q: Why would I want to use it?

Q: How difficult is it to sign up?

Q: Do I need to be a techie to set it up?

Q: How much for basic services?

Q: How much is X feature?

Q: Can I get help?

Q: Is it secure?

Current pricing for a site is free for unlimited domains. This free plan includes the following addons.

  • manage updates, plugins and themes
  • Monthly Cloud Backup
  • 1-click login
  • Performance Check
  • Security Check using sucuri
  • Collaboration
  • Analytics with google
  • Manage Comments
  • Code Snippets
  • Maintenance Mode
  • Client Report
  • Vulnerability Updates
  • Templates

The following addons are paid options per month per site. Total price for all Premium addons is $8/mo.

  • Premium Backups $2 + $0.13 per GB of traffic.
  • Clone (requires Premium Backups)
  • Safe Updates (requires Premium Backups)
  • Templates (requires Premium Backups if creating a template from a current site)
  • White Label $1
  • SEO Ranking $1
  • Uptime Monitor $1
  • Advanced Client Report $1
  • Automated Security Check $1
  • Automated Performance Check $1

Plugins I currently use the paid versions of:

Premium Backup – I schedule a nightly backup to their backup location and a weekly backup to DropBox. I also use “safe updates”, which allows me to perform a backup before I run an update, then compare screenshots from before and after the update to determine if I need to roll back.

Security – This allows me to schedule a scan of my site daily. This not only scans my site for issues, it also checks for vulnerabilities in plugins and checks the web of trust to ensure my site is not listed on any “not safe” databases.

Uptime Monitor – This sends me an email and text message if my site goes offline, but not only that, it also verifies that a specific keyword is found on my site. This helps let me know if my site has been defaced, which would still mean it is up and online.

SEO Ranking – I paid for this just to see how it works. This allows you to set up to 100 keywords and track them for your site with SEO.

Advanced Client Report – I also paid for this to see how it works. This allows me to get a weekly report for my site. It tells me what has been updated, SEO and Analytics reports, as well as security audits. It pulls all the information from the plugins active in my account and sends me a nice little report every week.

Plugins I don’t pay for.
Advanced Performance – I already spend a lot of time using pagespeed tools to get the most performance I can. I am always tweaking things. It is just easier for me to trigger a Performance Check manually since I am always in my managewp dashboard.

My total monthly cost is $6: $2/mo. for Premium Backups, plus $1/mo. each for Uptime Monitor, SEO, Client Reports and Security Check.

Dissection of a WordPress hack.


Today on episode 17 of Web Hosting Podcast, Megan and I dissect a website hack we have been working on. We discuss the how, the what and ways to prevent future hacks. We also discuss the defacement of webhostingpodcast.com and how I recovered the site so quickly. And remember those quick tips I used to run? They are coming back in a new way!

Podcast phone line 971 249 2359 is manned by me on Thursdays 9AM PST – 12PM PST. Feel free to call in and press (2) to reach me directly during those hours. If you want to just leave me a message anytime, press (1) and it will send you directly to a voicemail box.

Dissection of a WordPress hack we have been dealing with; the topics we cover are:

How we think it happened.
How we cleaned it up.
What could have prevented it.

Info on what we found from sucuri, regarding this specific website hack.

You will find the plugin I used to find that the wordpress core files had been modified. This plugin has since been abandoned by Automattic (the makers of wordpress, woocommerce and jetpack, to name a few) but it can still be used. You need to download the hash file for the version of wordpress you are using. I would just like to point out that other external and filesystem based scans did NOT find this hack. Only by careful examination of the output of the exploit scanner were we able to find the source of this hack. It is no longer enough to just scan with one tool and think the site is clean. I recommend that you scan with multiple sources if you think you have been hacked, or if a hack keeps coming back after being cleaned. I also, and I cannot stress this enough, recommend a daily backup of your website. There are many tools out there that will help you obtain a regular backup to an external location, such as dropbox, s3, ftp, or google drive. There is no reason not to have this set up for your site.

This is the plugin link 
And this is the location of the hash file on github.
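The exploit scanner works by comparing every core file against a list of known-good hashes. The following is an added example of that idea, not the plugin or its hash file: it hashes a tree, compares it to a manifest, and reports modified files, files the manifest does not know about (where injected PHP usually turns up) and missing files. The manifest format (relative path to SHA-256) and the miniature “install” are constructed for the example; the real plugin uses its own hash file format.

```python
"""Compare a WordPress tree against a known-good hash manifest.

Added example, not the abandoned exploit-scanner plugin or its hash file. It
hashes every file under the install and reports files whose hash differs from
the manifest, files the manifest does not list, and files that are missing.
The manifest format (relative path -> SHA-256) and the tiny sample tree are
constructed here.
"""
import hashlib
import os
import tempfile

IGNORE_PREFIXES = ("wp-content/uploads/",)   # user content, not part of core


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def compare(manifest, actual, ignore_prefixes=IGNORE_PREFIXES):
    """Return {'modified': [...], 'unknown': [...], 'missing': [...]} (sorted)."""
    modified = sorted(p for p, h in manifest.items() if p in actual and actual[p] != h)
    missing = sorted(p for p in manifest if p not in actual)
    unknown = sorted(p for p in actual
                     if p not in manifest and not p.startswith(ignore_prefixes))
    return {"modified": modified, "unknown": unknown, "missing": missing}


def build_demo(root):
    """Write a constructed clean 'install', record its manifest, then tamper
    with it in the three ways a scan needs to catch."""
    clean = {
        "wp-load.php": b"<?php\nrequire __DIR__ . '/wp-config.php';\n",
        "wp-includes/functions.php": b"<?php\nfunction wp_demo() { return 1; }\n",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0demo",
    }
    for rel, data in clean.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # The manifest covers core files only, like the plugin's hash file.
    manifest = {p: h for p, h in hash_tree(root).items()
                if not p.startswith(IGNORE_PREFIXES)}
    # Tamper: append to a core file, add an unlisted file, delete a core file.
    with open(os.path.join(root, "wp-load.php"), "ab") as f:
        f.write(b"/* constructed: extra line appended */\n")
    with open(os.path.join(root, "wp-includes", "class-demo.php"), "wb") as f:
        f.write(b"<?php /* constructed: file not in manifest */\n")
    os.remove(os.path.join(root, "wp-includes", "functions.php"))
    return manifest


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        manifest = build_demo(root)
        return compare(manifest, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Against a real install you would load the manifest from the downloaded hash file for your exact wordpress version and point hash_tree at the document root; an untouched install reports three empty lists. As the episode notes, a clean result from one tool is not proof of a clean site.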

Opus Interactive on location interview


Today on episode 16 of Web Hosting Podcast, I venture out on location to talk to Shannon and Eric about their company Opus Interactive. We also now have a phone number for the podcast for you to call into.

Opus Interactive is located in Hillsboro, Oregon at the Infomart Datacenter, the same world class facility that LinkedIn chose to house their infrastructure. Opus Interactive has additional locations in Portland, Silicon Valley and Dallas with more coming online. The Hillsboro facility is 345,000 square feet and has 24 MW (megawatts) of power. That is enough to power almost 4,000 homes according to some sources. I would highly recommend that you visit their website for more information on Opus Interactive and the services they provide.

We now have a google talk phone number that you can call into the show on. On Thursdays, from 9am PST – 12PM PST, I will be taking calls. If you have a question, idea, or just need some guidance, feel free to call the number and press 2 when prompted. This will put you into a queue that will allow me to take your call on a first come, first served basis. If you would like to just leave a message, you can press 1 and I will get that voicemail emailed to me. Please make sure to let me know if I can put the recording into the podcast. If you are not comfortable with that idea, then no problem, just let me know. Since this number is a google talk number, I have no idea how well it will work. This is an experiment that I have wanted to try for quite a while, please keep that in mind.

Web Hosting Podcast Phone:
971 249 2359

How is your web host possibly failing you?


Megan Ferrell of websites503.com joins me to discuss,

How is your web host possibly failing you?

  • Security communication – security (awareness of vulnerabilities), transparency of security information. Notification of security changes in the industry that could affect you and your potential customers. This would include things like PCI, GDPR, SSL/TLS changes, just to name a few.
  • General information – weekly or more frequent updates via newsletter with information that is valid and current. Not just a “hello we are alive, spend money please”. Can be done via social media or blog posts as well. As long as it is active!
  • Keeping old software versions alive – old, no longer supported versions of php, apache, mysql, etc. with no hope of moving off of them. Your host should provide current versions of software to ensure you are running current.
  • No other service options – not providing services you may need to grow (marketing advice, development advice, update services, moving to SSL).
  • Proactive and not reactive – notifying you that your site plan may need to be increased before it becomes a problem for you. Notifying you that you are running outdated software before it becomes a big problem for you. Working with you to ensure you are taken care of before things become your problem to deal with.
  • Easy to contact – whether via email, online chat, slack, phone call or smoke signals, it should not be difficult to get a correct answer. The support staff should be proven industry leaders; after all, you are paying the hosting company to provide professional and competent employees.
  • Documentation – good, current documentation, knowledge base, videos.

Security news!

Critical security updates for Drupal 7.x and 8.x!
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
Drupal Info Here

WordPress 4.9.5 addresses some security and bug fixes.

WordPress versions 4.9.4 and earlier are affected by three security issues.
WordPress Info Here

Robert Indries of dgstudio.com is our special guest to talk marketing, development and hosting.


In this episode I talk with Robert Indries of dgstudio.com about marketing, development and web hosting.

dgstudio.com is a full service creative agency for your business brand and website.

Robert gives some great advice about getting your marketing brand out there. He provides several tips for things you can do for free, as well as what not to do.

If you would like to be our next special guest on web hosting podcast, fill out the contact form here and we will make it happen. Please be sure to include a topic you would like to discuss.

Migrating your site to SSL : HTTPS with installatron. Useful website tools to use for your site.


Useful website tools to use for your website.

https://www.ssllabs.com/
This is a useful site to check your site for proper SSL settings. You will get a grade once the report is done. An “A” is best; a “B” would be acceptable, but you should really try to get the “A” grade. I would also recommend that when you do your test you tick the check box that says “Do not show the results on the boards”, unless you have a perfect score you want to show off.

https://haveibeenpwned.com/
This site is useful to check if the email you use for logins has shown up in known breach lists. It is also very useful to check whether passwords you use for logins have been exposed.
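The password check on haveibeenpwned.com is safe to use because it never receives your password: the site hashes it with SHA-1 and sends only the first five hex characters of the hash to the Pwned Passwords “range” API, then compares the returned suffixes locally. The following is an added example of that matching logic, not code from the podcast or from haveibeenpwned.com; the range response is constructed so it runs offline (a real response holds several hundred suffixes), and only the prefix/suffix scheme and the API URL are real.

```python
"""Check a password against a Pwned Passwords range response without the
password leaving the machine (the k-anonymity model haveibeenpwned.com uses).

Added example, not code from the podcast or from haveibeenpwned.com. Protocol:
SHA-1 the password, send only the first 5 hex digits of the hash to
https://api.pwnedpasswords.com/range/<prefix>, and match the returned
"SUFFIX:COUNT" lines locally. The range body used below is constructed.
"""
import hashlib

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_upper):
    """Return (5-char prefix that goes to the API, 35-char suffix kept locally)."""
    return sha1_upper[:5], sha1_upper[5:]


def range_request_url(password):
    """The only thing that would leave the machine: the URL for the hash prefix."""
    prefix, _ = split_hash(sha1_hex(password))
    return PWNED_RANGE_URL + prefix


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate blank lines."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def times_seen(password, range_body):
    """Breach count for the password according to the range response for its
    own prefix; 0 means it was not found."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)


def constructed_range_for(password, count):
    """Build a fake range body that lists the given password `count` times
    alongside two obviously made-up suffixes, for an offline demo."""
    _, suffix = split_hash(sha1_hex(password))
    return f"{'1' * 35}:3\n{suffix}:{count}\n{'2' * 35}:2\n"


if __name__ == "__main__":
    pw = "password"   # constructed demo value
    body = constructed_range_for(pw, 3730471)
    print("would request:", range_request_url(pw))
    print("seen in breaches:", times_seen(pw, body), "times")
```

To use it for real, fetch range_request_url(pw) with any HTTP client and pass the response text to times_seen; a non-zero count means the password should be retired everywhere it is used, not just on the wordpress site.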

https://www.whatismyip.com/ – list your current IP address

http://www.whatsmyip.org/ – Not to be confused with the .com version of the site. Many useful tools, from gzip testing to password generation. Not as useful as it once was since it does not seem to handle https based websites. But the DNS tools and password generator are quite useful.

https://checkgzipcompression.com – another tool for checking to ensure your site is using gzip compression. This one works with https based sites.

Speed test – google and http://www.speedtest.net/

https://slack.com – Team focused chat with many useful options.

Moving a site to SSL with the installatron one click installer. This assumes you are using cPanel with AutoSSL enabled.

1. Test your site to ensure you have an SSL certificate installed. This can be done by going to https://yourdomain. If your site loads with no errors you can proceed. Common issues you may run into are a site that is not fully secure and an SSL certificate mismatch. You may need to resolve these errors before you proceed.

2. Inside of your cPanel account, create a new subdomain using the subdomain tool. You will need to wait for the server to generate and install the free SSL certificate for this subdomain. You can test this just like step 1 above.

3. From inside of installatron, clone the live site to the new subdomain, but make sure to select the https version of the subdomain. This should only take a few minutes depending on the site size. This will create a complete copy of your site and move it to the subdomain you created. You can now test the site and fix any issues you may have by going to the subdomain https site. For example, https://subdomain.yourdomain

4. Once things look good on the subdomain, you can go into installatron and clone the site back to the live site, but use the https version in the drop down.

5. Once the live site is cloned back to https, test again. Things should have been resolved when you used the subdomain, but there may be some lingering links or code that may need to be changed.

At this point your site should be using a valid SSL certificate. If you are uncomfortable doing these steps you may want to contact your developer or your hosting company to see if they can help you out. I would also recommend that you have a full backup of your site before proceeding with anything that is going to change your site. This would include installing plugins, updating core site files, etc… A backup is a simple way to ensure you have a way to get back to a known working state.
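The “not fully secure” warning in step 1 and the lingering links in step 5 almost always come from pages that still load a script, stylesheet, image or iframe over plain http://. The following is an added example, not code from the podcast or from Installatron, that scans a page for such references and separates your own-domain URLs (which you can rewrite to https once the certificate is in place) from third-party ones (where you first need to check that the other host serves https). The HTML and the host names are constructed; example.com and example.net are reserved documentation domains.

```python
"""Find mixed-content references left behind after moving a site to HTTPS.

Added example, not code from the podcast or from Installatron. Active content
(scripts, stylesheets, iframes) loaded over http:// on an https page is
blocked by browsers; passive content (images, media) is shown but the page is
reported as "not fully secure". Plain <a href="http://..."> links are not
mixed content but are the "lingering links" worth cleaning up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


def _is_plain_http(value):
    return (value or "").strip().lower().startswith("http://")


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.active, self.passive, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in ACTIVE:
            if tag == t and _is_plain_http(attrs.get(a)):
                # <link> only fetches a resource for rel values such as stylesheet;
                # canonical/alternate links are metadata (simplification).
                if t == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                self.active.append(attrs[a])
        for t, a in PASSIVE:
            if tag == t and _is_plain_http(attrs.get(a)):
                self.passive.append(attrs[a])
        if tag == "a" and _is_plain_http(attrs.get("href")):
            self.links.append(attrs["href"])


def scan(html):
    """Return {'active': [...], 'passive': [...], 'links': [...]} in document order."""
    p = MixedContentScanner()
    p.feed(html)
    p.close()
    return {"active": p.active, "passive": p.passive, "links": p.links}


def classify(urls, own_hosts):
    """Split URLs into (own-domain, third-party) lists."""
    own, third = [], []
    for u in urls:
        (own if urlsplit(u).hostname in own_hosts else third).append(u)
    return own, third


# Constructed page as it might look right after the clone, before cleanup.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/2018/05/logo.png">
<img src="//www.example.com/wp-content/uploads/2018/05/hero.jpg">
<a href="http://www.example.com/about/">About</a>
<iframe src="https://www.example.com/embed/"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    own, third = classify(result["active"] + result["passive"],
                          {"example.com", "www.example.com"})
    print("blocked (active):", result["active"])
    print("warned (passive):", result["passive"])
    print("rewrite to https:", own)
    print("check third party:", third)
```

On the sample, the stylesheet and the third-party script are the ones that would break the page, the logo only costs the padlock, and the protocol-relative hero image and the https iframe are already fine.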

Please understand that you use these instructions at your own risk. I do not accept responsibility for anything you do to your website.

Commonly used web hosting terminology.


I discuss some of the more basic web hosting terminology used.  This is the link I used for the glossary of terms.

This episode may be a little basic for some listeners, but I want to make sure that everyone knows the terminology and language that we use. My hope is to bring up to speed some listeners that may be confused by the terminology used in hosting. Again, this episode may not be for everyone.

Additional information you should know:
Google will be marking all sites that DO NOT use https (i.e. plain http) as not secure starting in July 2018. This will happen with Chrome 68. If you are not using https on your website, you have a limited time to get this going. What this means is that users of your site will start to see a “not secure” icon in the address bar. This has the potential to scare away your users/customers. If you are currently not using https, your SEO is most certainly being affected; this is another reason you really should be using HTTPS.

Gutenberg is coming to WordPress 5.0; are you ready? For those of you that may not know, Gutenberg is the new editor that is coming out in wordpress 5.0. There is a current test release you can install through a plugin. I would not recommend doing this on a live site; it is still quite beta and breaks a lot of things. It is coming though, so if you have a test site I would recommend installing it there and taking it for a spin. More info on WordPress and Gutenberg can be found here.

This podcast now has a facebook page.

Marketing Automation with Mautic


What is Mautic?

Mautic is a marketing automation platform. There is a paid version at mautic.com and an open source, self hosted community version at mautic.org.
First, let's talk about marketing automation. If you are familiar with applications like hootsuite, hubspot and mailchimp, then you have likely already seen or used a marketing automation tool. The idea or concept is simple: marketing automation is the act of using software to automate marketing actions. This alleviates the repetitive tasks that are executed during a marketing campaign. These could include email, social media, and other actions related to marketing your online presence.
Mautic is either a paid solution or a self hosted open source solution. I am going to specifically discuss the mautic.org, or self hosted, version.

Requirements:

PHP 5.6.19 (PHP 7.0 supported)
MySQL 5.5.3 with InnoDB
Web server: Apache 2.x, nginx 1.x, IIS

Pro:

Free with a paid option, active development and updates. Active community. Addons for just about anything you can think of. Works both in desktop browser and mobile friendly.

Cons:

Not the easiest to install. Must set up cron jobs correctly. Documentation is a little lacking in clarity. Easy to get overly excited about all the options: sidetrack syndrome.

Mautic includes 31 integration plugins installed by default (list below). This can be expanded by installing additional plugins from the Mautic marketplace located here. There are also many ways to integrate common CMS applications like wordpress, magento or woocommerce into Mautic by using CMS plugins.

Mautic plugins available after install.

  • Amazon S3
  • Clearbit
  • ConnectWise
  • Constant Contact
  • Dynamics CRM
  • Facebook
  • FourSquare
  • FullContact
  • Gmail
  • Google+
  • GoTo Suite
  • HubSpot
  • iContact
  • Instagram
  • LinkedIn
  • MailChimp
  • Mautic Focus
  • OneSignal
  • OpenStack
  • Outlook
  • Pipedrive
  • Rackspace
  • Salesforce
  • SugarCRM
  • Twilio
  • Twitter
  • vTiger
  • Zoho

I personally have been using the twitter plugin and a plugin for wordpress. The wordpress plugin allows my contact form data to be inserted into Mautic. I use Contact Form 7 and the associated Mautic plugin to do this. The twitter integration allows me to gather the twitter data that is permitted by the twitter API and capture it inside of Mautic.
The email portion of Mautic allows you to do targeted email marketing using contacts you collect. The collection process can be any way you choose. A simple example would be a contact form on your site, or maybe an e-commerce platform that allows you to collect your customers' contacts for future campaign targeting. How you choose to get the contacts is up to you and your platform of choice.

Workflow concepts in mautic:

This is a big subject that I am still learning about. One of the interesting features of Mautic is the ability to create a workflow of actions based on rules and triggers you set up. For example, I collect information from twitter. I can then decide to collect those twitter users inside of Mautic. The rules I have set up collect information from hashtags. I use two distinct hashtags to collect my target: #wordpress and #webhosting are my chosen tags to capture, and once a contact is pulled in, I can then define an action. These actions can be used to trigger other actions. For example, when I capture a contact through twitter their base points are 1; if they use the hashtag #wordpress they are given 2 more points, another 2 points for using #webhosting, and another 2 points if they mention me on twitter. If a contact reaches 8 points, I can choose to execute another action: if I have their email address I can send them a personalized email. Since I am collecting leads through twitter, I have their twitter name, so I can now send the contact a personalized tweet when they reach 8 points.

Forms and PopUp on your site:

With Mautic, you can create static assets (images, PDFs), forms, dynamic content, and landing pages. This allows you to collect contact information by offering them a PDF, for example. You can have pop overs to promote something through the website. These are done by first creating your component, then adding a small bit of code to your site. Another way of doing this is through plugins; wordpress has a supported Mautic plugin that is free to use.

Other ideas:

e-commerce (woocommerce): target users from your store that order more than X times, where you define what X is. Example: if you have a customer that orders 3 times, then you could send them a custom coupon code for being a loyal customer. If they order 5 times, maybe send them a free gift. You can also organize your customers by location. Maybe you want users that order 5 times and are located in the United States to get a free gift, while ignoring customers outside the defined area.

Capture lead information in exchange for a free PDF download. This is often used by marketers that want to make something available but not charge for it. Capturing the lead becomes the actual cost, and your contact database can be one of the most valuable assets for any business.

Since Mautic also uses the MaxMind GeoLite2 database, you can track IP addresses that come to your site. This gives a very fine-grained way to track customers' point of entry. This same information can be obtained through normal web analytics software as well, so no concern on privacy there. There are many, many different ways you could use Mautic through your current site.

Conclusion: Mautic is an excellent platform if you put the time in to set up, learn and use it. The learning curve can be a little steep for a new user, but the time you spend with it will pay off if you stick with it. Being a free application, the price is right. If you are looking for a way to do marketing automation, you really can’t go wrong with Mautic. My only regret is that I do not have a way to try the premium paid version of the software at this time.

Final note.

I attempted to record a part about creating the cron entries for Mautic. It was a train wreck and after hearing it, I decided to remove it from the episode. I fully plan on creating a youtube video that will cover cron entries. It was just too confusing to explain things with only audio.

SEO Search Engine Optimization with Megan Ferrell


SEO, Search Engine Optimization

Listen as I get schooled by Megan Ferrell of websites503.com about SEO, Search Engine Optimization. Megan gives the listener some great tips and advice on how to improve your SEO ranking. Listeners of the podcast may remember Megan from episode 4, where we discussed 10 website security tips.

Some of the questions and topics we cover on this episode are:

What is SEO?
Process to start doing SEO on your website?
Getting ranked by google and other search engines?
Some of the tools that are needed to achieve this?

  • google webmaster tools
  • google analytics
  • sitemap file
  • same tools for other search engines like Bing.

Are other search engines important? Bing, DuckDuckGo, etc..?
Is a social media presence important to SEO?
Does site speed play into SEO?
3 things that anyone could do right now to increase their SEO presence?

Some useful links.

Official Google webmasters blog
Google webmaster youtube
Google Analytics
Google Webmaster Search Console

Disaster plan or success planning your website.


Do you have a web site disaster plan in order?
I am betting you likely don’t.

Why is a disaster plan important?

The unknown is ever present in the world of technology. With the rise of malware and CPU defects, the chances of your site going down by unseen forces are getting higher every day. You literally could wake up one morning and your site is no longer online, or worse, it is being held for ransom. Add into the mix the number of web hosting companies that go out of business or are sold to another company. If you don’t have a worst-case disaster plan in place, it is my opinion you are not doing yourself any favors. It is very easy to put together and can be accomplished by anyone. This would be like having an emergency go bag if you live in an earthquake zone.

What are some key things you need to have on your disaster plan?

Login details for your Domain and where it is registered (username, password, phone number and support email address).
It may or may not be registered with the same company that hosts your website. I would make a document that includes your login details, contact phone number and support email address. Put this, along with the others we will be covering, into an envelope and seal it, then put that in a safe place.

Login details for your hosting account (username, password, phone number and support email address).
This is the location where your website is actually being served from. Put this information in the same envelope as the rest of the ones we are covering. It is also important to have a phone number and support email address along with your login details.

A current backup or archive.
We have discussed this several times on this podcast. You should have a current backup or archive you can work with of at least your website, and possibly of your whole hosting account. If you have been backing up externally or manually copying to a local disk drive, put this information and location of the backup in the envelope with the other information.

Now that you have your login details sorted out, you need to have some basic DNS information. I personally like to have a complete zone listing of all of my DNS entries. These are things like:

  • What are my nameservers and where are they pointing? Nameservers are vital to knowing where your zone record is being kept. If your nameservers vanish, your domain vanishes from the internet.
  • Where do www and yourdomain.com point to?
  • What are my MX records?
  • Do I have a custom record that is used for connecting to my mail server? For example, do you use mail.yourdomain.com and if so, where is it pointing to?
  • Are there any other records I need for my site to be online? Custom records for a CDN, custom TXT records that have been added, SPF records? There are many types of records that can be added to DNS. Some of them are for email, some are for proving you own a domain (google validation comes to mind). All records should be tracked and kept with your disaster plan records. You never know when you may need to recreate a zone entry.
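Most registrars and cPanel can export the zone as a BIND-style text file, and that export is the complete listing worth keeping in the envelope. The following is an added example, not code from the podcast, that reads such an export and pulls out exactly the items in the list above: nameservers, where the apex and www point, MX records, the mail host record, SPF and other TXT records, and anything else (CDN and similar). The zone text is constructed for the reserved documentation domain example.com; the parser handles $ORIGIN, comments, blank owner names and multi-line SOA records, which is enough for a typical export.

```python
"""Turn a BIND-style DNS zone export into the disaster-plan inventory.

Added example, not code from the podcast. The zone below is constructed for
example.com (a reserved documentation domain) with documentation IP addresses.
"""
import re

ZONE = """\
$ORIGIN example.com.
$TTL 14400
@       IN SOA  ns1.example-host.net. hostmaster.example.com. (
                2018051001 ; serial
                3600 1800 1209600 86400 )
@       IN NS   ns1.example-host.net.
@       IN NS   ns2.example-host.net.
@       IN A    192.0.2.10
www     IN CNAME example.com.
mail    IN A    192.0.2.25
@       IN MX   10 mail.example.com.
@       IN TXT  "v=spf1 a mx ip4:192.0.2.25 -all"
@       IN TXT  "google-site-verification=CONSTRUCTED-TOKEN"
cdn     IN CNAME example-cdn.example.net.
"""


def _strip_comment(line):
    """Remove a ';' comment unless the ';' sits inside a quoted string."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def _fqdn(owner, origin):
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner_fqdn, type, rdata)]) from a zone file."""
    origin, records, last_owner = ".", [], None
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:            # record continues on the next line
            continue
        joined, buf = " ".join(buf), []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if joined[:1].isspace() else tokens.pop(0)
        last_owner = owner
        if tokens and tokens[0].isdigit():          # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype == "TXT":      # keep the quoted text exactly, quotes removed
            rdata = "".join(re.findall(r'"([^"]*)"', joined))
        records.append((_fqdn(owner, origin), rtype, rdata))
    return origin, records


def inventory(origin, records):
    """Pick out the items the disaster plan should have on file."""
    apex, www, mail = origin, "www." + origin, "mail." + origin

    def find(owner, *types):
        return [rd for (o, t, rd) in records if o == owner and t in types]

    txt = find(apex, "TXT")
    return {
        "nameservers": find(apex, "NS"),
        "apex_points_to": find(apex, "A", "AAAA", "CNAME"),
        "www_points_to": find(www, "A", "AAAA", "CNAME"),
        "mx": find(apex, "MX"),
        "mail_host": find(mail, "A", "AAAA", "CNAME"),
        "spf": [rd for rd in txt if rd.startswith("v=spf1")],
        "other_txt": [rd for rd in txt if not rd.startswith("v=spf1")],
        "other_records": [(o, t, rd) for (o, t, rd) in records
                          if t not in ("SOA", "NS", "MX", "TXT") and o not in (apex, www, mail)],
    }


if __name__ == "__main__":
    for key, value in inventory(*parse_zone(ZONE)).items():
        print(f"{key}: {value}")
```

Run it against your own export and print the result to a page for the envelope; re-run it whenever you change DNS so the copy on file never drifts from what is live.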


Success plan not unlike the disaster plan.

What happens if your site starts getting a large amount of traffic? Good for you, bad for your hosting company if you're on shared hosting. I have seen this type of thing happen time and time again. An article you may have written, or a product you are offering, gets picked up by national news, or a celebrity likes your product. This is great news for you, but this can often result in your site going down or even being taken offline by your hosting company. How you deal with a “success” hit often involves the same things as a disaster plan. You may find yourself needing to move to a new host rather rapidly. Have that contact information and those login details at the ready in your disaster plan packet. Let's just call this the “What if” packet.

If you are just experiencing some temporary increased traffic, meaning you don’t think it will last for very long as the hype dies down, there are a few steps you can take to help with the traffic increase, which will likely help with server load.

  1. Use a caching service like cloudflare. We have discussed this in the past. Basic cloudflare services are free and it only takes a minute to set up. This will act as a buffer between your host and the people trying to access your site.
  2. Make sure you use expires headers so files are cached. Another topic we discussed in the first episode.
  3. Make sure you are compressing the site files with mod_deflate. See episode 1 for more details, or listen to the end of this episode for the quick tip.
  4. Enable a caching plugin in your framework. Something like wp super cache or w3 total cache for wordpress will save you a lot of headaches with a sudden spike in site traffic. This will also lower server load by reducing the mysql queries required to load your site, making some of the site pages almost static in nature. This will in turn keep your host happy. This is not the same as the cloudflare caching service.
  5. Serve a static site during the increase in traffic. This one is a little more tricky, but it is definitely possible. By removing the need to have mysql and php render pages, your site will load faster and have almost zero load on the server. This requires planning ahead, however, and having static pages ready to go.
  6. Work with your hosting provider to see if you can keep your site online. If they are less than helpful, then reach out to the world and get a recommendation for a new host. A good host will want you to grow and be a part of your growth process. If they just suspend your account because you are suddenly successful, then they are impeding your growth and should be removed from the equation. If the host offers some suggestions to you, no matter if they sound complicated, and wants to work with you in providing even a temporary solution to the situation, then you should listen and see if they can help.

Things to NOT do. Do not allow your host to move you to a tiny VPS of your own. This is the number one thing I see, and it will kill your site but save your host's butt. If your site is already creating a problem on a very large shared server with possibly many CPU cores and many gigs of RAM, what good is moving you to a 1 core, 1 GB of RAM VPS going to do? They just want you off their shared server as fast as they can; they are not offering a solution but passing the buck to you and making a few bucks in the process. Your site will never stay online in a small VPS unless you have someone you can call on to make massive tweaks to the VPS itself and install and configure specific software, which often requires a system administrator/engineer.

Do NOT try and block the inbound traffic that is being generated, this includes changing the URL, blocking IPs in .htaccess or server firewall. You want that traffic to come in, if there are elements on that page that require external resources, like a facebook or twitter feed, remove that code during the spike in traffic. These can potentially slow down your page speed.

The biggest takeaway I want to share with everyone is to be proactive and not reactive. Whether it is a disaster plan or a success plan, the “what if” scenario should be on the minds of everyone. And if you are not ready for it, it can be devastating to your site, your finances and even your emotional state. Like any other disaster preparedness scenario, regaining control of the situation as fast as possible will allow you to continue on with your life. It will remove stress and worry. If you get an email from your hosting provider saying, “your site has been shut down because…”, you will know how to proceed because of your planning. Take some time out of your busy week and determine the best way to handle your “what if” scenario; it will make your life a lot better. If you have already put together a “what if” packet, then please share your experience and any tips you may have with me. I would love to hear about them.

Quick tip today is gzip compression in cPanel, you can also see a video I did on this here.