“Failure to comply with Section 508 of the Department of Justice’s ADA (American with Disabilities Act) Standards for Accessible Design could expose your company to hefty fines, the risk of expensive criminal and civil litigation as well as a reputation for being unfriendly to the disabled.” https://userway.org/
I’m going to make a rant here. Forgive me (or just don’t read if you’re not up for a Sam Rant™).
Cheap website builders really upset me. For a number of reasons.
We’re working on a couple of large church website revisions for clients this week. These are content-heavy sites with numerous pages that are all info-dense with text, video, audio, podcasts, galleries, and just about every measure of content you can imagine. They are both complicated builds with lots of moving parts. So, we are constantly doing checks and QA (quality assurance) tests to make sure everything is working. Building websites of this scale might be sold as an easy thing to do on Super Bowl ads, but they are definitely not easy or “quick” things to do if you want to do them right.
One of the pitches I make to clients like this when they want to know what Harrelson Agency does differently that they couldn’t get done if they just used Wix or Squarespace or Weebly or one of the many other “website builder” apps is the care and attention we give to details such as Search Engine Optimization, mobile user experiences, payments and online giving (those %’s really do add up when you start receiving online donations), and security. It’s not that the website builder apps don’t offer those services, but items like SEO or mobile experience and especially website security tend to be the last things that someone volunteering to build your site checks (if at all). Plus, there are just better tools that last longer if you know what you’re doing, which is a cost saver over time. That’s especially true of security in 2018 and 2019.
However, one of the newer pitch items I’ve been including out of my own interests and passion is accessibility. I’ve always been interested in the subject, but that became especially true during my time in the classroom as a teacher. I frequently became frustrated with books or apps or computers or websites that students were forced to use but designed specifically with no regard to accessibility or usage issues. Over the last few years running Harrelson Agency and working heavily on website builds and designs with companies, individuals, churches, and nonprofits I’ve noticed that accessibility definitely takes a back seat to other concerns. That’s ESPECIALLY true with resource-strapped and budget limited churches and nonprofits.
However, that should not be the case. In my mind (that’s admittedly full of “too much righteous indignation” as a mentor once chided me), churches and nonprofits should be leading the way to make their websites true open doors to the public in a way that does not discriminate against anyone, including those who need usage, visual, or auditory accommodation to participate in that invitation.
1 in 5 Americans experience permanent or temporary usage, auditory, or visual disability
7.6 million Americans are auditory impaired
8.1 million Americans are visually impaired
2.2 million Americans suffer seizures and epilepsy
2 million Americans are blind
19.9 million Americans are motor impaired and cannot use a computer mouse
Technology is most powerful when it empowers everyone.
Apple is one of the most forward thinking and acting tech companies when it comes to raising awareness of accessibility issues for users. It’s one of the reasons I truly love that tools such as iPad are available for students and all people who seek to participate in the global experience that is the world wide web.
Why aren’t churches talking the similar language and instead forcing everyone to fit through a very narrow door and definition of visitor abilities? We wouldn’t do that in the physical world. It’s time to take the digital world just as seriously and stop passively discriminating because of poor website build decisions.
Take your website’s functionality seriously and allow it to empower and welcome ALL. It’s a matter of mixing philosophy with theology with technical know how. And the trick is that it won’t even cost you that much, but you’ll gain so much more and perhaps share the love of God with someone who is looking for a real open door.
After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities.
These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:
If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.
We use Wordfence as a default on all new WordPress client sites that we create for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap your company / nonprofit / church / community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:
This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.
Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed user / passwords. People still don’t use secure passwords (or more preferably a password manager)…
The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.
One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) are maintenance and security updates for the year.
It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (and understandable). However, it’s necessary and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.
Regardless of the amount of traffic your website receives, if your site is self hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks etc.
If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That’s not depending on the size of your church, nonprofit, or business.
This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:
“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.
That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”
So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.
Don’t wait until it’s too late and have to deal with the ramifications.
I am often asked by Harrelson Agency clients and potential clients if they should use a WordPress.com site or have us build and host a WordPress site for them. Money is often a main concern, as you can pay $100 – 120 a year for a pretty solid WordPress.com site without much fuss. A hosted WordPress site can cost anywhere from a few hundred dollars to thousands of dollars in building costs, and more for hosting and programming. As with anything, discuss the costs upfront with the agency or company building your site if you go the self-hosted route.
There are advantages to the “set it and forget it” style of a WordPress.com website financially, but there are also a few other variables to consider if you’re looking to have a serous presence on the web and translate that into bigger goals for your company. Remember, WordPress started off as a blogging platform. While you can manipulate a WordPress.com site into a more “professional” looking business or church or group site, it’s not always easy depending on your needs and skill level.
If you do self host, you can use custom / commercial themes, plus all other free themes that exist. You can modify, customize, or do anything that you’d like with your site. With WordPress hosting, you’re limited to a set of free themes that exist in the theme repository. Also, you can’t modify the CSS or other codes within the theme. If you’re looking to customize the site with scripts and customizations (as an author / speaker / consultant / business etc) it’s definitely advantageous to be on your own server. This includes everything from being able to do custom embeds of media to accepting payments to contact forms etc.
Simply put, there are (often mission-critical) things you can’t do with WordPress hosted sites that you can do with a self-hosted site.
Plugins are also a big deal, especially as the web matures. You can upload any free, paid, or custom plugin that you want with a hosted site. This allows you to really maximize WordPress’ potential as a content management system and expand that functionality. With a WordPress.com site, you’re not allowed to upload any free, paid, or custom plugins. Everything from search engine optimization (especially needed in 2015) to handling social media sharing to newsletter delivery to some really cool media handling plugins to how your site displays posts etc are covered. Here are a few popular plugins, but I have a standard 10-15 that I typically install on a new site and highly recommend for flexibility and security and making WordPress more than just a blogging platform.
Of course, spending $99 once a year is a nice idea and provides a sense of regular expense if you’re looking into a WordPress.com site with ads turned off and a custom domain (and a little extra storage). There is a higher initial cost for a WordPress hosted site (typically anywhere from $2,000 to $35,000 for most group, church or business sites depending on many variables). However, the cost of a self-hosted WordPress site over the span of a few years evens out and you get a much “nicer” custom experience that is built around your own brand. This also frees you up from being shackled to whatever changes WordPress.com might or might not make as it evolves as a commercial arm of the larger WordPress ecosystem, as we’ve seen just this week … although the changes are all very positive this time. I’ve never had a client want to go back to something like a hosted service after they realize the options available and how the site “pays for itself” over time.
Maintenance is a very big concern for security and speed reasons these days, or at least it should be an absolute top priority. That does require that you keep your site updated, have backups, keep SPAM controlled and keeping your site optimized. That’s something we do for clients, of course. WordPress.com frees you up from that worry or need for maintenance, so that’s a plus for that side of things. However, like everything else, it’s a tradeoff between convenience and the ability to make something truly “your own” in terms of appearance and functionality.
The biggest point I always make when comparing what we can do with what WordPress.com hosting offers is that I believe you really cannot maximize the potential of your site / blog / online presence / long term branding unless you have access to the additional functionality of plugins and the ability to maintain custom modifications (and get down to the nitty gritty code based level allowing for you to make the site look and act like you’d like for it to). Being able to take payments, offer audio / video / text media downloads etc are all big benefits of what we offer with a self-hosted site, but the biggest benefit is that it’s “your” site and belongs to you, whatever may come down the road.
Good thoughts from Om here about the place of having your own website (whether it’s at WordPress.com or a self hosted WordPress installation for more flexibility) and feeding the beast:
Some Thoughts on the New WordPress.com and Mac App – Om Malik: “Most of those platforms are built to be silos, Facebook and Instagram being the worst offenders. Their approach is a threat to the open web as much as the rise of the app-centric internet. As someone who feeds the monster, I should have the ability to keep a copy of what I create. To stay relevant, WordPress.com has to become not only a publishing tool but also a means for me to route my sharing. Its role is that of an information router. I am looking forward to what talented developers do with the new capabilities of WordPress.com.”
We create, host, and manage a number of sites for churches, non-profits, community groups, and businesses. As a part of that, we also spend a good deal of time “behind the scenes” keeping these websites safe and secure. Our clients often don’t realize how much work that entails in 2014 / 2015 with the ongoing proliferation of sophistication and the sheer numbers of bots and bad folks looking to exploit poorly constructed sites or social media accounts to use for other nefarious purposes (nor should they).
Setting up a WordPress site on your own is not hard to do. You have to find a host, click a few selections for your server, then run through the install. It’s gotten tremendously easier over the years. However, if you’re setting up a self-hosted WordPress site, you have to take security seriously.
For example, the screenshot above is just a small sampling of the attempts to “brute force” access to this site from this morning. There are hundreds of these everyday for this site and I see thousands daily for some of our larger clients. You’ll notice the attempts are all trying to gain access to the site with the username “admin.” Before WordPress 3.0, the default for new site installs was to use “admin” as the username. Combine that with the terrible passwords that most people online use, and it’s not hard to see that with enough permutations, the math is there. It’s fairly easy to buy a list of the most commonly used passwords on the web if you know the dark parts of the web to look, as well.
Here are my surface level and generic recommendations if you do decide to set up a WordPress site for your church, group, or business after about a decade of working in this area…
1) Don’t use admin as your login username for WordPress or for any other account whether it will just be you logging in or a team of people.
2) Don’t use a short or “dictionary” phrase password. Use something unique to you and combine numbers, letters, etc as much as you can. That’s not fool proof and there’s research showing that doing so isn’t as effective as it was previously, but it’s still a good practice. Even if you’re “bad at passwords” as most humans claim to be, figure out system for a stronger password. It’s worth your time and it’s important no matter how small or large your site or social media account will be.
3) Use a good plugin such as Sucuri to keep track of security audits, reviews, and monitoring. Again, it’s worth your time and easy to set up email alerts for certain events.
4) Keep track of installed plugins and make sure that no one has installed a plugin that is actually a piece of malware or using your WordPress install for nefarious purposes. This is important especially if you are working with a number of people on a WordPress site and sharing a common user account rather than setting up various users (which you should do for a number of reasons).
5) Update, update, update. Keep your WordPress version, plugins, and themes as updated as possible. That usually means at least a couple of times a month.
Of course, there are many other things to consider but I get this question frequently and wanted to make my initial thoughts easy for others to find. Setting up a WordPress site is a great idea and it’s not terribly difficult. However, do it the right way and make sure you are keeping your brand, visitors, and users free from any potential threats that you can avoid with a little time investment.
One of the main things I want to do more in 2014 is post on my blog. It’s a daily fight with Facebook, Instagram, Twitter etc.
However, this has been my web home for over ten years now an I need to start treating it better.
Great post by Matt…
Blogging is harder than it used to be. We’ve gotten better at counting and worse at paying attention to what really counts. Every time I press Publish the post is publicized to Facebook, Twitter, LinkedIn, Path, and Google+, each with their own mechanisms for enumerating how much people like it.
