Even Hackers Take Summer Vacations

Sam Harrelson on August 10, 2017

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed user / passwords. People still don’t use secure passwords (or more preferably a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report

Why Your Church or Nonprofit Website Needs Regular Security Updates

Sam Harrelson on April 6, 2016

hacked

One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) are maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (and understandable). However, it’s necessary and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That’s not depending on the size of your church, nonprofit, or business.

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and have to deal with the ramifications.

Should You Use WordPress.com or Host Your Own WordPress Site?

Sam Harrelson on November 24, 2015

I am often asked by Harrelson Agency clients and potential clients if they should use a WordPress.com site or have us build and host a WordPress site for them. Money is often a main concern, as you can pay $100 – 120 a year for a pretty solid WordPress.com site without much fuss. A hosted WordPress site can cost anywhere from a few hundred dollars to thousands of dollars in building costs, and more for hosting and programming. As with anything, discuss the costs upfront with the agency or company building your site if you go the self-hosted route.

There are advantages to the “set it and forget it” style of a WordPress.com website financially, but there are also a few other variables to consider if you’re looking to have a serous presence on the web and translate that into bigger goals for your company. Remember, WordPress started off as a blogging platform. While you can manipulate a WordPress.com site into a more “professional” looking business or church or group site, it’s not always easy depending on your needs and skill level.

If you do self host, you can use custom / commercial themes, plus all other free themes that exist. You can modify, customize, or do anything that you’d like with your site. With WordPress hosting, you’re limited to a set of free themes that exist in the theme repository. Also, you can’t modify the CSS or other codes within the theme. If you’re looking to customize the site with scripts and customizations (as an author / speaker / consultant / business etc) it’s definitely advantageous to be on your own server. This includes everything from being able to do custom embeds of media to accepting payments to contact forms etc.

Simply put, there are (often mission-critical) things you can’t do with WordPress hosted sites that you can do with a self-hosted site.

Plugins are also a big deal, especially as the web matures. You can upload any free, paid, or custom plugin that you want with a hosted site. This allows you to really maximize WordPress’ potential as a content management system and expand that functionality. With a WordPress.com site, you’re not allowed to upload any free, paid, or custom plugins. Everything from search engine optimization (especially needed in 2015) to handling social media sharing to newsletter delivery to some really cool media handling plugins to how your site displays posts etc are covered. Here are a few popular plugins, but I have a standard 10-15 that I typically install on a new site and highly recommend for flexibility and security and making WordPress more than just a blogging platform.

Of course, spending $99 once a year is a nice idea and provides a sense of regular expense if you’re looking into a WordPress.com site with ads turned off and a custom domain (and a little extra storage). There is a higher initial cost for a WordPress hosted site (typically anywhere from $2,000 to $35,000 for most group, church or business sites depending on many variables). However, the cost of a self-hosted WordPress site over the span of a few years evens out and you get a much “nicer” custom experience that is built around your own brand. This also frees you up from being shackled to whatever changes WordPress.com might or might not make as it evolves as a commercial arm of the larger WordPress ecosystem, as we’ve seen just this week … although the changes are all very positive this time. I’ve never had a client want to go back to something like a hosted service after they realize the options available and how the site “pays for itself” over time.

Maintenance is a very big concern for security and speed reasons these days, or at least it should be an absolute top priority. That does require that you keep your site updated, have backups, keep SPAM controlled and keeping your site optimized. That’s something we do for clients, of course. WordPress.com frees you up from that worry or need for maintenance, so that’s a plus for that side of things. However, like everything else, it’s a tradeoff between convenience and the ability to make something truly “your own” in terms of appearance and functionality.

The biggest point I always make when comparing what we can do with what WordPress.com hosting offers is that I believe you really cannot maximize the potential of your site / blog / online presence / long term branding unless you have access to the additional functionality of plugins and the ability to maintain custom modifications (and get down to the nitty gritty code based level allowing for you to make the site look and act like you’d like for it to). Being able to take payments, offer audio / video / text media downloads etc are all big benefits of what we offer with a self-hosted site, but the biggest benefit is that it’s “your” site and belongs to you, whatever may come down the road.

Why WordPress Still Matters

Sam Harrelson on November 24, 2015

Good thoughts from Om here about the place of having your own website (whether it’s at WordPress.com or a self hosted WordPress installation for more flexibility) and feeding the beast:

Some Thoughts on the New WordPress.com and Mac App – Om Malik: “Most of those platforms are built to be silos, Facebook and Instagram being the worst offenders. Their approach is a threat to the open web as much as the rise of the app-centric internet. As someone who feeds the monster, I should have the ability to keep a copy of what I create. To stay relevant, WordPress.com has to become not only a publishing tool but also a means for me to route my sharing. Its role is that of an information router. I am looking forward to what talented developers do with the new capabilities of WordPress.com.”

Don’t Use Admin As Your WordPress Username

Sam Harrelson on December 15, 2014

We create, host, and manage a number of sites for churches, non-profits, community groups, and businesses. As a part of that, we also spend a good deal of time “behind the scenes” keeping these websites safe and secure. Our clients often don’t realize how much work that entails in 2014 / 2015 with the ongoing proliferation of sophistication and the sheer numbers of bots and bad folks looking to exploit poorly constructed sites or social media accounts to use for other nefarious purposes (nor should they).

Setting up a WordPress site on your own is not hard to do. You have to find a host, click a few selections for your server, then run through the install. It’s gotten tremendously easier over the years. However, if you’re setting up a self-hosted WordPress site, you have to take security seriously.

For example, the screenshot above is just a small sampling of the attempts to “brute force” access to this site from this morning. There are hundreds of these everyday for this site and I see thousands daily for some of our larger clients. You’ll notice the attempts are all trying to gain access to the site with the username “admin.” Before WordPress 3.0, the default for new site installs was to use “admin” as the username. Combine that with the terrible passwords that most people online use, and it’s not hard to see that with enough permutations, the math is there. It’s fairly easy to buy a list of the most commonly used passwords on the web if you know the dark parts of the web to look, as well.

Here are my surface level and generic recommendations if you do decide to set up a WordPress site for your church, group, or business after about a decade of working in this area…

1) Don’t use admin as your login username for WordPress or for any other account whether it will just be you logging in or a team of people.

2) Don’t use a short or “dictionary” phrase password. Use something unique to you and combine numbers, letters, etc as much as you can. That’s not fool proof and there’s research showing that doing so isn’t as effective as it was previously, but it’s still a good practice. Even if you’re “bad at passwords” as most humans claim to be, figure out system for a stronger password. It’s worth your time and it’s important no matter how small or large your site or social media account will be.

3) Use a good plugin such as Sucuri to keep track of security audits, reviews, and monitoring. Again, it’s worth your time and easy to set up email alerts for certain events.

4) Keep track of installed plugins and make sure that no one has installed a plugin that is actually a piece of malware or using your WordPress install for nefarious purposes. This is important especially if you are working with a number of people on a WordPress site and sharing a common user account rather than setting up various users (which you should do for a number of reasons).

5) Update, update, update. Keep your WordPress version, plugins, and themes as updated as possible. That usually means at least a couple of times a month.

Of course, there are many other things to consider but I get this question frequently and wanted to make my initial thoughts easy for others to find. Setting up a WordPress site is a great idea and it’s not terribly difficult. However, do it the right way and make sure you are keeping your brand, visitors, and users free from any potential threats that you can avoid with a little time investment.

Blogging Still Matters in a Social Media World

Sam Harrelson on January 5, 2014

One of the main things I want to do more in 2014 is post on my blog. It’s a daily fight with Facebook, Instagram, Twitter etc.

However, this has been my web home for over ten years now an I need to start treating it better.

Great post by Matt…

Blogging is harder than it used to be. We’ve gotten better at counting and worse at paying attention to what really counts. Every time I press Publish the post is publicized to Facebook, Twitter, LinkedIn, Path, and Google+, each with their own mechanisms for enumerating how much people like it.

via The Intrinsic Value of Blogging | Matt Mullenweg.

Things We Love: WP to Twitter Plugin

Sam Harrelson on May 26, 2013

You might have noticed that we do auto-posting of things on the blog here to our @harrelsonagency Twitter account. To do that, we use the awesome WP to Twitter plugin for WordPress:

WordPress › WP to Twitter « WordPress Plugins: “WP to Twitter automatically posts Tweets from WordPress to Twitter using your URL shortening service to provide a link back to your post from Twitter.”

That’s a great free plugin, but the paid version called WP Tweets Pro is even better:

Your PRO Marketing Tool for WordPress and Twitter: WP Tweets PRO: “What can WP Tweets PRO do for you? It takes the great posting capabilities already available to you in the free plug-in and expands them: allowing you to publish to different Twitter accounts for each author; to schedule up to 3 re-posts of your Tweet at an interval of your choice; and, with a delay between publishing and Tweeting, gives you the ability to review your tweets before they go out.”

We’ve been very happy with the ability to post up things and have them go out to individual author tweet streams automagically. Plus, the reposting of tweets is somewhat of a necessary evil in 2013 with the inundation of information.

For $30, that’s awesome.

If you’re on WordPress and looking for an easy to use plugin to help you manage Twitter, this is the one for you.

Reminiscing About What the Web Was

Sam Harrelson on December 14, 2012

From 2008:

The vanishing personal site – Jeffrey Zeldman: “Our personal sites, once our primary points of online presence, are becoming sock drawers for displaced first-person content. We are witnessing the disappearance of the all-in-one, carefully designed personal site containing professional information, links, and brief bursts of frequently updated content to which others respond via comments.”

From this week in 2012:

The Web We Lost – Anil Dash: “The tech industry and its press have treated the rise of billion-scale social networks and ubiquitous smartphone apps as an unadulterated win for regular people, a triumph of usability and empowerment. They seldom talk about what we’ve lost along the way in this transition, and I find that younger folks may not even know how the web used to be.”

We’ve lost a great deal indeed.

Lots to ponder between these last four years and these two complimentary bookends on the handing over of our namespaces and personal sites to venture capital funds, eager stock buyers and corporate silos.

And yes, I miss Technorati as well.

New in WordPress 3.5

Sam Harrelson on December 7, 2012

We’re super excited about the upcoming release of WordPress 3.5 as we use the insanely flexible and competent WordPress content management platform for our own blog as well as a a number of client sites (especially in the affiliate and performance marketing world).

MediaTemple, who we use for hosting this site and can’t recommend enough to others who need server hosting, has put together a great post about the new features of WordPress…

(mt) Media Temple » Weblog » Blog Archive » What’s New in WordPress 3.5: “WordPress 3.5 is set to be released this Monday, December 10! What can you expect from the new upgrade? In this article, we will cover the basics of the new default theme, Twenty Twelve, the new Media Manager, and some lesser known but very useful features that will be a part of 3.5.”

We’ll post our experiences with 3.5 next week after we’ve had a few days to kick the tires.

WordPress A/B Testing with Simple Page Tester

Sam Harrelson on December 5, 2012

Shawn Collins points out a nifty WordPress plugin for split A/B testing on affiliate sites or any landing page that requires optimization…

A/B Testing: “For the uninitiated, split or A/B testing is a process where you serve up different versions of your page to different visitors to determine which is more effective.

I’ve tried various ways in WordPress and found they were largely a hassle, until I came across the Simple Page Tester plugin.”

I’ve tested Simple Page Tester with a paid search campaign as well as a Facebook Ads campaign linking out to a micro-site lead generation page and it definitely does the trick.