By Lionel Thomas / Website, Website Security, WordPress

WordPress and other Content Management Systems (Joomla, Drupal etc.) let us leverage technology so much that many websites nowadays are created by the business owner themselves, non-technical personnel or just a website designer. This opens websites up to many security issues: they are not kept up to date, have no security added (or not set up properly) and may not even have any backups.

Previously, I helped a website design company that had 42 of their clients' websites hacked, plus an additional 8 websites from another website design company sharing their server. Looking into the issue, the hacking had started 4 years earlier and only recently become aggressive; the server and websites lacked security and were not kept up to date. Their security had more holes than Swiss cheese and the hackers had a field day. The websites and server were fixed, yet the cost to have implemented the security would have been insignificant compared to the cost to fix the issue. Also, once a server has been hacked to this extent, it is best to move the websites to another server, as there is always the chance something has been left behind to regain entry.

In another scenario, a new client had a website with a security plugin, yet it wasn't set up and still allowed basic brute-force attacks freely, and there were active attempts to hack in every day. Luckily it was a novice hacker and the website was secured before entry was gained, yet it shows a little knowledge can be dangerous with security. When implementing security, you need to know why you are doing what you are doing; adding a security plugin doesn't mean it will work for every scenario, especially if it is not set up properly.

I hear this a lot: "my website is hosted with X, they would look after the security, right?" No hosting company will look after all security issues. If you own a website or look after one, you need to know what security, if any, has been set up for your website and server, and also what security is needed.

Joomla (8 Year Old Vulnerability)

Recently Joomla had a vulnerability that affected all versions from the last 8 years, meaning nearly every Joomla website needed to be updated, as the vulnerability was being actively exploited. In this scenario there are precautions that can be taken, such as firewalls or security layers that help prevent issues occurring until the website can be updated. Yet, as stated above, because many websites have non-technical personnel maintaining them, there is a great lack of website security, leaving websites open to being hacked.

WordPress 4.4.1 Update / Plugin Vulnerabilities

The 4.4.1 update to WordPress fixes an XSS (Cross-Site Scripting) vulnerability. This vulnerability is now known in the wild, meaning if you have not updated your WordPress website you need to do so ASAP.

WordPress Plugin Vulnerabilities

All of the following have vulnerabilities that have been fixed in their latest version, so if you have not updated, ensure you do ASAP.

  • Commentator plugin version 2.5.2 and older
  • WordPress Download Manager 2.8.7 and older
  • Simple Download Monitor 3.2.8
  • Simple Ads Manager 2.9.4.116
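One way to act on that list: an added example (not code from the article) that reads the version header WordPress keeps at the top of each plugin's main PHP file and flags installs matching the versions listed above. The plugin file paths and installed versions in the sample headers are constructed; the two entries the article gives without "and older" are matched on that exact version only.

```python
import re

# Vulnerable plugin versions as listed in the article above:
# (plugin name, version, whether older versions are listed as affected too)
VULNERABLE = [
    ("Commentator", "2.5.2", True),
    ("WordPress Download Manager", "2.8.7", True),
    ("Simple Download Monitor", "3.2.8", False),
    ("Simple Ads Manager", "2.9.4.116", False),
]

# Constructed sample headers in the format WordPress reads from the top of a
# plugin's main PHP file; the paths and installed versions are hypothetical.
SAMPLE_HEADERS = {
    "commentator/commentator.php":
        "<?php\n/*\nPlugin Name: Commentator\nVersion: 2.4.0\n*/",
    "download-manager/download-manager.php":
        "<?php\n/*\nPlugin Name: WordPress Download Manager\nVersion: 2.9.0\n*/",
    "simple-download-monitor/main.php":
        "<?php\n/*\nPlugin Name: Simple Download Monitor\nVersion: 3.2.8\n*/",
}

def parse_version(version):
    """Turn '2.9.4.116' into a tuple of ints so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def read_header(text):
    """Extract Plugin Name and Version from a plugin header; None if either is missing."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", text, re.M)
    ver = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", text, re.M)
    return (name.group(1), ver.group(1)) if name and ver else None

def is_vulnerable(name, version):
    """True if the installed version matches an entry in the list above."""
    for vuln_name, vuln_version, older_affected in VULNERABLE:
        if name.lower() != vuln_name.lower():
            continue
        installed, listed = parse_version(version), parse_version(vuln_version)
        return installed == listed or (older_affected and installed < listed)
    return False

def audit(headers):
    """Return the plugin files whose header version is on the vulnerable list."""
    flagged = []
    for path, text in headers.items():
        parsed = read_header(text)
        if parsed and is_vulnerable(*parsed):
            flagged.append(path)
    return sorted(flagged)
```

To run it against a real install, read each file under wp-content/plugins into the dictionary in place of SAMPLE_HEADERS.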

Key Note

Research and training is needed by companies that have a website into what is required to keep safe not only the website, but also communications from the website and any data they retain about users.

With the aim of improving website security, I have listed various systems and plugins that can be used to improve website security; note that these still need to be set up correctly and kept updated to the latest version to be of benefit. Plus, there are more areas of owning a website, such as the server, that need to be hardened to help maintain an adequate level of security.

Cloud Flare

(www.CloudFlare.com)
A group of web-masters started collaborating many years ago to create a database of hackers, spammers and the like, so they could filter out traffic to improve the security of websites. Cloud Flare sits between your website and its users; it is extremely useful and includes a CDN, optimization, security, analytics and website apps. In short, it will assist with security, may make your website load faster, reduce the load on your server, give you traffic statistics and allow you to add specific features with ease. It has a free and a paid version. The free version is very good, yet if you have a large website you want to keep healthy, look into the paid version.

There are several WordPress, Joomla etc. security plugins I will write up in my next article. If you need help or would like to know about these security details, send me an email (lionel@vofer.com.au) and I will update you with the details.

Vofer

Websites, Online Marketing (PPC/SMM) and Cyber Security
www.Vofer.com.au

It's been a while now since mobile usage to find businesses overtook desktops in both local and Google searches. 80% of people searching for a business on their phones are looking for the location or contact number, and while responsive websites work on mobile and are classified as mobile friendly, they usually are not mobile user friendly, meaning that responsive websites hide or push the most important content people are looking for down to the lower sections of the website. Do not make the user search for what they need.

A business mobile website should have the location and/or contact number/email prominent at the top of the website, or its main call to action, depending on the business. Rule of thumb: if you have a business people would be looking for the location of or needing to contact, you need to supply this information in an easy-to-access location at the top of the website, displayed when the website loads; drop-down menus and the like are not user friendly, and the more clicks or searching a potential customer or client needs to do, the less likely they are to go through with it.

The dynamics and flow of your main calls to action need to be researched in relation to the demographics. For example, having the location link straight to a Google Map, if there is only one location, is good for convenience, yet linking to a page with the location in text alongside a map is good in that it allows the user to copy the location to use with their own GPS system. This sort of thing will depend on the demographics of the end user, as more proficient mobile users may know how to share the Google Maps location or copy from it if needed.

If you don't test, measure and repeat, you will not be able to make a judgement on the best solution for your business.

Also, never forget that they are on a mobile device: you can enhance the user experience with the user's location, and don't forget Facebook check-ins, reviews and other social spread techniques.