.htaccess housekeeping

As some general protection for WordPress sites hosted with me, or with HeartInternet, adding the following code to the top of your .htaccess file should help reduce the chances of your WordPress site being hacked.

# Update PHP to version 7.3
AddHandler application/x-httpd-php73 .php

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
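The block above makes Apache answer 403 to anything aimed at xmlrpc.php, which is the endpoint most often used for password guessing against WordPress logins and for pingback floods. As an added example (not part of the original .htaccess advice), the Python script below reads Apache combined-format access log lines, counts xmlrpc.php requests per client address and per status code, and confirms that the most recent such request was refused. The log lines inside it are constructed sample data, and the regular expression assumes Apache's standard "combined" log format.

```python
"""Spot xmlrpc.php traffic in an Apache access log and confirm the block works.

Added example, not code from the original page.  Reads combined-format
access log lines, tallies requests to xmlrpc.php per client address and
per HTTP status, so you can see who was hammering the endpoint and that
the .htaccess block is now returning 403.  SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: one address hitting xmlrpc.php repeatedly before
# the block (200), an ordinary visitor, then the same address after the block (403).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2019:03:14:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:03:14:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:03:14:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Sep/2019:03:15:10 +0100] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Sep/2019:03:15:11 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:09:00:00 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:09:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, method, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def _is_xmlrpc(path):
    # Ignore any query string, then match the file name.
    return path.split("?")[0].endswith("/xmlrpc.php")


def xmlrpc_report(lines, threshold=3):
    """Summarise xmlrpc.php traffic.

    Returns a dict with:
      by_ip     - requests to xmlrpc.php per client address
      by_status - HTTP status codes returned for those requests
      noisy     - addresses with at least `threshold` requests that got a 2xx,
                  i.e. the endpoint was still reachable for them
    """
    by_ip, by_status, allowed_by_ip = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        if _is_xmlrpc(path):
            by_ip[ip] += 1
            by_status[status] += 1
            if 200 <= status < 300:
                allowed_by_ip[ip] += 1
    noisy = sorted(ip for ip, n in allowed_by_ip.items() if n >= threshold)
    return {"by_ip": dict(by_ip), "by_status": dict(by_status), "noisy": noisy}


def block_is_effective(lines):
    """True if the most recent xmlrpc.php request in the log was refused (403)."""
    last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed and _is_xmlrpc(parsed[2]):
            last = parsed[3]
    return last == 403


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    report = xmlrpc_report(lines)
    print("requests per address:", report["by_ip"])
    print("status codes:", report["by_status"])
    print("addresses that got through repeatedly:", report["noisy"])
    print("block in effect:", block_is_effective(lines))
```

Run it against a real log with `xmlrpc_report(open("/path/to/access.log").readlines())`. One caveat on the .htaccess block itself: `order deny,allow` / `deny from all` is Apache 2.2 syntax and only keeps working on Apache 2.4 while mod_access_compat is loaded; the 2.4-native form inside the same `<Files>` section is `Require all denied`.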

Regular Backups

One of my clients had their website hacked yesterday. This was through their WordPress login, and seems to have occurred as a result of some vulnerabilities on their own computer, likely releasing their username and password. No other sites on that server so far seem affected.

The client hadn’t made any recent backups of their WordPress database, but had years of content on their website.

The hackers had used some sort of automated program to add three sections of JavaScript to every page, post, and image description. This accounted for nearly 750 instances of spam content that had to be carefully removed.

They’d also added themselves as a new user under the email wordpressadmin@test.com.

Hackers had then changed the site URL within WordPress to automatically bounce users through a bunch of affiliate pages on alternative websites, also meaning that you can no longer log in to the WordPress console.

Fortunately though, they left the main content of the website intact (just with the extra spam content). I also still had full access to the server data itself, as do all my clients.

After editing the .sql database directly to remove the redirect, I was then able to log back in again to the WordPress console, generate new passwords for all users, and remove the extra spam user that had been added.

After realising how many instances of the spam content there were throughout the website, I felt it was going to be easier to again modify the SQL database file as plain text, to remove all instances of the JavaScript addition, and restore the site to its previous state (using the ‘find and replace’ feature in plain text editors).

This could also have been done via the WordPress console using ‘Tools/Export’, and then importing the site back again after removing all existing content. But that would have meant removing all existing content temporarily, and I’d rather do the comparatively quicker change of just updating the database file directly.
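The clean-up described above (strip the injected JavaScript, put the site URL back, spot the account that was added) was done by hand in a text editor. As an added example that is not part of the original post, the Python script below does the same triage over a SQL dump in a repeatable way, so that the count of what was found and removed is known before the dump is re-imported. The dump inside it is constructed sample data in mysqldump's single-line INSERT style; the domains, hashes and the `owner` login are placeholders, and the regular expressions assume that style of dump (one INSERT statement per table, no escaped single quotes inside the rows being matched).

```python
"""Triage and clean a WordPress SQL dump after a content-injection hack.

Added example, not the original page's own code.  It finds injected
<script> blocks in post content, reports the siteurl/home options that
were bouncing visitors elsewhere, lists the user accounts so an added
one stands out, then returns a cleaned copy of the dump.  SAMPLE_DUMP is
constructed data; domains, hashes and logins are placeholders.
"""
import re
from collections import Counter

SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://bad.example/r/?to=site','yes'),(2,'home','https://bad.example/r/?to=site','yes'),(3,'blogname','Example Site','yes');
INSERT INTO `wp_users` VALUES (1,'owner','$P$placeholderhash1','owner','owner@example.co.uk','','2010-01-01 00:00:00','',0,'Owner'),(2,'wpadmin','$P$placeholderhash2','wpadmin','wordpressadmin@test.com','','2019-09-09 03:12:44','',0,'wpadmin');
INSERT INTO `wp_posts` VALUES (10,1,'2019-01-01 00:00:00','2019-01-01 00:00:00','<p>Welcome to our site.</p><script src=\"https://bad.example/a.js\"></script>','Hello','','publish','open','open','','hello','','','2019-01-01 00:00:00','2019-01-01 00:00:00','',0,'https://example.co.uk/?p=10',0,'post','',0),(11,1,'2019-02-01 00:00:00','2019-02-01 00:00:00','<p>Opening hours.</p><script src=\"https://bad.example/a.js\"></script>','Hours','','publish','open','open','','hours','','','2019-02-01 00:00:00','2019-02-01 00:00:00','',0,'https://example.co.uk/?p=11',0,'post','',0);
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# wp_options rows: (option_id,'option_name','option_value','autoload')
OPTION_RE = re.compile(r"\((\d+),'(siteurl|home)','([^']*)','(yes|no)'\)")
# wp_users rows start: (ID,'user_login','user_pass','user_nicename','user_email',...
USER_RE = re.compile(r"\(\d+,'([^']*)','[^']*','[^']*','([^']*)'")


def _statement(dump, table):
    """Return the row list of the INSERT statement for `table` ('' if absent)."""
    m = re.search(r"INSERT INTO `%s` VALUES (.*?);\n" % re.escape(table), dump, re.DOTALL)
    return m.group(1) if m else ""


def injected_scripts(dump):
    """Distinct <script> blocks in the dump with their occurrence counts.

    Review the result before removing anything: a legitimate embed would
    show up here too, so only the repeated, unexpected snippets are spam.
    """
    return Counter(SCRIPT_RE.findall(dump))


def remove_snippet(dump, snippet):
    """Exact find-and-replace removal of one snippet; returns (dump, count removed)."""
    return dump.replace(snippet, ""), dump.count(snippet)


def site_urls(dump):
    """Current siteurl and home option values."""
    return {name: value for _id, name, value, _auto in OPTION_RE.findall(_statement(dump, "wp_options"))}


def restore_site_urls(dump, expected):
    """Point siteurl and home back at `expected`, keeping id and autoload as they were."""
    def fix(m):
        return "(%s,'%s','%s','%s')" % (m.group(1), m.group(2), expected, m.group(4))
    return OPTION_RE.sub(fix, dump)


def users(dump):
    """(user_login, user_email) pairs from the wp_users table."""
    return USER_RE.findall(_statement(dump, "wp_users"))


def unexpected_users(dump, known_logins):
    """Accounts whose login is not in the set you know should exist."""
    return [(login, email) for login, email in users(dump) if login not in known_logins]


def clean(dump, expected_url, known_logins):
    """Report what was found, then return (report, cleaned dump).

    Users are only reported, not deleted: remove them from the console
    after logging back in, as the post above describes.
    """
    report = {
        "scripts": injected_scripts(dump),
        "site_urls": site_urls(dump),
        "unexpected_users": unexpected_users(dump, known_logins),
    }
    cleaned = dump
    for snippet in report["scripts"]:
        cleaned, _n = remove_snippet(cleaned, snippet)
    cleaned = restore_site_urls(cleaned, expected_url)
    return report, cleaned


if __name__ == "__main__":
    report, cleaned = clean(SAMPLE_DUMP, "https://example.co.uk", {"owner"})
    for snippet, n in report["scripts"].items():
        print("%d x %s" % (n, snippet))
    print("site urls were:", report["site_urls"])
    print("unexpected users:", report["unexpected_users"])
    print("scripts left after cleaning:", sum(injected_scripts(cleaned).values()))
```

For a real dump, read the file into a string, call `clean()` with the site's proper URL and the logins you recognise, inspect the report, and only then write the cleaned text out for import. Work on a copy: the original dump is itself the evidence of what was changed.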

I have subsequently also made a collection of backups in different forms for the client.

This problem first appeared as just the site taking an age to load, so it seems as though we caught it early.

But please, make regular backups in multiple locations of all of your key data, whatever that is.

If you don’t want to lose it because of a hardware or software glitch, or a hack like this one, having a recent backup really is the best option.

Changes to your email

If you’re using your domain name to host your emails with us (rather than using Gmail, or similar, for example), as of September 2019 any mail client sending via SMTP through the mail server associated with your domain name should use port 587 instead of ports 25 or 465.

Details on how to change this will vary by mail client, but we’ve detailed some of these further down this article.

It is also advisable to use STARTTLS for your encryption method.
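The client-by-client instructions below only show which boxes to tick. As an added example, not part of the original article, the Python script below shows what those settings mean in practice: connect on port 587, upgrade the session with STARTTLS, and, the part no mail client dialog shows you, verify the server's certificate before sending a username and password. The `classify_settings` helper mirrors the advice above (587 with STARTTLS is the target; port 25, 465 and "no encryption" are flagged). Host name, addresses and credentials are placeholders; `send_via_submission` needs a real mail server and is not run by the demonstration at the bottom.

```python
"""Submit mail on port 587 with STARTTLS and a verified certificate.

Added example, not from the original article.  Mirrors the advice above
(use 587 with STARTTLS instead of 25 or 465) and adds the check a client
dialog cannot show you: the certificate is verified against the system
trust store, and the login is refused if STARTTLS is not offered, so a
stripped or faked TLS upgrade fails instead of leaking credentials.
Host names and credentials are placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_PORT = 587


def classify_settings(port, encryption):
    """Judge a client's outgoing-server settings against the advice above.

    `encryption` is "none", "starttls" or "ssl" as the mail clients name it.
    Returns (ok, reason).
    """
    enc = encryption.strip().lower()
    if port == SUBMISSION_PORT and enc == "starttls":
        return True, "submission port 587 with STARTTLS, as advised"
    if enc == "none":
        return False, "no encryption: the password and the mail travel in clear text"
    if port in (25, 465):
        return False, "port %d is no longer to be used for sending here; use 587" % port
    if port == SUBMISSION_PORT:
        return False, "port 587 but encryption is %s; select STARTTLS" % enc
    return False, "unexpected combination: port %d with %s" % (port, enc)


def build_message(sender, recipient, subject, body):
    """Assemble a plain-text message with the headers a server expects."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_submission(host, username, password, msg, port=SUBMISSION_PORT):
    """Connect in clear, upgrade with STARTTLS, verify the certificate, then log in.

    Returns smtplib's dict of refused recipients (empty on full success).
    Raises before sending credentials if the server does not offer STARTTLS
    or its certificate does not verify for `host`.
    """
    context = ssl.create_default_context()  # verifies the chain and the host name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; refusing to log in over clear text")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        smtp.login(username, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Old settings from the article versus the advised ones.
    for port, enc in ((25, "none"), (465, "ssl"), (587, "starttls")):
        ok, reason = classify_settings(port, enc)
        print("%s:%d %-8s -> %s" % ("mail.example.co.uk", port, enc, reason))
    msg = build_message("info@example.co.uk", "someone@example.com", "Test", "Sent on 587 with STARTTLS.")
    # With real credentials:
    # send_via_submission("mail.example.co.uk", "info@example.co.uk", "PASSWORD-PLACEHOLDER", msg)
```

If `has_extn("starttls")` is false on a server that you know supports it, something between you and the server is interfering with the session; that is exactly the case in which continuing in clear text would hand over the password, so the function stops there.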

Outlook

  1. Select File
  2. Select Account Settings
  3. Select Account Settings from the dropdown
  4. Select your email account from the lists in the Email tab and select Change
  5. Select More Settings
  6. Select Advanced
  7. Change the Outgoing server (SMTP) option to 587
  8. Change the encryption types on both IMAP and SMTP to STARTTLS
  9. Select Ok
  10. Select Next
  11. Once tests have completed select Close and then Finish

Windows Mail

  1. Start Windows Mail, click the Tools menu at the top of the window and then click Accounts.
  2. Select your account under Mail, and then click on the Properties button.
  3. Go to the Advanced tab, under Outgoing server (SMTP), change port 25 to 587.
  4. Click the OK button to save the changes.

Outlook Express

  1. Start Outlook Express, and then select Accounts from the Tools menu at the top of the window.
  2. Double click on your email account.
  3. Under the Advanced tab, change the Outgoing server (SMTP) port 25 to 587.

Thunderbird

  1. Select Tools
  2. Select Outgoing Server (SMTP)
  3. Select the server for this account then Edit
  4. Change the port to 587
  5. Change the Connection Security option to STARTTLS
  6. Change the Authentication Method option to Normal Password
  7. Enter your full email address as the User Name
  8. Select OK
  9. Select OK

Mac Mail

  1. Select Preferences
  2. Select Accounts
  3. Select the Outgoing Mail Server (SMTP) drop down menu, then Edit SMTP Server List
  4. Select the SMTP server for this account
  5. Change the Port to 587
  6. Select OK

iPhone

  1. Go to Settings
  2. Select Passwords & Accounts
  3. Select your email account
  4. Select the Account
  5. Under OUTGOING MAIL SERVER select SMTP
  6. Select the server
  7. Update the Server Port to use 587
  8. Select Done
  9. Select < Account then Done

Android Mail

  1. Open the Email App
  2. Select Settings
  3. Select Account Settings
  4. Select the account you wish to change
  5. Scroll down to More Settings
  6. Select Outgoing Settings
  7. Change the port to 587 and the Security Settings to STARTTLS
  8. Select Done

Designing for Accessibility

accessibility-posters-set.pdf

Some really great information, developed by a friend, and now with Home Office recommendations.

These posters cover the following access needs:

  • Autism
  • Deafness and hard of hearing
  • Dyslexia
  • Physical or motor disabilities
  • Visually impaired – low vision users
  • Visually impaired – screenreader users
  • Anxiety

You can access the full suite of documents in a number of languages, through the following link: https://github.com/UKHomeOffice/posters/tree/master/accessibility/dos-donts

Wix.com Review

I’ve been hearing a number of people talking about the easy build system called wix.com over the last few years.


With around 62 million users at present, they’re clearly making great progress in offering websites that are comparatively easy to build for the novice.

What surprised me however, in some recent technical support for a client, was the cost of the various ‘optional add-ons’ available through their system, and also their comparative ineffectiveness.

What Wix currently offers:

  • For around $45, you get to display the ‘built by wix’ advertising on every one of your webpages (at the top right, and the base)
    • You can upgrade to their next package at around twice the price, to remove that advertising (but it still seems to appear on mobile phone and tablet browsers)
  • You can have your own domain name for around $15 a year, but having email addresses at your domain hosted by Gmail (i.e. info@mydomain.com, sales@mydomain.com, etc.) costs $5 per email address per month!  (This kind of email forwarding from your domain to Google should not incur such high prices, particularly when the set-up is a simple one-off automated digital process, and Wix.com does not actually host any of the email traffic.)
  • They offer a ‘Shout Out’ option to send newsletters to your subscribers.  This is limited to 5,000 emails per month (which is reasonable).  However, as part of the email tracking, the email appears in the recipient’s inbox as a remotely hosted image of your email text (effectively a screen grab of an HTML email).  Thus your email is not accessible to people with various visual impairments (the actual text cannot be easily extracted by screen readers), and the text itself does not scale for different screens (your small mobile phone screen, your tablet, your desktop, etc.).
  • You can of course ‘design your own website’ (although if you’re not a skilled designer, experienced with usability and accessibility, etc. this is fraught with likely errors).
  • Worst of all, is the way your website is displayed within your browser source code.  They claim Search Engine Optimisation using an AJAX method.  However, if you click on ‘view source’ of any page of a wix.com website, you’ll see a mass of code loading remote areas of content, but effectively no real text content within your browser.  This does make it more difficult for search engines to naturally ‘crawl’ your website pages.  In fact, the only ‘real’ content of your website kept in plain text (hidden deep in all the superfluous code) links purely to the hosting of wix.com.
    • In essence, if you have regular text on your website, for easier accessibility by all, you want to display this in as little superfluous code as possible.  The more code you hide your content behind, the longer the page will take to load (bad for limited bandwidth on mobile phones), the harder it will be for search engines to index (thus lower search rankings), and the harder it will be for people with some disabilities to use your website (which can be a breach of the Disability Discrimination Act amongst others).

So what can be done instead?

  • With very limited experience, you can build a free website in WordPress instead, using a free OpenSource ‘theme’ design which can also be modified easily to your preferred colours and layout.  Or you can buy more customised themes ‘off the shelf’ from various developers, or even have your own unique design commissioned.
  • You can have your own domain hosted with a reputable reseller, with as many email accounts as you want, for a fraction of the Wix.com prices (often free with many standard hosting packages)
  • You can send newsletters via MailChimp more effectively (which is also free for up to 12,000 emails with up to 2,000 subscribers)
  • And your website content will be more accessible, across multiple device options, with cleaner code, which should also appear higher on Google natural search results, with faster load times, and fewer errors.

Please do get in contact if you have any queries.

Domain Registration Scam

The scammers are back out again, now by email.

This time, they are trying to get us to pay 5 times the regular price for a domain name we already own, under the misdirection that if we don’t, we’ll lose its search engine submission.

Once again, this is a load of *%#!

Firstly, the email address it’s sent to is the default email for all our hosted domains; at no point was it used to subscribe to any list (as detailed below).  They are not a ‘Search Engine Optimisation Company’; they are scammers.

If you receive any email similar to this, do not click on any links.

———-

ATTENTION: IMPORTANT NOTICE
Domain SEO Service Registration Corp.
Order#: 616860
Date: 12/10/2014
EXPIRATION NOTICE

DOMAIN: ———–
Notification Offer
EXPIRATION DATE: 12/18/2014

Bill To:  ———–
Domain Name: ———–

Registration SEO Period:

Price:$64.00

Term:

———–      01/01/2015 to 01/01/2016        1 Year

SECURE ONLINE PAYMENT

Domain Name: ———–

Attn: ———–

This important expiration notification notifies you about the expiration notice of your domain registration for jasonparlour.net  search engine submission. The information in this expiration notification may contain confidential and/or legally privileged information from the notification processing department of the Domain SEO Service Registration. This information is intended only for the use of the individual(s) named above.
If you fail to complete your domain name registration jasonparlour.net  search engine service by the expiration date, may result in the cancellation of this domain name notification offer notice.
PLEASE CLICK ON
SECURE ONLINE PAYMENT

TO COMPLETE YOUR PAYMENT.
Failure to complete your domain name registration jasonparlour.net  search engine service process may make it difficult for customers to find you on the web.
CLICK UNDERNEATH FOR IMMEDIATE PAYMENT
PROCESS PAYMENT FOR
jasonparlour.net
SECURE ONLINE PAYMENT
ACT IMMEDIATELY

This domain registration for ———– search engine service notification will expire 12/18/2014.

Instructions and Unsubscribe Instructions:

You have received this message because you elected to receive special notification offers. If you no longer wish to receive our notifications, please unsubscribe here or mail us a written request to Domain SEO Service Registration Corp., 5379 Lyons Rd. 452, Coconut Creek, FL 33073. If you have multiple accounts with us, you must opt out for each one individually in order to stop receiving notifications notices. We are a search engine optimization company. We do not directly register or renew domain names. We are selling traffic generator software tools. This message is CAN-SPAM compliant. THIS IS NOT A BILL. THIS IS A NOTIFICATION OFFER. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS NOTIFICATION OFFER. Please do not reply to this email, as we are not able to respond to messages sent to this address.

Hiding content with OpenCrypt

If you’re using a WordPress website (such as www.digi-pole.com) and provide secure member content using the build system called ‘OpenCrypt’, then whenever WordPress is updated, the modifications to the source code get overwritten, and the hidden text is no longer hidden (although items stored in the secure members area are still secure).

The file you need to update is:

/wp-includes/post-template.php

Around line 302, you should see something along the lines of:

    if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
        $output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );

    return $output;
}

This needs to be changed as follows (the additions are the lines between the two "OpenCrypt Modification" comments):

    if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
        $output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );

    # OpenCrypt Modification
    require "opencrypt_plugin.php";
    # OpenCrypt Modification

    return $output;
}

Updating the tag cloud text size in WordPress

If you use a WordPress blog system for your website, something which of course is very useful, is the list of ‘tags’ (keywords) you can assign to each of your blog posts.

However, in current versions of WordPress, every WordPress update returns the tag cloud to its default settings (i.e. the font size varies considerably, depending on how many times each tag is used throughout your website), so after each update you need to edit the following file again:

/wp-includes/category-template.php

Then around line 613, you should see something like the following:

$defaults = array(
    'smallest' => 8, 'largest' => 22, 'unit' => 'pt', 'number' => 45,
    'format' => 'flat', 'separator' => "\n", 'orderby' => 'name', 'order' => 'ASC',
    'exclude' => '', 'include' => '', 'link' => 'view', 'taxonomy' => 'post_tag', 'echo' => true
);

Simply change the font size of ‘smallest’ and ‘largest’ to your preferred point sizes (the default is normally around 12pt)

I personally prefer to change the smallest to '1', the largest to '1', the unit to 'em', and then change the ‘separator’ from "\n" to ",\n" (thus adding a comma immediately after each tag, and prior to a space before the next tag).

$defaults = array(
    'smallest' => 1, 'largest' => 1, 'unit' => 'em', 'number' => 45,
    'format' => 'flat', 'separator' => ",\n", 'orderby' => 'name', 'order' => 'ASC',
    'exclude' => '', 'include' => '', 'link' => 'view', 'taxonomy' => 'post_tag', 'post_type' => '', 'echo' => true
);

How can I improve my natural listing position on Google?

There are of course huge numbers of people claiming to be experts in SEO (Search Engine Optimisation), the largest search engine of all of course being Google.

However, the only real Google experts are those who actually work for Google right now.  They’re constantly trying to improve their search results, making them more intuitive to humans, and more like human rankings.

People will often find little loopholes on how to artificially improve your ranking position, with ‘black art’ techniques (things that will typically get your website blacklisted from Google, and therefore hidden entirely from view for at least 3 months).  So as I’ve mentioned before, do the things primarily for the human user.. and Google will follow.

So assuming that your website is already accessible to people with visual challenges (and therefore search engines can read it more easily too).. you’ve already made sure all your images have ‘alt’ text.. and of course you have lots of good readable text on each page (especially the homepage), etc.

Google likes a few key things in particular:

  • Old websites (so you must therefore be an ‘established’ business)
  • Websites with lots of good real content, related to the search terms (so you have something worth looking at, when the visitor gets there), especially content that’s updated, and added to regularly.
  • Lots of links to your website from other websites (meaning lots of people like it enough, to want to share it with other people)

So what is your speciality area?  If your business is about hair extensions, talk about it through your integrated blog.  Also, if you’re a geographically based business (ie in Reading), then talk about things going on locally too.


Typically, the more often you update your website, the more often Google (and others) will think it’s worth looking at, which means the higher up the natural search rankings you’ll appear.

So, for example, write about things related to hair extensions, or even anything to do with hair!  i.e. your thoughts on the Royal wedding, any celebrities you see or know about with hair extensions in the press.. or even “if you’d like to have hair like ‘xxxx’ we have just the hair extensions for you”…  It doesn’t really matter what you blog about, just blog more!

If you can get your website talked about on related web forums (ie the types of forums your clients might read.. ie young mothers’ forums, rock, grunge, tattoo, etc..), with links back to your website, that will help too (try to keep it natural though, when mentioning your website).

You could also reply back on other people’s related blogs, with genuine comments (and links back to your website in the signature).  Any links through newspaper article websites, or the BBC would of course be very good for your natural search ranking.

Having a Facebook Group for your business, that people can ‘like’ is of course also a very popular choice these days, with links back to your website (and photos on your Facebook page too of course).

You could also try shooting a video of you doing what you do best.  Put this on YouTube.. and this can then also help a lot with rankings too (as Google owns YouTube, and seems to really like links from popular videos back to related websites).

All of the above should essentially be free!

Why you can’t believe what you read in spam!

Had another one passed through today, from a company claiming to offer financial reports of the top 600 companies in that particular business sector, which included the client company they were emailing.

However, although this particular client has a limited company under the trading name, all of their trading actually goes through a different company entirely, so the company listed in the email as apparently performing in the top 600 of that industry (out of tens of thousands across the UK) is effectively a dormant company!

Would you think it’d be appropriate to provide money to a company starting off with this false information?

This is why it’s so important to not share your primary email addresses with mailing lists (or anyone who subsequently makes a mailing list out of your details).  Once you’re on the spammer’s list, there’s no escape from junk like the one above (apart from shutting the email address down entirely).