Hello Happy Site Owners! This week’s tips include a quick check to see if your site is part of the current DDoS attacks and how to close that loophole that’s on every WordPress site, how to add custom social share buttons in Genesis, progress on WordPress 3.9, an easy way to discover if your site has been hacked, the super performance perks in store when HTTP2 comes out, an update to Sucuri’s CloudProxy Website Firewall service, plugins that have been updated to protect against DDoS and Brute Force attacks, what the real costs are in a theme design project, site User Interface guidelines, why you may not want to use the new 40 million free images Getty just released, a super update to a super post with bunches of super links to take your blogging to the next level, and for dessert, well, you’ll just have to see it. So let’s dive in. Listen to the podcast.
I want to send a huge thank you to everyone who has been celebrating with me this past week. I left my j-o-b as an electronics engineer for the last three decades to focus exclusively on BlogAid as my one and only career. It’s been a long road switching over and meant many sacrifices and a lot of hard work. But it has paid off and now I get to spend my days with great people putting good into the world. I really can’t think of a better vocation. So, thank you again for all of the atta girls, well wishes, and for celebrating with me.
Okay, we’ve got a lot to cover this week, so let’s jump right into the tips.
Do This Now
Update: Be sure to see my full post on how to Disable XML-RPC in WordPress to Prevent DDoS Attack
The first thing I want you to do today, as soon as you can, is go to the Sucuri website and check out this post. They found 162,000 WordPress sites being used in a recent DDoS attack, and the site owners had no idea their sites were taking part. None.
On all WordPress sites, there is a little function called XML-RPC that is turned on by default. It powers the trackback and pingback notifications that let another WordPress site owner know when you link to one of their posts. Nobody much uses it anymore, but most folks never turned it off.
A lot of you will find this post a little geeky, so let me save you some time. About 3/4 of the way down, there is a section that tells you how to add some code to your theme to block XML-RPC from being used on your site. You’ll want to place it in your functions.php file. Now, that’s a super important file to your site. So, if you’re not a coder, you’ll definitely want to hire one, or your designer, to make that change. If you goof it up, you could lose access to or use of your site.
And then near the very bottom is a link to use their WordPress DDoS Scanner to check to see if your site is being used in the attack. So, definitely do that and make sure your site is in the clear.
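As an added illustration of what that functions.php change looks like (this is my own example, not code from the BlogAid post or from Sucuri’s article), here is a snippet that removes the pingback methods from XML-RPC and stops the site from advertising the service. The filter names `xmlrpc_methods`, `wp_headers` and `xmlrpc_enabled` are real WordPress core filters; the two function names are my own choice and can be anything that doesn’t clash with your theme.

```php
<?php
/*
 * Added example, not from the BlogAid post or Sucuri. Place in your theme's
 * functions.php (or, better, in a small must-use plugin under wp-content/mu-plugins,
 * so it survives theme updates). Function names are my own and assumed not to
 * collide with anything else on the site.
 */

// Remove the pingback methods that the reflected DDoS abuses, but leave the
// rest of XML-RPC alone so remote publishing tools keep working.
function blogaid_example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'blogaid_example_remove_pingback_methods' );

// Stop sending the X-Pingback response header, so the site no longer
// announces that it accepts pingbacks.
function blogaid_example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'blogaid_example_remove_pingback_header' );

// Caveat: this common one-liner only disables the XML-RPC methods that
// require a login. pingback.ping does not require a login, so on its own
// it does NOT close the pingback loophole. Use it in addition to the
// method filter above, not instead of it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

To confirm the change took, have your developer send a `system.listMethods` request to `/xmlrpc.php` on the site and check that `pingback.ping` is no longer in the list, and that the `X-Pingback` header is gone from a normal page response. If you don’t use the WordPress mobile apps, Jetpack, or any other remote publishing tool, your host or a security plugin can also block `xmlrpc.php` at the web server level, which is the simplest option of all.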
Y’all know that I’ve been on a site performance kick lately, and with good reason. One of the things I’ve mentioned is hard-coding the social share and follow icons into my theme, because the plugins for these things are both a performance and a security issue. Well, BitDoz has just updated their coding tutorial for hard-coding the share buttons into a Genesis theme so they are responsive. I noticed the one still missing is Pinterest. It really is its own little animal. But this tutorial will be a good start for the designers who are following me, to check out and see the updates for responsive themes. If you know of a tutorial for adding the Pinterest button too, you’re welcome to share it.
– – – – – – – –
WordPress 3.9 Progress
The developers are making good progress on all fronts with WordPress 3.9.
Audio/video shortcodes – Of particular interest to me is work on the text editor. They have added image based placeholders for audio and video shortcodes. I can’t wait to see what that looks like.
Thumbnails for audio/video – And, they’re looking to turn on a hidden feature for displaying thumbnail images that are attached to an audio or video file. Can’t wait to see that too, although it does require theme support. So, I’ll be digging into the details of that as more become available.
Playlist look – And, they are working on a super generic playlist user interface as well, so it’s theme independent. Looks nice in the screenshots on this post, with the three default WordPress themes.
Drag/drop images – Another tweak will be to drag images directly into the text editor instead of having to open the media manager first. It will still open, but after you drag and drop. I’ll be interested to see if all browsers support this feature.
HTML5 galleries – Support is being added for the way galleries can be handled. They didn’t really give enough specifics on this for me to pass along details, but I will when available.
Performance and Security Tips
How Site Performance and Security Work Together
See how you get double bang for the buck by blocking bad bots.
900 Botnets Ready to Attack Sites
One Tor network is harboring a boat load of hurt for site owners.
In the past couple of days I’ve released two posts that you’re going to want to check out. The first will help you fend off the bad bots and increase site performance while you’re at it. The second one will scare you as much as it did me. When you read it, you’ll fully understand what I mean when I say a tidal wave is coming.
– – – – – – – –
The Google Webmaster Central blog has a nice post on ways to discover if your site has been hacked, and several of them include info you can easily find in Google Webmaster Tools.
I’m hoping all of you have a GWT account and have your site verified there. And that you’ve submitted your XML sitemap. GWT is one of the best friends your SEO efforts can have. So, if you need help with that, let me know.
– – – – – – – –
You know the http part of a URL? Well, that has a standard and we’re currently at version 1.1. But version 2.0 is in the works and it could radically increase page load speed. I want to thank +Stephen J Dow https://plus.google.com/u/0/+StephenJDow/posts for bringing my attention to this post on the Responsive Design blog.
Basically, it would require fewer server requests to deliver the content, including images. And, with client hints, it would get smarter about what the person is using to view the site, including their connection speed, and deliver images optimized for that. They didn’t mention when we might be seeing all these improvements, but I’ll be keeping a lookout.
– – – – – – – –
Sucuri has made significant improvements to their CloudProxy Website Firewall service since it was released a year ago. For one, they have radically beefed up their DDoS protection, which is one of the things you’ve heard me talking about so much lately as one of the botnet attack types.
And, they have been working hard to make this service compatible with CDNs, which you’ve also heard me talk a lot about lately for improving performance. Now, the CDN I’ve mentioned most is CloudFlare, which has its own firewall on the paid version. It has DDoS protection on all versions, including the free plan. Sucuri does have special instructions for using their service with CloudFlare, but to me there seems to be too much overlap between these two products in some areas. I think it would be a better fit with another CDN, maybe MaxCDN. There’s a little overlap with it too, but maybe not as much. If you have an opinion on that, I’d like to hear it.
If you’re using the Better WP Security plugin, then you’ll need to update to version 3.6.4 immediately. Three vulnerabilities were found. Now, two of them were in places where the plugin interfaced with other things: InfiniteWP compatibility and the FooPlugins Support Form code. The other issue was with the plugin’s own support form that appeared in the Dashboard. It has been removed, and the folks at iThemes are looking for a better way to put it back.
Contact Form 7 has been updated recently to fix a bug that allowed bots to avoid CAPTCHA validation. The current release is 3.7.2.
Login Lockdown has also recently been updated. The new version removes the “Login form protected by Login LockDown.” message from within the dashboard and fixes a security hole caused by an improperly escaped SQL query. It also adds an option to mask which specific login error (invalid username or invalid password) was generated, and an option to lock out failed login attempts even if the username doesn’t exist. The developers are getting super serious about this plugin fighting off Brute Force attacks without being a drag on your system. It’s the plugin I use and recommend. To check the new configuration options, go to Settings > Login Lockdown. I’ll probably be making a quick video on this soon too.
I really appreciated this post on Torque by Troy Dean. It’s aimed at designers, developers, and consultants. And the premise is about what to charge a client if you use a premium theme that you only paid $55 for.
My favorite header in this post is that a theme is not a website. And then Troy goes on to list all of the things that go into making a website, of which the theme is just one component.
And I got really tickled that the last thing on that list was training the client how to use all of it. Of course, I start with that because a well-educated client can make informed decisions about all of the things on that list and significantly contribute to the success of the site they are about to own, run, and rely on as their 24/7/365 business partner.
– – – – – – – –
A good User Interface, or UI, makes for a higher conversion rate. And the GoodUI.org site has 39 tips with visuals to show you how it’s done. Even if you just scan this post you’re going to get ideas for improving your call-to-action pages. I want to thank +Stephanie Calahan for bringing this post to my attention.
Content Marketing Tips
Images can really make a post stand out on social media. But finding high quality images can be a real drain on both your time and budget. Getty announced that they are suddenly making 40 million stock photos available for free. And while a lot of bloggers are jumping up and down happy, it’s not quite as good a deal as it sounds.
First, you have to use their code for embedding, just like a YouTube video. That may be a performance issue. I haven’t tested it yet. But that’s not the real problem with it anyway. If they ever take that photo down or change their minds and require you to have a paid account to keep using it, poof, it comes off your site.
Second, in exchange for the free image, they can put monetization links on the embed. You get zero profit sharing from that.
And, you cannot use these images on a commercial page. The blog post must be educational or editorial in content. It can’t be a sales page. What I’m wondering about with that is if you have a call to action on the page. Does that make it commercial?
So, if you do this thing, just go into it with eyes wide open. There are even plugins that put a module in your Dashboard that make it easy for you to search for images. But, I won’t be using either. Just sayin’.
– – – – – – – –
+Mike Alton has recently updated his super duper post with even more links. You’ll definitely want to bookmark this gold mine of a resource and be reading on it all week.
Okay, I found this short clip on G+ of an elephant jumping on a trampoline. I don’t know why I find it relaxing, I just do. If you go to YouTube and search for elephant jumping on trampoline, you’ll find the original this was taken from, which has him flipping all around and such. Worth a watch, but definitely not as relaxing. And you’ll find several others with all types of music behind it, which is kinda cool too.
Alright y’all, that’s a wrap for this week’s Tips Tuesday. If you’ve got tips you think will help folks, send them on over to me. And please do leave a comment here on the blog, on iTunes, or on G+. I love hearing from you. Be sure to visit BlogAid.net for more tips and resources and I’ll see you online.