Hello Happy Site Owners!
Tips this week include:
- The new BlogAid Pinterst page
- My upcoming chat with Matt Mullenweg, co-founder of WP
- Why you need HTTPS even if you’re not selling anything on your site
- Update on site hacks via the REST API
- Google Search Console wording change on site update notifications
- Two of my fave plugins no longer supported or removed from the repository
- Follow up on the BlogVault hack
- How Google determines which version of your site to index
- What cPanel partnering with Comodo means for your site and hosting
- What HSTS is and why you have to have it
- Hosts using PHP7 by default now and what you need to watch out for
- And epic list of 134 free stock photo sites
- How and why you need to verify and authenticate your email address with MailChimp
- An in-depth tutorial to block referral spam in Google Analytics
- Why SEO is essential for your business
- A comparison review of StudioPress Sites and Rainmaker
Listen to the podcast
Podcast: Play in new window | Download
Subscribe: RSS
BlogAid Happenings
Happy Valentine’s Day y’all!
BlogAid Has a New Pinterest Home
I hope you’ll be my valentine and show some love by following my new BlogAid Pinterest page.
You’ll find Tips Tuesday there, plus my BlogAid Today videos and so much more.
Chat with Matt Mullenweg Scheduled
You may recall back in December I posted about Why I Yanked VaultPress Off My Recommended List because now you have to install Jetpack to use it.
That post drew a comment from Matt Mullenweg, the co-founder and lead project manager on WordPress.
He offered to schedule a chat with me to clear up any misunderstandings I might have about XML-RPC and how Jetpack actually helps protect against those types of brute force attacks.
Well, he finally scheduled that chat for tomorrow.
Should be an interesting conversation about WordPress security right on the heels of a zero day vulnerability in the REST API and Wordfence’s report on XML-RPC being a favorite way for hackers to run a brute force attack.
You know I’ll keep you posted on how it goes.
Moving Hosts and Converting Sites to HTTPS
It’s been a week full of surprises, research, and conversations with Tier 3 support at some hosts.
I helped a couple of site audit clients migrate away from bad hosts and saw exactly how the new hosts are setting up new accounts now.
You’ll want to hear about the PHP version issues in the Hosting Tips section.
I’ve got a post coming for you soon with more on those Tier 3 support conversations, but we’re all still doing some research. So, when we have final answers, I’ll publish.
I’ll give you hint.
I found code being added to the root files that even the hosts didn’t know about.
Why Do I Need HTTPS If I Don’t Sell Anything On My Site?
It took me a while to jump on the HTTPS bandwagon, especially about the claims that it will make the internet more secure.
But, I’m all in now.
Catch my post from yesterday about why you need to convert your site to HTTPS too, even if you don’t sell anything or take passwords or such, and why you want to do it sooner rather than later.
That’s all the news from around here. Let’s jump into this week’s tips.
WordPress Tips
Sites Being Hacked and Defaced Due to REST API Vulnerability
Every WordPress security site on the internet is covering this story about how hackers immediately jumped on that zero day vulnerability in WordPress 4.7.1 the minute it was publicly announced last week.
I’m betting the overwhelming majority of these are abandoned sites.
And let that be a warning to y’all who have multiple sites on the same cPanel account, including test sites you have perhaps forgotten about. You have to keep them updated too.
Every site on your account needs to be secured and maintained, else it puts every other site on your account at risk.
Removing abandoned sites includes more than just deleting the WordPress files.
Contact me if you need help with that.
There are bunches of posts on these attacks.
Hacked by – WordPress Rest API Vulnerability in the Wild(v. 4.7-4.7.1)
The best post for covering the how and why and what to do about it is from my world class hack specialist, Makis, who runs FixMyWP.com
WordPress REST API Vulnerability is Being Actively Exploited, Hundreds of Thousands of Sites Defaced
WPTavern has a good overview of what’s happening.
A Feeding Frenzy to Deface WordPress Sites
One of the ongoing reports on this from WordFence.
I want you to take note of something in that post.
Only their paid subscribers are getting the most up to date protection.
So, if you’re using the free version of WordFence, your site could be vulnerable for up to a month before they roll out the latest protection to you. And that doesn’t sound like something worth having to me.
Google Search Console Changes Confusing Notification Wording
Google Search Console, formerly Google Webmaster Tools, has been sending notifications to site owners whenever it detects that their WordPress software is out of date. Well, the wording in those notifications has been a bit confusing, or even alarming.
GSC uses a different method to detect the site’s WP version, and it runs behind a little bit in updating itself too.
So even if your site is up to date, you could still get an email from them.
WPTavern has a nice post with more info about the changes in wording and the types of messages you might get.
You do have your site verified with GSC, don’t you?
Plugin Tips
Revision Control No Longer Supported
I’m so sorry to hear this! One of my fave plugins, Revision Control is no longer being supported. It hasn’t been updated in a year already and there is now a note on the plugin’s page in the WordPress repository that it won’t be updated in the future.
There’s no problem with the plugin, and it still works, but it’s time to think about making a change.
There is a way to hard code this into your wp-config file, so that’s the way I’ll be doing it on my sites and for site audit clients from now on.
I’m also hard coding the heartbeat frequency and creating a real cron job instead of relying on WP’s virtual cron, just to keep the clocking ticking regularly.
And this is why I have a loyalty audits program.
Getting an annual site check up is a good thing to do because stuff like this and security is changing all the time.
Once you get an audit, you’ll be eligible for a loyalty audit which is faster and cheaper than the first one.
That’s mainly because your site was all spiffied up and you got the education needed to keep it that way.
Thanks so much to webmaster Ingrid Cliff of Heart Harmony Communications for the heads up on that Revision Control plugin.
WP Fastest Cache Removed from Repo
The developers of the WP Fastest Cache plugin suddenly, and without explanation, removed the plugin from the WordPress plugin repository.
Lots of folks in advanced dev groups that I’m a member of speculated there might be a security concern.
But a couple of them reached out to the plugin creator and discovered that they were in violation of the extremely strict policies that WP has in place for free plugins listed in the repo.
WPFC also has a paid version and obviously something about the free version was not in compliance.
It should be back in the repo soon, if it’s not already.
WP Super Cache Vulnerabilities Patched
Another popular local caching plugin, WP Super Cacher, had multiple XSS security holes that were patched lately. So, if you’re using that, be sure to keep it and all of your plugins updated.
Get a Better Caching Plugin
Read my post on the winners of head to head caching tests on these plugins per host type.
WP Super Cache did not fare well in those tests.
But, the biggest failure I see with them is site owners not turning them on!!!
Lots of plugins have configuration settings. Installing is not enough.
So, be sure to check the settings on all of your plugins so you actually get the benefit of having them on your site.
And seriously consider the benefit of a paid plugin like WP Rocket, that has less headaches and security issues and superior support.
Backup Tips
BlogVault Hack Follow Up
Two of my clients received notification from BlogVault that their sites had been exposed due to the hack at the mother company. But only one of those sites was actually hacked.
The other was on a paid WAF firewall from Sucuri.
I can see the day coming when all of us are going to be on a paid firewall to prevent these attacks.
I’ll be recommending the paid version of CloudFlare most likely, as I strongly prefer their CDN.
HTTPS Tips
Google Indexing HTTPS by Default
Since 2015, Google has been attempting to index the HTTPS version of sites by default, meaning that it checks for that version first as the best one to index.
In this announcement post, they describe the conditions that have to be met for them to determine that you are indeed sending your site links over HTTPS.
They include things like no mixed media, which is the most common clue that the site has not been converted to HTTPS yet.
So, if you can see an HTTPS version of your site, but it hasn’t been converted yet, don’t freak out, even if it looks goofy. Google is not indexing that version. And it’s not likely that any of your site visitors are taking the extra time to type in https in the URL, so they are not seeing it either.
World’s Largest CA Comodo and Web Hosting Platform Leader cPanel Join Forces to Enable Automated SSL Encryption for the Web
This is a big deal and will go a long way into making the internet safer with SSL and HTTPS encryption.
cPanel is a software that hosts use to provide a nice user interface for all of your host activities, plus integration for extra software from host partners.
Well, now cPanel has joined forces with Comodo, which is the industry leader in SSL certificates.
This venture means that all hosts running v60 of cPanel now have the entire server protected via an SSL certificate.
So now, even your login screen to your cPanel is HTTPS.
It also discovers and deploys DV cPanel SSL certificates automatically to all websites, logins and endpoints on the server.
Plus, AutoSSL also renews expiring certificates. So you never have to worry about your free cert expiring.
All of this is great. But, the way they may be doing their certificate authentication is what I’m in discussion with Tier 3 support about right now. I’ll keep you posted on that as we learn more.
What Is HSTS and How Do I Implement It?
My friend Denver Prophit, who is President of StrikeHawk eCommerce, Inc. wrote this post for GlobalSign, which is also an industry leader in SSL certificates.
HSTS is the HTTP Strict Transport Security.
Denver explains more about what HSTS is and why Google has made it a criteria to get accepted on their Chrome safe site list.
Ensuring your site is HSTS compliant is just one of the services I provide in my HTTPS Site Conversions.
Hosts Use PHP7 by Default
Over the weekend I migrated two clients to each of my preferred hosting vendors of SiteGround and A2 Hosting (aff links).
Discovered the hard way that both of them are set to PHP7 by default on all new accounts.
Made a couple of plugins not work. I set the PHP down to 5.6 and all was well. So, just watch for that as we are in this transition period of moving up to version 7. Not all plugins and themes are ready for it. And you may need to think about getting new plugins for those that aren’t on the ball with this.
Content Marketing Tips
Kenny Jahng’s Epic List of 134 Free Stock Photography Websites
Free images are good. And having more places to get them are even better.
Check out this epic list of 134 sites with free stock images.
Be careful, though. Be sure you check the TOS to see if attribution is required.
And, as it is with all free things, be sure to check those downloads for malware or such too.
Authenticate Domain Related Email in MailChimp
Email is a big part of your content marketing, especially if you use it to send folks your blog posts by email.
Thanks so much to webmaster Terry Green of BizEase Support Solutions for clarifying that verifying your domain related email address with MailChimp is different from authenticating it.
And thanks to webmaster John Sawyer of The Small Business Website Guy for providing the how to links for doing that authentication if you use CloudFlare.
He made a nice screencast of the CloudFlare part, because it now controls your DNS records, including those for email MX and TXT records.
Once you get that setup, here’s the tutorial from MailChimp on how to do the rest of it.
This is just one great example of how webmasters are helping each other in our private Facebook group. It is exclusively available to Webmaster Level 6 members in my Webmaster Training courses.
Do come join us and get the help and support you need.
SEO Tips
Block Referral Spam in Google Analytics
You may remember a post I highlighted a couple of months ago in Tips Tuesday with a way to filter out spam bots from Google Analytics. Well, that was the easy way, but the info was a bit out of date.
Neil Patel has an in-depth tutorial on it that is up to date, but it’s a lot of manual labor to set up. And then you have to maintain it periodically.
But, if you depend on accurate analytics for your ad income, you will want to have a look at it.
Why SEO is Essential for Your Business
I know some of you do SEO as an afterthought to your primary visibility marketing, like using Pinterest and other social media to drive traffic.
But, the truth is, you’re turning away free traffic, and lots of it, if you don’t enhance what you’re already doing with just a few SEO tactics that will take maybe :30 seconds to do.
The folks at ManageWP have a nice post on why SEO is essential and how easy it is to add just a few tweaks to maximize it.
I teach even more tips to help you lay a solid SEO foundation on your site that will enhance these beginning steps too.
Look for a new workshop in the near future when I open the DIY SEO course back up to the public again.
Hosting Tips
Is StudioPress Sites Just Rainmaker in a New Outfit?
I’m glad someone finally had the guts to ask this question. I’m especially happy it came from Carrie Dils, as I have mad respect for her as a long-time Genesis user and developer.
She gives us an in-depth comparison of the new StudioPress Sites product compared to the Rainmaker product, which is another managed hosting solution from the makers of Genesis.
Yeah, sure it’s way more than typical shared hosting. But when you look at the cost of other managed hosting services, like WPEngine at $100/mo, then the StudioPress Sites price tag of $24/mo is suddenly easy to swallow.
What isn’t covered in Carrie’s article, or anywhere on the StudioPress Sites website is the traffic limitations.
From previous reviews, it seems that this service caters to those with small traffic. We just don’t know what those numbers are.
And of course, like all managed hosting, there are restrictions on the plugins you can use, but we don’t know any details about that either.
I’m also not sure about whether they provide other necessary services, like backups, DDoS mitigation, and a CDN.
It’s hosted on Synthesis, just like Rainmaker, so maybe more details about those things are available there. I haven’t checked because I just can’t see recommending this to many folks at this time. Most of my clients likely have way too much traffic for that.
Wrap Up
That’s a wrap for this week’s Tips Tuesday.
Find these tips helpful? Share them with your peeps!!!!
Subscribe to all BlogAid Posts
Subscribe on iTunes
Be sure to visit BlogAid.net for more tips and resources and I’ll see you online.