If you are using WordPress SEO by Yoast, be aware that it is vulnerable to blind SQL injection, and you should update the plugin immediately. More details can be found here: https://wpvulndb.com/vulnerabilities/7841.
Occasionally I like to recommend WordPress plugins since it is the most widely used blogging platform. In this post I am going to recommend a few plugins to help you better secure your WordPress platform.
UpdraftPlus Backup/Restore – If you have read any of my previous blog posts, you will know I have used a lot of different WordPress backup plugins in search of the perfect one. Lately I have been using UpdraftPlus in conjunction with a free Dropbox account. I am not ready to call it perfect, but so far it has proven to be very easy to use. You can use it in combination with many different storage services like Dropbox, Amazon S3, etc., or simply back up to your FTP account. Here are some more details from the UpdraftPlus plugin description.
UpdraftPlus simplifies backups (and restoration). Backup into the cloud (Amazon S3 (or compatible), Dropbox, Google Drive, Rackspace Cloud, DreamObjects, FTP, SFTP, WebDAV and email) and restore with a single click. Backups of files and database can have separate schedules.
- Thousands of users: widely tested and reliable (over 215,000 downloads). Ranks in the top 0.5% on rankwp.com (70th out of 25,000 plugins).
- Top-quality: ranks 52nd out of 25,000 WordPress plugins for quality on rankwp.com (top 0.25% – last checked 20th August 2013).
- Supports WordPress backups to Amazon S3 (or compatible), Dropbox, Rackspace Cloud Files, Google Drive, Google Cloud Storage, DreamHost DreamObjects, FTP and email. Also (via an add-on) FTP over SSL, SFTP and WebDAV. (Note: Microsoft forbids SkyDrive from being used by backup software). Some examples of S3-compatible providers: Cloudian, Connectria, Constant, Eucalyptus, Nifty, Nimbula, Cloudn.
- Quick restore (both file and database backups)
- Backup automatically on a repeating schedule
- Site duplicator/migrator: can copy sites, and (with add-on) move them to new locations
- Files and databases can have separate schedules
- Failed uploads are automatically resumed/retried
- Large sites can be split into multiple archives
And there is much more.
All In One WP Security & Firewall – I like this plugin because it provides you with a firewall for your blog, a grading system for your security setup, and additional security features like brute-force attack prevention. Here are some additional details from the plugin description.
All In One WP Security reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.
Our security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This way you can apply the firewall rules progressively without breaking your site’s functionality.
Below is a list of the security and firewall features offered in this plugin:
User Accounts Security
- Detect if there is a user account which has the default “admin” username and easily change the username to a value of your choice.
- The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having accounts where the display name is identical to the login name is bad security practice because you are making it 50% easier for hackers, since they already know the login name.
- Password strength tool to allow you to create very strong passwords.
User Login Security
- Protect against “Brute Force Login Attack” with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings, and you can also choose to be notified via email whenever somebody gets locked out due to too many login attempts.
- As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
- Force logout of all users after a configurable time period
- Monitor/View failed login attempts which show the user’s IP address, User ID/Username and Date/Time of the failed login attempt
- Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
- Ability to automatically lock out IP address ranges which attempt to log in with an invalid username.
And there is much more…
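The Login Lockdown behaviour described above, written out as an added example (this is not the plugin's own code): failed logins are counted per IP inside a time window, the IP is locked for a configurable period once the threshold is hit, an attempt with a non-existent username locks the source immediately, an administrator can lock or unlock a whole range, and every lockout is recorded as an event that an email notification could be driven from. The class names, the configuration values and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockdownConfig:
    max_attempts: int = 3                       # failures tolerated inside the window
    window: timedelta = timedelta(minutes=5)    # failures older than this are forgotten
    lockout: timedelta = timedelta(minutes=60)  # how long a locked source stays locked
    lockout_on_invalid_user: bool = True        # lock at once when the username does not exist


@dataclass
class LoginLockdown:
    cfg: LockdownConfig
    valid_users: set
    failures: dict = field(default_factory=dict)  # ip -> list of failure timestamps
    locked: dict = field(default_factory=dict)    # ip network -> lock expiry time
    events: list = field(default_factory=list)    # (time, network, username, reason)

    def is_locked(self, ip, now):
        """True if ip falls inside any unexpired locked network; expired locks are dropped."""
        addr = ipaddress.ip_address(ip)
        for net, expiry in list(self.locked.items()):
            if now >= expiry:
                del self.locked[net]
            elif addr in net:
                return True
        return False

    def lock_range(self, cidr, now, username=None, reason="manual lockout"):
        """Lock a single address or a whole range (e.g. '198.51.100.0/24') and record it."""
        net = ipaddress.ip_network(cidr, strict=False)
        self.locked[net] = now + self.cfg.lockout
        self.events.append((now, str(net), username, reason))

    def attempt(self, ip, username, password_ok, now):
        """Evaluate one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"
        if username in self.valid_users and password_ok:
            self.failures.pop(ip, None)            # a success clears the failure history
            return "ok"
        if username not in self.valid_users and self.cfg.lockout_on_invalid_user:
            self.lock_range(ip, now, username, "invalid username")
            return "locked"
        recent = [t for t in self.failures.get(ip, []) if now - t < self.cfg.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.cfg.max_attempts:
            self.failures.pop(ip, None)
            self.lock_range(ip, now, username, "too many failed attempts")
            return "locked"
        return "denied"

    def unlock(self, cidr):
        """Admin action: remove the lock on an address or range."""
        self.locked.pop(ipaddress.ip_network(cidr, strict=False), None)


def demo():
    """Constructed scenario; returns the sequence of decisions and the recorded lockouts."""
    ld = LoginLockdown(LockdownConfig(), valid_users={"editor", "siteowner"})
    t0 = datetime(2013, 8, 20, 12, 0)

    def m(minutes):
        return t0 + timedelta(minutes=minutes)

    results = [
        ld.attempt("203.0.113.5", "editor", False, m(0)),   # denied (1st failure)
        ld.attempt("203.0.113.5", "editor", False, m(1)),   # denied (2nd failure)
        ld.attempt("203.0.113.5", "editor", False, m(2)),   # locked on the 3rd failure
        ld.attempt("203.0.113.5", "editor", True, m(3)),    # still locked, password irrelevant
        ld.attempt("198.51.100.7", "admin", False, m(0)),   # locked: no such user
        ld.attempt("192.0.2.9", "siteowner", True, m(0)),   # ok
        ld.attempt("203.0.113.5", "editor", True, m(62)),   # ok: the 60-minute lock expired
    ]
    ld.lock_range("198.51.100.0/24", m(5), reason="admin ban")
    results.append(ld.attempt("198.51.100.200", "editor", True, m(6)))  # locked by range
    return results, ld.events
```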
MVIS Security Center – I like this plugin because it provides a very simple check for your WordPress install. Here are some additional details from the plugin description.
MVIS Security Center is a proactive WordPress security plugin that helps you lock down your installation in three simple and clear steps.
- Update Check: Find out what components of WordPress are vulnerable or need updating.
- User Check: Find out which of your user accounts have problems that pose risks to your website.
- Core Check: Find out which files and settings put your website at risk.
- You’ll receive an e-mail alert as soon as vulnerabilities are identified that affect any of your sites.
- The vulnerability alerts will tell you exactly how to address the vulnerability and become safe again.
- You’ll receive weekly status mails informing you about outdated versions and vulnerabilities in your sites.
I hope you find these WordPress plugins helpful, and as always if you have any questions or comments, please feel free to use the comments section below.
Well I promised I would update my last blog post on my data security experiences with LinkedIn. Let’s cut to the chase – I have several concerns, and here they are.
- LinkedIn’s tech support response is painfully slow. I opened the ticket on March 27. LinkedIn responded on April 8. For those of you counting at home that is 12 days. If you are going to run a business catering to millions of potential users, you need to develop a support system to respond to them. LinkedIn could take some lessons from Amazon.
- They removed the user from following my LinkedIn company page which per their Help Desk, they say they will do. Unfortunately though you do not have the ability to do this yourself, and you have to request for LinkedIn tech support to perform the action – which in my case took 12 days.
- Regarding the user claiming via their LinkedIn profile to work for my company, LinkedIn did nothing about this issue, and here was their response: “If any members indicate they are current or past employees when in fact they aren’t, it’s usually because: 1. They haven’t had the chance to update their profiles. 2. They mistakenly selected the wrong company name when they updated their profile. We generally don’t moderate or validate information that members post, but there are times when we might intervene.”
Number 1 is a problem because when you have a problem on LinkedIn, it looks like it will take a while to get it sorted.
Number 2 is a minor problem, and essentially you are unable to remove people from following your company pages. From a data security standpoint, it only really becomes a problem if the same person is trying to also pass themselves off as an employee of your company.
Number 3 is the larger problem from a data security standpoint, especially for larger companies that are unable to actively monitor all existing employees. You basically have two data security issues here. The first is someone passing themselves off as an employee of your company and contacting your existing clients via LinkedIn to obtain information from them. The second is the same impostor contacting your existing employees via LinkedIn to obtain information from them.
So how do you protect yourself? First, close your Connections so that people outside your network cannot view them. Second, do not send any type of sensitive documentation via the LinkedIn internal email system. In this case it helps to have an information classification policy in place to prevent employees from sending out sensitive documents.
As always if you have any questions or comments, please feel free to list them below.
Social marketing has opened the doors to allow smaller businesses to compete with larger businesses on a somewhat level playing field. That being said, social marketing has also opened the door to a new level of data security considerations. This will be the first blog post in a series discussing data security considerations for social marketing initiatives.
LinkedIn is a business social marketing website, and there are several data security issues you should be aware of when using LinkedIn, but in this blog post I am going to discuss just one issue that is very troubling. Just as people lie on resumes, they can also lie on their LinkedIn resumes.
So what do you do when someone claims to have worked for your company, and they follow your Company Profile page to make it look even more legit? Obviously there are multiple security issues here. Someone could contact connections via LinkedIn passing themselves off as a representative of your company. If you, or someone employed at your company, open your personal connections to be viewable by anyone on LinkedIn, then this person can also access and contact your business connections directly acting as a representative of your company. Personal or business data could be passed to this imposter along with the obvious PR damage that could be done to your company image. So this issue could go way beyond just someone “padding” their resume.
So I will ask the question again – what do you do when someone claims to have worked for your company? Well, this issue is actually happening to me right now, and I am going to update you in real time on how LinkedIn responds. Today I discovered someone claiming to work for my company, and they are also following my Company Profile page.
LinkedIn provides instructions here on how to go about contacting them to get the person removed from your Company Profile page, but they do not say what to do when someone is misrepresenting themselves as working for your company. As such I included both issues in my request to remove this person from following my Company Profile page.
Frankly so far I am not impressed with how LinkedIn allows you to resolve this situation. I understand they cannot immediately suspend someone’s account, but there should be a way to escalate matters such as this. I will keep you posted on their response time and how they resolve the issue.
So what can you do to prevent this from happening? Periodically review your Company Profile page to see who is following you, which you should do anyway from a social marketing perspective. In addition you can use the LinkedIn Advanced Search to search for your company name to see how it is being used on LinkedIn.
If you have any questions or comments, please feel free to list them below in the comments section, and I hope to update you soon – at least it better be soon – on LinkedIn’s response.
In a previous blog post, I recommended some backup and security plugins for WordPress blogs. In this post I would like to recommend two additional security plugins for your WordPress blog. Overall WordPress is a fairly secure blogging platform, but there are several steps you can take to increase the security of your blog, and these two plugins can help you take those steps. The last thing you want is for a hacker to bring down or deface all of your hard work. And with that said, make sure you are backing up your blog on a regular backup rotation.
Please note the descriptions below come from the plugin websites.
Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.
- Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
- WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
- Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
- Premium users can also block countries and schedule scans for specific times and a higher frequency.
- See how files have changed. Optionally repair changed files that are security threats.
- Scans for signatures of over 44,000 known malware variants that are known security threats.
- Scans for many known backdoors including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
- Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
- Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
- Checks the strength of all user and admin passwords to enhance login security.
- Monitor your DNS security for unauthorized DNS changes.
- Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
- Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
- Choose whether you want to block or throttle users and robots who break your security rules.
- Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
- See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
- Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
- Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
Better WP Security
With one-click activation for most features as well as advanced features for experienced users Better WP Security can help protect any site.
As most WordPress attacks are a result of plugin vulnerabilities, weak passwords, and obsolete software, Better WP Security will hide the places those vulnerabilities live, keeping an attacker from learning too much about your site and keeping them away from sensitive areas like login, admin, etc.
- Remove the meta “Generator” tag
- Change the URLs for the WordPress dashboard including login, admin, and more
- Completely turn off the ability to login for a given time period (away mode)
- Remove theme, plugin, and core update notifications from users who do not have permission to update them
- Remove Windows Live Write header information
- Remove RSD header information
- Rename “admin” account
- Change the ID on the user with ID 1
- Change the WordPress database table prefix
- Change wp-content path
- Removes login error messages
- Display a random version number to non-administrative users anywhere the version is used
Just hiding parts of your site is helpful but won’t stop everything. After we hide sensitive areas of the sites we’ll protect it by blocking users that shouldn’t be there and increasing the security of passwords and other vital information.
- Scan your site to instantly tell where vulnerabilities are and fix them in seconds
- Ban troublesome bots and other hosts
- Ban troublesome user agents
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
- Strengthen server security
- Enforce strong passwords for all accounts of a configurable minimum role
- Force SSL for admin pages (on supporting servers)
- Force SSL for any page or post (on supporting servers)
- Turn off file editing from within WordPress admin area
- Detect and block numerous attacks to your filesystem and database
Should all the protection fail Better WP Security will still monitor your site and report attempts to scan it (automatically blocking suspicious users) as well as any changes to the filesystem that might indicate a compromise.
- Detect bots and other attempts to search for vulnerabilities
- Monitor filesystem for unauthorized changes
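Both the Wordfence core-file integrity scan described earlier (comparing site files against the repository versions, showing how they changed and optionally repairing them) and the filesystem-change monitoring listed just above rest on the same check. This added example (not either plugin's code) implements it as a stand-alone script: the known-good copies are held in a dictionary standing in for the repository, every file under the site root is hashed with SHA-256, and the report lists modified, added and missing files with a unified diff for each modified one. The file names and contents are constructed for the demonstration.

```python
import difflib
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    return found


def compare(pristine, root):
    """pristine maps relative path -> known-good bytes (stand-in for the repository copy).
    Returns a report with 'modified', 'added', 'missing' lists and a unified diff per modified file."""
    expected = {rel: hashlib.sha256(data).hexdigest() for rel, data in pristine.items()}
    actual = scan_tree(root)
    report = {"modified": [], "added": [], "missing": [], "diffs": {}}
    for rel, digest in sorted(actual.items()):
        if rel not in expected:
            report["added"].append(rel)          # file the repository does not know about
        elif digest != expected[rel]:
            report["modified"].append(rel)       # known file whose content changed
            with open(os.path.join(root, rel), "rb") as f:
                current = f.read()
            diff = difflib.unified_diff(
                pristine[rel].decode("utf-8", "replace").splitlines(),
                current.decode("utf-8", "replace").splitlines(),
                "repository/" + rel, "site/" + rel, lineterm="")
            report["diffs"][rel] = "\n".join(diff)
    report["missing"] = sorted(set(expected) - set(actual))
    return report


def repair(pristine, root, rel):
    """Restore one file from the pristine copy (the 'repair changed files' action)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(pristine[rel])


def demo():
    """Constructed site tree: one file tampered with, one unexpected file added, one file missing."""
    pristine = {  # constructed stand-in names and contents, not real WordPress files
        "site-index.php": b"<?php\nrequire 'lib/helpers.php';\n",
        "lib/version.php": b"<?php\n$site_version = '1.0';\n",
        "lib/helpers.php": b"<?php\nfunction helper_ok() { return true; }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel in pristine:
            if rel != "lib/helpers.php":         # leave this one out so it shows as missing
                repair(pristine, root, rel)
        with open(os.path.join(root, "lib/version.php"), "ab") as f:
            f.write(b"// tampered line (constructed)\n")
        with open(os.path.join(root, "rogue-upload.php"), "wb") as f:
            f.write(b"<?php // unexpected file (constructed)\n")
        before = compare(pristine, root)
        repair(pristine, root, "lib/version.php")   # restore the tampered file
        after = compare(pristine, root)
    return before, after
```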
Finally, should the worst happen Better WP Security will make regular backups of your WordPress database (should you choose to do so) allowing you to get back online quickly in the event someone should compromise your site.
- Create and email database backups on a customizable schedule
- Make it easier for users to log into a site by giving them login and admin URLs that make more sense to someone not accustomed to WordPress
- Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.
I have recommended AddThis in previous blog posts, and I personally use the AddThis Share toolbar on my main website to allow users to share my articles.
Recently AddThis has added two new tools that will make it easier for you to share your website content. First is the Welcome Bar, and I have added this to my WordPress blog. It is very easy to add via the WordPress Plugin toolbar, and it offers:
- Configurable greetings for visitors from LinkedIn, Twitter, Facebook, and many other sites
- You can customize a call to action using share, follow, or go to URL
- And you can customize the interface, including background color, text color, and button text
- Offers an analytical component so you can see how visitors are using it
What I like most about the Welcome Bar is that it is very unobtrusive like many other Follow bars, and you can see what I mean in the image below.
The next tool available is the Trending Content Box.
- Displays newest top social content
- Configurable content types (trending, top shared, or top clicked)
- Configurable time period (day, week, month)
- Customizable interface
- Offers an analytical component so you can see how visitors are using it
Check out these new tools offered by AddThis to make it easier to share your website content.
In last week’s blog post I recommended the comments tool Disqus for small business blogs. Several of you emailed me about how to easily import your current comments from your WordPress blog into Disqus. If you install the Disqus plugin within WordPress, there is an Export Comments button under settings, but it is very slow if it works at all. Here is an easier and quicker way to do it.
1. The first thing you will want to do is install the Disqus WordPress plugin and sign up for an account with Disqus. Note: I would wait to activate the Disqus plugin until you are ready to export your current WordPress comments to Disqus, because once you activate the plugin, your current comments will not show up. But do not worry, they are not lost. Just follow the next steps to proceed with the export.
2. Next you will go to Export under Tools in the WordPress Dashboard. Select Posts (as seen in the image below), and if you have a large number of posts and/or comments, you can use the date range to narrow it down. In most cases you will not need to do this.
3. Save the XML file to your desktop.
4. Go to the Import and Export page within Disqus, and upload the XML file from your desktop.
And that is it. Just wait until the upload is processed within Disqus, and your existing comments will now be viewable in the new Disqus format on your WordPress blog. As always if you have any questions or comments, please feel free to add them below.
Disqus is a real-time commenting system you can add to your blog. Below is a list of several major features of Disqus.
- Integrates with the major social platforms like Twitter, Facebook, Google, etc., so it makes it easier for users to sign in without having to create a separate account with your blog.
- Allows readers to subscribe, like, and share comments across their social networks.
- Offers a notification system that lets your blog readers know when they have received a reply to their comments, and it allows them to reply directly from their email.
- Provides a spam filter for your commenting section.
- The comments are indexable by search engines so it is SEO-friendly.
- And there are tons of other features as well.
Disqus is compatible across all the major blog platforms. I use WordPress, and you simply download and install the plugin. You can also export your existing comments. Check out Disqus, and as always if you have any questions or comments, please feel free to comment below.
I have always recommended blogging as a key part of a small business online marketing strategy. Blogging allows you to interact with potential clients on your website, is a good way to allow visitors to promote your content, helps with your SEO strategy, and is a good way to provide timely and helpful information to your clients. So with that introduction in mind, here are some blogging tips to help you take your small business blog to the next level.
- Pick a good blogging platform. I prefer and use WordPress, but there are several good platforms out there. See this blog post where I reviewed several blog platforms.
- Do what I just did in number one. Link to your other relevant blog posts, and consider writing a blog post series to keep readers coming back.
- Be consistent. Pick a schedule and stick to it. I used to write daily blog posts, then as I got busier, I slowly dwindled down to a few blog posts each month. If you have a dedicated marketing person for your small business, then a couple of posts each week will be about ideal.
- Write good content. Easier said than done, right? So what is “good” content? Well, it needs to be easy to read, and you need to provide something useful for your potential customers. If you are using your blog for sales and marketing purposes only, you will probably find you have few readers. Consider using your blog to provide tips, how-to posts, and other types of useful information. My blog posts are probably about 95% useful information, and the other 5% is links back to the services I offer on my website. At most I would consider 80/20, with 80% being useful information and 20% promoting your products and services.
- Do not just write for readers, but consider search engines as well. So how do you do this? I use a WordPress plugin called All in One SEO, but essentially you need to provide meta tags for the titles and descriptions of your blog posts. Keep your content fresh, and link within your blog posts, to your website, and to other websites.
- Use a call to action and encourage readers to comment about your blog post.
- Provide social share buttons to allow readers of your blog to easily share the content with their social networks. See below each of my posts for an example.
- Use eye-catching images to show details of what you are writing about or just to break up the content.
- Consider video blogging. Video blogging is especially helpful when you are trying to show customers a how-to.
- Allow guest blog posts to provide a different and useful perspective to your readers.
- Provide a search box.
- Provide an RSS feed.
- Provide a way for readers to subscribe to your blog via email.
- Provide Categories based on the different topics you write about, and write posts to fit into your Categories. See my sidebar for example Categories.
- Use analytics to measure how readers are using your blog, what they are most interested in, inbound links, and how readers are socially sharing your content.
- Check for grammar, spelling, and punctuation.
- And finally promote your blog. Link your blog to your other social marketing networks such as Twitter, LinkedIn, Facebook, etc. Link your blog in free directories. Use tools like Onlywire to publish your blog post to multiple platforms at once.
Follow these tips to create a successful small business blog. And if you have any additional tips, please feel free to list in the comments below.
Promoting your social media networking via your website is an important step in marketing your small business. There are several benefits to doing this.
- Allows your customers to more easily interact with you
- Makes it easier for your customers to promote you through their social networks
- Helps from a search engine optimization (SEO) standpoint – fresh content, link promotion via social networks, etc.
Here are some tips on how to do it.
1. Use social media buttons to link to your main social network websites. Place the images in the top or bottom navigation bar. See number 1 in the image below.
2. Do you have a blog? If so when you create new blog posts, link them from your home page (see number 2 in the image below). It is a good way to show the search engines, in addition to your customers, that you are constantly creating new and valuable content.
3. If you have a blog, also make sure you provide social share buttons to allow your readers to share your content with their social networks.
4. Do you post articles on your website? Do you have an e-commerce store? Do you have a newsletter? Use social share buttons to allow your website users to recommend or share your content. AddThis offers an easy-to-customize social share toolbar.
Follow these easy steps, and you will effectively promote your social networks via your small business website. Just keep it simple and don’t overdo it.