Last week, I unhacked a website that was actively being wiped as I arrived. Completely wiped. They had gotten complacent and they knew it, and so they thought, lets use AI to bring us up to speed. Sounds great!

Through an unfortunate chain of events, they suddenly needed me. I dropped the book I was reading and ran to my desk to see that when I logged in, files were disappearing in real time. They hadn’t made a backup in too long, and their backup tool had just been deleted.

What had changed? They’d added an AI tool to optimize their site, but that AI tool conflicted with their security software, so they’d deactivated the security without realizing – they had allowed AI to make a management decision–a critical one–whether to be secure. The AI tools they had installed were well meaning. But those opened up his site to vulnerability and now they had a bad actor giving himself root access and deleting everything on the site. Right in front of their eyes, the website vanished. The client was hyperventilating. He almost cried. He was talking about how all of his work was down the drain. (Don’t worry… minutes later, because I’d recognized where the vulnerability was, the damage was contained and the database was back.)

I removed the offending connection and access before it could do any more damage, helped him restore his site, then added a large amount of security. Otherwise there’d be no site today. He only ended up being offline for less than twenty minutes. Our call, including the decompression phase of the call where we just calmed him down, was less than an hour.

The tools that the hacker used? Built with AI. About midway through this process, the client used an AI security tool built into his hosting provider to review his site and found nothing wrong. Hard to find anything wrong with an empty website, I guess.

Everyone out there who values their security needs a good security plugin and a good security consultant who knows how to be smarter than an AI. You need to know when AI is helpful and when you’re about to break everything.

An experienced web professional actually matters.

If you want me to help you with a security review, please get in touch about scheduling. Existing clients go to the front of the list. Again, I’ve got 25 years experience and I’m actually interested in and passionate about what I do. I love helping clients. Also, everything I ever say to you has zero AI involved. I’m real, and I know how to use the available tools the RIGHT ways.

From a website owner’s perspective, Google could have made the transition easier and simpler. Most of my clients were blindsided and frustrated and some came to me for help installing the new system.

I implemented the Google tag manager and ported over all those old codes from every other place they’re using tracking for the clients that asked for my help. One tool to manage it all, one place to remove or add their own codes.

So, if your Analytics code suddenly stopped working, consider the switch to Google Tag Manager, and if you’re using WordPress, install Google Site Kit and manage it all there.

And if instead of doing that, if you need my help getting Analytics working again, let me know. I can help.

Bear that in mind when someone says “for ten dollars a month, here’s an all-inclusive SEO plugin” – optimization needs more than a plugin. It needs a professional. Sure, buy the plugin, it will probably optimize some of the content on your website and boost ranks for a keyword or two. But content is only one of eight factors.

Optimizing a website for search is still very much a thing, but most firms that offer SEO services are actually offering you a tiny part of a large field, or something they’ve wrapped in the label SEO because it’s a buzzword. There are eight primary categories of major overhaul that a website needs to undergo during SEO, some of which can take months of hard work both by a development professional and by your own marketing team in-house. SEO isn’t a quick-fix, may require internal changes at your company, and it’s not something you should entirely outsource.

Here’s what I can tell you about SEO projects. Any real SEO project will take months. It will need cooperation between web professionals and your team. It might require restructure, new content, new relationships, and have some difficult hard costs associated with it. It will not cost you less than… ballpark for the average medium-sized business… $10,000 dollars unless it’s the quick fix variety or you’ve got a very old friend in myself or someone like me.

Yes, you can implement an SEO tool here or there, you can install SEO plugins and improve your ranking, but the vast majority of tools and even SEO professionals are scams. At least 80% of what calls itself SEO is a total waste of money, and anything with low costs is absolutely a scam – because REAL SEO takes a great deal of time and energy on the part of an experienced, focused web professional who knows the difference between actually useful tools and the scams that pose as the real deal.

The internet is THE most competitive arena in the world. If you want to get top billing in that arena, you have to have done more work than the next competitor down the list, and THAT? It costs time and money and experience and sometimes you have to actually become something more worthy top placement – you might have to actually optimize your company, too. It’s not fun to hear it, but you need to if your goal is dominating search.

First, let me recommend that I think you should try to figure out how it works and then use it. But if you want to stay on the Classic Editor, you have the option to install the classic editor plugin and make the interface look the way it used to.

The issue I’m seeing a big uptick in is problems that don’t seem like they’re caused by hacking, but the bug turns out to be some kind of malware. Basically, they’re hacked but don’t know it. There have probably been ten or so clients recently with heavily damaged websites that don’t “seem” damaged from the outside except the forms don’t work quickly anymore or the site is suddenly slowed way down or one software is acting glitchy.

When I lived in the woods, there was a kind of tiny bug that lived in the ground in colonies. So small you could barely see them. They looked like aphids. When they found a larger bug climbing by, they’d hollow it out. The bug still looked like it was climbing on the branch, but it was never moving again because its innards were gone.

A hacked website is usually like that. Looks like it’s there, but not really on closer inspection. The hollowed out husk of what used to be a good site has started:

Running slowly because that website became a triple x redirect spot for some spammer somewhere who wants a clean URL to put into email links so they don’t end up caught in the spam filter.
Or maybe the website doesn’t know it’s covering up a secret directory using up all their bandwidth so that some criminal enterprise isn’t responsible for the images they’re showing, but instead those images are sitting on YOUR site.
Or sending all the new leads to two places instead of just where they should go.

Or or or or or or.

All of these are kinds of malware or hack that I see on websites owned by small to medium sized businesses without their ever knowing. And I’m seeing an uptick in the number of smaller websites this is happening to. The big boys don’t often actually need me to fix things. It’s the guy who built a website fifteen years ago and hasn’t kept it updated who ends up hacked. No, there is almost never a huge “You’ve been hacked!” warning. No, there’s almost never a big laughing skull. Your site just sits there seeming okay, but totally not.

When you leave a big flaw like out-of-date software or no security software, malware eventually finds that flaw and eats its way in. You need to check for it.

How do I recommend that you check for Malware if you’re a small business? Well, search for your website in the “Safe browsing” tool for starters. And then make sure you’re the owner of your website in “Search Console” – previously the webmaster zone at Google. But then, someone needs to pay attention to the notification emails you get from your search console. No amount of software and tools can replace actually noticing that your software is out of date, your site is having glaring issues, or even that you’ve gotten notified that your site is hacked but did nothing because you just filed away the emails. Someone who understands what they say needs to be acting on them.

The above two actions only accomplish one thing: They will let you know if malware on your site is affecting your search rankings. They won’t get find all malware. And they won’t fix any of it but they often advise. It’s a place to start.

Make sure you’ve got a decent security software in place at the server and in any software you’ve installed, and don’t leave sites on old software or allow the server’s core software to stay on old versions. It’s almost always the software that’s the problem when I find malware. Keep it up to date and keep protections on every level.

Yes, this requires putting someone in charge of maintenance. If that’s your webmaster, ask them to keep the software up to date. It’s not something your hosting provider will automatically do.

Aside from issues with software, another weakness is poor passwording. Make your users jump through security hoops. This means, even though some people won’t like it, that you need to require strong passwords, and that you use two-factor authentication (2FA) on any site that collects sensitive information. This is webspeak for “double check”. Those two factors are:
1. You have a username and password, those checked out. So then,
2. the computer goes to double check that you’re okay. It does this by sending an email to your email address, or it texts your phone, or there’s an authentication notice that pops up on your phone from within an app.

If you collect any contact information, you owe your users the kind of security that 2FA provides.

Some of you are saying: I have a full service host, I don’t need this.

You might. There are full-service hosting houses that provide everything about your site from the design to the shopping experience to the hosting space, etc, but those sites can be hacked, too. I’ve seen it. And sometimes it’s on a huge scale and your site just ended up part of a pile of hacked sites on their service. Sometimes you just chose a seemingly good add-on that has a big security hole.

If you’re going for one of those full-service hosts but you collect any user, customer or subscriber details, you have an obligation to your users to upgrade to whatever level includes the best security. Additionally, I’m almost always going to recommend that you leave that all-in-one website service completely if you see signs of any kind of security breach. Rebuild smarter in a different environment. All-in-one hosts are not for complex uses and trying to do that usually results in strangely built, hackable builds.

Anyway, the entire reason I talked to these non-techie business owners of car repair shops and hair salons, bookkeepers and SAHMs with small at-home businesses is that these are exactly the folks most at risk. People without a dedicated on-staff techie watching their website. People most likely to actually have malware sitting on their sites, driving away all the SEO and marketing work they’ve done in the past.

So, if you’re the one man in a one-man shop, it’s a good idea just to follow those two links in this blog post and see if your business is being hurt by having malware on your website.

If you think you have malware and are over your head, you can contact me over at MWM.

Ignore unknown companies with dire fire sale warnings — the situation doesn’t have to be all that bad, and those solutions probably aren’t as good an idea if you have to switch away from YouTube as simply switching to embedding with Vimeo or Brightcove or using self-hosted videos that you place on servers designed for it.

That’s because GeoTrust and Symantec SSLs are about to become untrusted in browsers, unless the company does some very drastic things. Which they might… so if there’s no problem, great. (Read Chrome’s article here.)

It turns out that, per the articles I’ve read, Chrome found out – by running into untrustworthy sites that had been issued certificates – that Symantec was a little too loose and fast with issuance, with some issuing authorities getting slipshod about actually doing the legwork they’re getting paid to do, or were allowing other companies to issue their certificates that didn’t do the legwork (by legwork I mean actually verifying that the cert requester was who and what they said they were), just issued without checking. So the Chrome browser folks decided to no longer trust them. And that’s a big part of the overall population of SSLs out there.

It’s critically important, from an “actual web security” standpoint, that SSLs are trustworthy and real. And that those who have been granted them actually do deserve them. Since a few bad apples got into the system, it spoiled the bunch from the browser perspective. Which means lots of work for us.

So, the way to verify whether or not you’ll need to replace your certificate is to head to a secure page of your site with the web developer tools app enabled in Chrome, and read through the console’s error messages. If you get a message, we recommend switching to Comodo or some other unaffected brand of certificate pronto. Or switch to using Cloudflare premium and their SSL option.

I offer a service to check and replace SSLs, but currently I’m limiting that to current and former clients.

Update: May have been resolved?

How do you solve this? Immediately upgrade you hosting so that your site has a security certificate (SSL) and change settings in your site to activate HTTPS.

Here’s a letter I just sent out to my hosting clients. If you’re another of my clients, but aren’t hosted by me, contact me for details on how to fix this. I’ve had hundreds of clients over the years, and as long as you’re in good standing with whichever company we did business through, this offer still applies:

You are receiving this urgent notification as a hosting client of Matlock Web Marketing. As you know, we do not send out newsletters. This is not a newsletter but an URGENT message about something that needs to occur on your site pronto.

A few of you have reported some website users reaching security errors recently, and after some digging, it was finally worked out why. The web browsers are making a critical security change, but for a very small number of users it’s already started. Google TODAY sent a notification of an urgent and important change they’re releasing in OCTOBER 2017 that will affect the way your website must work. Starting in OCTOBER 2017, Chrome web browser is requiring all websites that contain forms to upgrade to SSL and use HTTPS on all pages with forms and form processors. Any website operating the way all sites have up to now will start generating an ERROR for all their visitors. This means any website where the user can interact with you, such as in contact forms, email newsletter subscription forms, etc. must be HTTPS.

I’ve been an amazon fan since they first came into existence. I enjoy shopping there, and have gotten more than a  few peaks behind the curtain helping people develop Amazon feeds, back in the day, or more recently, helping people debug their Amazon to Shopify stores on their own domain.

There has been a huge shift in what people are being told by the gurus to do to sell physical products direct-to-consumer (basically the B2C model has completely changed). Because Amazon transformed the marketplace from a free-for-all with thousands of domains fighting for placement, and people using Google search to shop for things, to the new model where product shopping is first-and-only done on Amazon by most searchers.

Sure, they do their product research elsewhere, but when it’s time to buy, they’re visiting Amazon directly and shopping there. Mostly. Not always, and not everywhere. But, boy oh boy, that’s a bigger and bigger truth these days, over more and more of the globe.

So, the gurus stopped fighting this. It started a handful of years ago with one group, the Amazing Selling Machine folks, powering out their message. And because their system works if you use it, a lot of other gurus followed suit recommending that physical products be sold on amazon, some offering their own additional twist on the idea. No longer will you find as many of the gurus recommending that you get your self-hosted online store up and get it SEO’d, and build your business up from the ground up, etc. These days, most gurus are trying to sell their own all-in-one pipeline service, or selling you the “secrets” to how to succeed on Amazon. The only course I can recommend from the bunch that discuss Amazon is the ASM one above. It’s pricey but worth it. And now there are a number of gurus talking about how to build successful pipelines on their websites, often leading straight to an Amazon business. (Sometimes I check into these services and find that the technique is to steal someone else’s pipeline and then simply direct traffic to an amazon product. But when I pay for access to these trainings, I’m more and more often finding that Amazon is the eventual recommendation for how to sell physical products.) I’m seeing a real pattern here. Amazon is considered the place to sell physical products. And that’s true. For now.

Note: Sometimes, when a client is using Amazon, they put a long form sales letters on their own domain or into emails, that then directs visitors straight over to an amazon page. Or, they have a shopify site listing all their Amazon products, which is much more rare.

I’ve heard tons of buzz about using amazon seller central to warehouse all products, list all products only there, and basically allow them to manage your business for you, often without any back-up plan of having a separate website to sell those products on independently.  Obviously, we all know that the rules on Amazon for selling elsewhere are VERY strict and tricky.

I have seen most Facebook marketing gurus switch the discussion from “how to drive traffic to your website” to “how to drive traffic to your amazon page”.  I’ve seen dozens of new software tools emerge and boom that are entirely and only for helping to manage an amazon seller central business.

This shows that a LOT of people out there are building amazon businesses, and I’m not recommending against it. I am, however, asking that you consider the long-term. Have a few “what if” fail-safes in place to protect your business. The one you, as a merchant, are building up Amazon with right now. As someone who sees all opportunities online through the SEO prism, I cannot help but see a lot of link-juice, a lot of energy going to promote a website you don’t control.

If you spend thousands of dollars and countless hours building up social media and natural links, those should be going to somewhere that YOU control. That does not include your Amazon page. As most of you know, that can disappear overnight without real explanation or much resort. If you somehow violate Amazon’s rules, which change regularly, your account can disappear overnight. Without an expert to help you, it can be hard or impossible to get that Amazon account back up and running. It’s like if someone simply demolished your storefront one day and you had no way to put it back.

So, do this the smart way. If you want Amazon to do all your inventory management for you, and use them as your sole shop, put up your own store (shopify or similar Amazon-backed front-end that you control) on your own domain and direct at least some of your energy to building up social energy towards that domain of your own. That way, all that energy (in terms of link juice) remains yours if you switch from Amazon to some other physical products management system in the future and you won’t lose the momentum you’ve built.

My two cents for all you AMAZING amazon marketers out there. You’ll want to be flexible if some other site eventually eclipses Amazon. You’re all riding the high right now, but my advice is to plan for possible ebbs in the future.

And for whatever unfathomable reason, a decade has passed and we’re still doing the same thing! Business owners who want my business are STILL not making their websites responsive enough for me to accomplish the goal I came to their site for. Again, your website needs to work, and work well, all the way through the conversion process, on the tiny screens that now access the web in greater numbers than even PCs or laptops.

Users hate scrolling. Users hate squinting at text that’s too small. Users hate when the submit button is off-screen. Users hate when they’re 80% of the way through the process of signing on and your website becomes unusable because you wanted a fancy glossy process that simply won’t work on the simpler interface of a mobile phone.

I can hear you congratulating yourself on having beaten the curve. But, are you sure? Have you really checked? Since late 2013, when mobile devices overtook traditional computers as the primary access point to the internet, business owners have still been slow to update, slow to change over to the new way to do things – and a ton of the shucksters that litter my profession have told business owners that some insta-plug-in would completely solve the process of becoming mobile friendly, with a single quick-fix solution… and then leave huge gaps in their work, or only update the home page. Again, nearly no one offering mobile friendliness updates actually does the job fully and completely, to both Google and (more importantly) your end user’s satisfaction.

Think about why you need to do this. If you’re not reading this right now from your phone, you’re in the minority. But, go ahead and take a look at this page, this blog post you’re reading right now on a mobile device. Take a look at any of my websites on a mobile device. They scale beautifully. No matter what you read them on, they respond as they are supposed to. The menu scales down, the text is still readable. All my forms work and look good from any devices from the largest PC screen to the smallest smart phone. And that’s why I’m still getting plenty of visitors to my sites, and plenty of interest for my services.

Now go find your own website on your phone. The one your business relies on to get things done. Try to make it all the way through the conversion process. Is all the text scaling properly? Are the images appearing as they should? Are you able to use the web forms without headaches?

If not, contact me. You need to update, because you’re probably losing real customers in numbers greater than the cost of updating, simply by not being mobile friendly.

A lot of people are talking about how Google penalized people for not switching to mobile friendly. Yeah, sure. I completely agree with their actions, considering that unfriendly websites are frustrating to the end user, and Google should always keep the end user of their search engine in mind at all times.

So, keep your own end user in mind, and make your website so that it doesn’t slow them down as they try to convert. Get scalable, get mobile friendly, get responsive. Whatever you CALL it, it’s about your end users, and turning your visitors into customers.

If you want to do that, you  need to get your website up to present standards – and in a hurry. MWM’s mobile friendliness updates start at $500, and head up from there based on the website. These are full rebuilds, not temporary patches, and they’re remarkably more future-proof than you’ll get from any patch or plugin. Contact us if you’re interested.

For just a little extra, you can get Facebook and social friendly as well. Ask about that if you’ve been frustrated with ugly links in social media.