I guess it’s not a bad thing though. At the same time I usually see in some forum somewhere other people posting links to the story and then responses from users saying “Thanks, I better check my site”. I’m not exactly sure why people tend to forget that there are malicious users out there ready to attack, but if occasional stories about hacking attacks help keep people on their toes and remind them of this then it’s definitely worth the time.

Waiting To Long Makes You a Target

Let’s quickly take a look at the process an application goes through when developers release a version update. First, a security hole is found. Usually someone reports it, or developers find it, or even a hacker finds it and exploits it. Second, the developers work out an update to patch the security hole. Third, they release the update along with a press release on their site and/or newsletter about the update and the security hole it fixes.

Did you catch that? The final step is to tell everyone that not only is there an update, but what the hole is that the update fixes. So while before the update maybe only one hacker knew about the hole, now as a part of public record any and every miscreant, aspiring or otherwise, can read about the hole. The longer you wait to implement the update the more likely it is for one of these people to find your site.

The reason for this announcement is because developers like myself need to see what is fixed so that we can assess the importance of the update. If it’s just a bug fix for a feature I’m not even using on a clients site, I’ll put off the update until maybe the next one. However, if it is a security patch then I know I need to make a plan to update soon.

3 Rules to Keep Your Website Safe

Naturally even keeping your site up to date won’t always ensure that your site won’t get hacked. So let’s talk about the things you can do to ensure that your business doesn’t end up extinct by way of the miscreants.

1. Always Have Backups- It’s crazy how many people don’t have backups. Just think for a minute how important is your website to you. What’s it’s value? I mean really think about that. Now what are you willing to do to protect it? We often spend a lot of time building it, but we forget about protecting it.I put backups as number one because it becomes an elegant solution. It solves just about any worse case scenario. Hackers? No worries, I have backups. Failed Update? No worries, I have backups. Web Hosting company crashes and disappears? (This has happened) No worries, I have backups of my own. Zombie Apocalypse? Um, well no worries, RUN.Backups can solve a lot of problems. However, you need to make sure that the backups are usable, amazingly enough I have run into backups that couldn’t be restored, make sure they work and you know how to restore them.

   Another issue is to keep them offsite. If something really goes wrong you don’t want them stored on the site you had the problem. A lot of backup systems can send the backup off to an extra GMail account you may have, store them on Amazon, or even shoot them to another FTP location of separate hosting.

2. Do Your Updates- No excuses. If you don’t have backups and you don’t update your application then it’s just a ticking time bomb. You are going to loose your website. At some point it’s going to be a complete mess that is going to cost a lot more to recover.It’s pretty important to update your website properly also. For example, with WordPress, if you have a core update as well as plugin updates, sometimes people upgrade the plugins first. However, if the core has an update most of the time those plugin updates fix the plugins to work with the latest core update, so make sure you update the WordPress core first.The last point on this topic I want to make is you have to update your application. I know I already said this but one thing I hear with some X-Cart users is that sometimes it’s just too difficult to upgrade, there are too many customizations we’ve implemented, it’ll be okay we just don’t have the budget for it. And yet, down the road some day the inevitable happens. And you know what? It’s not fair, I agree with you and I’m on your side, but it’s still a fact of life. If that website has any value to you then update it, if not shut it down.
3. Use a Secure Password- People hate this one, but when a hacker can’t get into your site from a security hole you leave behind they will use the next best thing. An easy to guess password is just asking for trouble. I hear a lot of people complaining about using secure passwords. Granted they are hard to remember but again, is your website worth protecting? An easy password (like the most common one on Yahoo mail was “password” hah) is like locking your car doors when you go in the shopping center but leaving the keys in the door because you don’t like carrying them around with you.Passwords to stay away from are going to be any word that you can find in the dictionary or passwords related to you in some way for example your birthday. Now, when most people think secure password they think a random combination of numbers, letters, capitals, and special characters. Really? How are you supposed to remember all that? I get it, you really can’t remember something that obscure. But that’s why there are password vaults. For example, there is a program called 1Password which works really well for storing and even automatically typing your passwords.Another option is to use much longer passwords, combining 4 dictionary words like “HorseGlueRoofStaple” can be more secure than a random string. However, not all systems let you use really long passwords like this, and you still need to remember them if you have more than a couple so a password vault can still be beneficial, they are at least a lot easier to type.

So now I’d like to hear from you. Do you have a story to help others? Do you have something additional that you do that could be helpful? Let me know in the comments below.

No related posts.

The answer is, if the site is moved properly there should not be any downtime.

How can you move a site without downtime?

Let’s say you are hosting your website over at Hosting Company A, and you decide to move it to Hosting Company B. How can we ensure a smooth transfer without any downtime?

First, you need to realize that your website is just data. And you can have multiple copies of this data all over the internet if you wanted. Naturally, this would be bad for SEO reasons, but in the case of moving your website if we take an exact duplicate of your site at A and place it at B, then there won’t be any downtime.

To understand why we need to take a look at how domains work at least in layman terms.

So how do people visit your website? They just type your domain name into their browser. That’s about it right? Well there is a lot more going on in the background.

Your domain name is really just kind of a shortcut to your hosting company. There really is a lot that goes on behind the scenes. Your domain name references a batch of ‘records’, these records give a series of addresses for all the elements of your website such as email, website, etc.

If you change the references for your domain name to the new hosting company, and your new hosting company has an exact duplicate of the website, then there is no downtime. People visiting your domain name will just get the new address and start viewing the site on the new system, all in the background without them knowing it.

Does this change happen immediately?

No this change of addresses with your domain does not occur immediately. What happens is that the ‘records’ attached to your domain have a Time To Live or TTL.

A TTL is essentially a timer that tells computers such as your visitors how long to keep an address that they get for your domain. What this does is when you visit a domain the address is pulled in the background and you see the site, but if you visit the site again, and again, and again, a new address isn’t pulled each time. Instead, the address is cached for the amount of time the TTL is set.

When you change the reference of addresses for a domain the industry standard is that the TTL is set to 24 hours. So all computers that pull the addresses for a domain will normally keep them for 24 hours and continue going to the same address on repeat visits during that 24 hour period.

So does this mean that all your visitors will have to wait 24 hours to see the site on the new hosting environment? No, actually that’s not what it means.  Let’s say you have a computer visiting your site that has never visited your site. They don’t have any cached records of your old address so they start going to the new address immediately.

Let’s also pretend one visitor came to your site 10 hours before the move. Now they visit again, they will see the old site again, but do they need to wait 24 hours? No, they will only have to wait 14 hours, because 10 hours of the time has already passed.

Are there any side effects to be concerned with?

As you can see there will not be any downtime associated with your website.  There is a period of time, however, where some visitors are looking at the site on your old hosting, and some visitors are visiting your new hosting.

So the side effects are that if you make changes to your site during this 24 hour period of being in ‘limbo’ you should either make them to both sites if it is really urgent, or at the very least your new hosting, which eventually everyone see.

Another side effect would affect your email in much the same way.  Someone sending you email might hit your old hosting, and someone else might send email and have it go to your new hosting.  It is good practice that for the 24 hours your addressing would be in ‘limbo’, to check both servers for email. (NOTE: This is only if you are also moving email, if you host your email with a third party like Google Apps, that may not change so nothing would affect email delivery)

Are there any situations where downtime might happen?

Of course there are always occasions where downtime might occur, but in these cases I usually cause them myself on purpose. Why would I do this you ask?

Let’s pretend you have a eCommerce site. Your website sells products, services or takes orders of some kind.

If you often go a day without an order, or rarely have more than one or two orders a day, then there really is no worries here. You might have to check the email or the order history on the old hosting just to make sure you don’t miss an order, and if you got an order it may take some manual entry to add it to the new hosting.

However let’s say you get 5-10-20-30 orders a day.  Well now you can see the chance you get a stream of orders on the old hosting environment is much more likely. Manually entering that many orders on the new hosting might not be as easy when there are several.

In this case, what I’ll normally do is make a duplicate of the site.  Then shut down the site on the old hosting. Most eCommerce applications have a way to set the store in “Maintenance Mode” so that visitors will see the site is undergoing maintenance and will return shortly.  On the new hosting however, I’ll leave the site turned on, no maintenance mode.

Now what happens is that anyone using cached old addresses, will see the old hosting, and see the maintenance mode.  Anyone already receiving the new address, will see the site live and will be able to purchase your items.

In this case there really isn’t any downtime, you are just preventing people from ordering on the old hosting so that you can ensure you aren’t missing orders, or have to double enter orders into the new hosting. There are methods to ensure that even this doesn’t happen, if you have a talented developer on your side.

Where can I get help?

If you need help with moving a website from one hosting company to another, you can contact me or even visit my services based website at http://www.turbowebs.com/

No related posts.

Maybe it’s your business partner that needs access to something. A technical person that is going to help you set something up. And the hacker in another country that wants to send out spam.

OH WAIT, no that last one isn’t correct.

How do you share your passwords? Send them over email, instant message, some other insecure form of communication. How about just going up to the forums you belong to and posting them? You might as well make it easy.

Send Your Password with 1Ty.me

You probably thought I just spelled it wrong in the title, but no sorry you didn’t find a mistake.

1Ty.me is a service. A simple secured website with SSL for encryption. If you visit the website you’ll find a large text box to enter passwords, secured information, anything you need to share securely.

Hitting the generate link button provides you with a small link that you can share with others. The link can only be accessed one time, and then poof the information is gone.

You can even select “Notify Me When The Note is Viewed” and supply your email address so that you can see exactly when someone views the information.

All communications are over SSL, so it’s fully secured. You don’t have to worry about sending your information out there in plain text to just rattle around the internet.

Can You Trust 1Ty.me?

We don’t even know who these people are after all. What if a hacker created this brilliant website to store passwords for their own use? What if this service becomes compromised and someone gets my information as I’m submitting it?

I don’t just take their security and reliability for granted.

Here’s what I do if I’m sharing a password:

1) Go to 1ty.me and enter only the password and generate link.

2) Email the address, username and link to the password to the individual I’m sharing with.

See how that works? If someone gets the password, that’s all they have. A password without the knowledge of what it is for is pretty pointless.

If someone gets a hold of the email after my associate has viewed the link, all they have is the address and username. They don’t have the password so still no security breach.

Of course, there is a slight possibility that someone could get a hold of the email before my associate has clicked the 1ty.me link. So now they have the address, login, and password. This situation would be incredibly rare. I would hope that whom ever I shared the password with would click the link (which is no longer available), and then email me saying, “Hey the link didn’t work”.

That’s a pretty good indication that something went wrong. I can now change the password that I shared, and in turn look at both my email and suggest my friend do the same. Something is wrong, one of us has a security breach with people accessing our email.

I hope this helps a few of you out there be more secure. I’d love to hear your thoughts in the comments below.

Related posts:

1. How Secure is Your Password?

Government conspiracy? Aliens? Terrorist attack?

No, just a good example of lack of backups. In this case a hacker decided to attack an Australia domain registrar and web host. The hacker brought down 4 of their servers. Brought them down to the point of not being recoverable.

The Aussie firm did have backups, but they were onsite and on the servers attacked. There were no redundant backups. At the end of the day, the web host had no choice but to offer assistance in helping customers move to an entirely different host.

Most of the customers were reporting that their business was completely destroyed. They had to start over, rebuild from scratch. One person was quoted as saying “I couldn’t possibly replicate those years of work again . . . my whole lifes work is gone down the drain.”

Who is responsible for the security of your website?

Well in short, you are. There are no government bail outs coming to you if things go badly. If your web hosting company looses your website, they aren’t going to start replacing that income for you.

You are responsible. And did you know that most shared hosting companies even if they offer backups, don’t guarantee anything? If you read your fine print they may offer it but they have plenty of lawyers sitting around protecting them.

To have effective backups in place it costs money. You can’t pay $4.99 a month and expect a quality backup infrastructure in place. I mean come on, $4.99 barely buys you a full meal deal at McDonalds.

These shared hosting companies offer cheap services, which don’t get me wrong, can be effective for your needs but really you are going to get what you are paying for. Read those numbers again, 4,800 accounts on 4 servers. They are packing in 1,200 accounts per server.

Just imagine sharing your computer at home with 1,200 other people.

You need to get a quality plan of action into place. Figure out what your website is worth to you. How much is it worth to protect it?

So what can you do to backup your website?

Covering the security of your website is like buying insurance. It’s just in case something happens. You have a couple options for this insurance policy.

1) Buy better hosting – There are better more expensive web hosting companies out there. You get what you pay for. With more expensive hosting you can usually expect better performance. A larger “piece of the pie” as you might say. Better services to go with your hosting such as redundant offsite backups. However, your website might not need all of this. If you have low traffic and small performance needs, then you might not need to pay for a lot of extra’s just to get at the backups you need. In the long term this can be an expensive option if you aren’t really utilizing the extra’s.

2) Buy Management Services – You always have the option of hiring someone to either manage your website for you, or at the very least set up some automated form of backup. Web Development companies, like my own TurboWebs, can be hired to either manage your website and keep an eye on things, or at the very least set up a form of automated backups. There are file storage options out there such as Amazon S3 which only cost change every month. I’ve personally set up several sites to automatically backup up regularly, pushing the archive to these storage systems separate from the website itself.

It is very important that you test the validity of these backups though. If you are paying for a one time setup of an automated backup, it doesn’t hurt to occasionally pay the same company to double check these backups. Are they working properly? Can you restore the site on a development server to check that everything is intact? Do you have access to these backups in case something happens?

3) Figure it out on your own – Of course this is the cheapest option. Or is it? I’ve seen several companies that could put valuable time into their own business but instead spend the time working on figuring out technical things such as backups or web development. Some times you don’t have a choice. If your budget is extremely limited there is no other option but to do what needs to be done. Just be aware that this can be a time intensive option. Look back at the previous option and the same questions apply. Are you regularly checking the backups are valid? Can you run test recovery procedures to ensure if you need them they are functional?

Your Website Backup is Like Insurance.

We buy car insurance, home insurance, life insurance, health insurance, but for some reason many businesses forget to insure the safety of their website. You don’t know what could possibly happen. If your website is important to you at all, protect it with the same conviction that you protect other areas of your life.

No related posts.

He has been looking for ways to improve the site and decided to add a “Start Here” section. I’ll go over some ideas for making a start here section as well as a few additional areas of improvement that I noticed while on his site.

Neal Battaglia runs the website SaxStation.com where you can find practical ideas to develop your music and confidence on the saxophone. Get a new take on music, find creative ways to work on your sound and playing, and become the sax player you want to be.

No related posts.

What is W3C?

World Wide Web Consortium (W3C for Short) is an international standards organization founded by the inventor of the Internet, Tim Berners-Lee. They develop standards for which the web is run.

This means they set the rules of coding HTML, XHTML, etc. Having standards is important because it sets rules of what everyone should expect. Each browser and each search engine expects code to match these standards, so that they can understand the page.

Without standards every website could be using an inherently different set of code, and yet call it HTML.

Side note: Email clients render HTML completely different for each client, why? Well they don’t really care about the standards for the web. In this case they are dealing with email, email is different from the web.  The web, email, ftp, are all forms of communication over the Internet.

How Does this Effect SEO?

Search Engine Optimization (SEO) is the process of optimizing your website to be better understood by search engines, in the respect of gaining a listing which is higher in the Search Engine Results Page (SERP).

So we just talked about how the W3C defines the standards that everyone can expect to see for a properly formatted HTML/XHTML page. Now if your website and your code doesn’t meet those standards how well do you think the Search Engines will be able to understand your website?

For a search engine to properly crawl and index your site, it needs to be able to interpret the different elements of your site, such as style, navigation and content. It’s goal is to understand the meaning of the content.

Clean, compliant, expected HTML and CSS code make it much easier for the search engines to determine what is content and understand the meaning of the content.

Do You Need 100% Compliance?

100% compliance is pretty difficult for the most part. If you want to see how your site validates right now you can run over to the W3C Validator tool and just enter your address into the form and see the result. (warning: using their HTML-Tidy script to clean up the code MAY end up with undesired results)

Web Browsers are pretty flexible applications that can handle taking invalid code and still display it properly.  In fact most developers will use some invalid code to get everything to appear just right in all the different browsers.

Search Engines can be some what flexible when it comes to valid code. You do not need to be 100% compliant. This doesn’t mean you shouldn’t care, it means that you should get as close as you can, because it gives you the leg up on the competition. The easier it is for a SE to read your site the more likely your site is to succeed.

If you run your validation and you get a handful of warnings, or maybe just an error or two that isn’t a high priority you will be okay. However, I have run validation scripts before on sites where almost the entire page was ignored because of certain invalid code at the beginning.

Hiring a developer to look over the site and get you a little closer to validated code is well worth it as a part of your SEO strategies. And it’s okay to take into account a few concessions.

Related posts:

1. What is the Right Way to Layout Your Website?

X-Cart handles both types under the same section. If you want to provide special pricing for a certain membership level you would do it in the wholesale pricing area.  If you want to set up bulk pricing for either the general public or certain membership levels you would do it in this area.

The pricing will change automatically on the product page. A wholesale member will see their specific prices when they are logged in. And even the public will see a bulk pricing table and an automatically updating price when changing the quantity.

Managing your price levels is a valuable tool in X-Cart if you want to offer price breaks on quantity purchases.

No related posts.

You’ve probably seen a “Printable Version” link on a few websites. Sometimes they are just a little printer icon, sometimes more. They usually hide out on the top right of the content. If you click it the normal operation is for a new page to load.

This new page is simplified, the backgrounds are gone because they won’t print anyway. Maybe the sidebar will be removed, the header will be gone or simplified.

All this makes the page easier to print. The extra stuff is gone, it’s usually mostly black text so that it won’t chew up your color cartridges.

Why is this separate “printable” page the wrong way?

First, using these could have negative impact on your SEO. The new page is usually a different URL, and yet contains the exact same content. So this means duplicate content. For every single page on your website.

Naturally, there are ways to tell the SE’s, like Google, to ignore these pages. You can use your robots.txt file. Another way is to use “noindex” and “nofollow” meta tags. But keep reading and find out why none of these are necessary.

Second reason why these are the “wrong way” to create a printable version, it’s not really a user friendly way to do things. If someone wants to print your page, wouldn’t it make sense for them to just hit “print”. Why do they have to click a link first?

What is the right way to create a printable webpage?

The right way is to use a separate CSS file. You can actually declare how your CSS files should be used. Specify them for the screen, for print, etc.

Let’s take a quick look at what you might use to declare the CSS:
<link rel=”stylesheet” href=”style.css” media=”screen” />
<link rel=”stylesheet” href=”print.css” media=”print” />

As you can see the first instance is the style sheet declaration for the screen view.  The second line is what will be used by your browser if it’s told to print the same page.

In this print style sheet, you or your trusted developer, can change the presentation of the page to be optimized for print. Changing the header, hiding the sidebar, removing all backgrounds, etc.

This is another example of why using CSS to it’s fullest potential can benefit your website. It alleviates potential SEO issues, separates presentation from content, and makes your site more usable.

No related posts.

But I often see people jump to the wrong conclusions too quickly.

I like to head over to ABtests.com and look at the results of different findings. The information is really interesting to look over. Sometimes you can find interesting little bits of information that might be beneficial to your website, and in turn you can use these ideas to test on your own website for your market.

I Found a Penny on the Ground Yesterday

With the penny that I found I flipped the coin 100 times. Out of the 100 coin tosses, 49 of them resulted in heads.

Today I flipped the same coin 100 more times. The result was that heads appeared 51 times.

Overall I’ve determined that flipping a penny on Thursday results in a 4.08% improvement to heads appearing, over flipping a coin on Wednesday. So from now on if I’m guessing at the outcome of a coin toss on Thursday I’m betting on heads.

It doesn’t take a rocket scientist to conclude that my findings are a little off.

Statistical Chance

In any given test, there is the opportunity that the results can be skewed for no apparent rhythm or reason. We can never really know that a change improved the results or not, all we can do is test and observe the information.

To remove the element of chance from the equation we need more data, more information. If you test only 100 coin tosses you can easily see a difference.  If we test 1000 coin tosses the difference becomes smaller, because chance is being removed.

I often see results on ABtests.com where people are only testing 40 or so conversions. There is no room here to remove the element of chance. At the bare minimum you should only consider picking a winner after 100 conversions. And if the results are too close I’d consider letting it run much longer.

Confusing the Results

Notice above I said that there was a 4.08% improvement. Did that make sense to you? There are two ways to point out the difference in conversion.

1. 2% – in one test it had a 49% chance of heads in the other it had a 51% chance of heads the difference was 2%
2. 4.08% – the percentage amount that 51% is bigger than 49%.  So the math would be 2% divided by 49% resulting in a 4.08% improvement over the 49% original conversion.

Taking numbers at face value can be deceiving. You need context to understand what the numbers mean. The second number makes the results look a lot better than the first number, but in context you see that they mean the same thing.

In the end I won’t be placing my bets on heads any more than I would have in the beginning. Make sure you always test thoroughly, ensuring adequate data. Also, look at the values in context to ensure you understand the information. Small changes should be second guessed, large differences may not be as large as you think, but still worth careful consideration.

No related posts.

The best way to run these I’ve found is to use a plugin that I almost always install anyway. The plugin I use frequently is called WP-DBManager. I frequently install this on a blog because you can use it to create automatic backups of your database, optimize and repair the database and finally run SQL Commands.

You can also run these commands through PHPMyAdmin or other tools, but these aren’t for the faint of heart. Make sure you know what you are doing, or at the very least consult with someone who does.

In order from most used to least:

1) Delete Post Revisions

Post revisions are a great way to go back in time. You or someone else changes a post and it was a mistake you can go back. Try editing an article and don’t like the result you can jump back in time.

But Revisions take up space. If you have 50 articles and 10 revisions each that becomes 550 posts in the database (500 revisions plus 50 real posts). That not only takes up space but it’s more for the system to search through, thus slowing down your website.

Here’s the command that can remove them along with attached Meta information:

DELETE a,b,c FROM wp_posts a WHERE a.post_type = 'revision' LEFT JOIN 
            wp_term_relationships b ON (a.ID = b.object_id) LEFT JOIN
            wp_postmeta c ON (a.ID = c.post_id);

2) Change “admin” Username

Remember the old days of WordPress? When installing it the primary username was chosen for you. By default it seemed to many that you were stuck with this “admin” username. Personally, I don’t like using “admin”. It gives hackers one piece of the puzzle to accessing your website.

It’s no longer the case, but if you’ve been using the old admin login because you thought that’s what you should do, you can’t change that username.  Or can you?  Here’s the SQL Command:

UPDATE wp_users SET user_login = 'New Username' WHERE user_login = 'admin';

3) Disable All Plugins At Once

When stuff happens, it happens quickly and badly. Plugins are often the main culprit. Lots of different plugins from different developers all installed in the same system, sometimes don’t play well together. When this happens sometimes the best option is to turn off all plugins at once and then systematically activate them so that you can find problems.

Be careful with this, sometimes turning off a plugin can drop the data associated with plugin.  In this case it won’t happen, but when turning it back on you might, backups are important. Even if the data is wiped, if the process at least helps you find the problem, then you can restore the backup and have all the information you need to fix the problem.

Here’s the query:

UPDATE wp_options SET option_value = '' WHERE option_name = 'active_plugins';

4) Find and Replace Data

Have you ever been plugging away on articles only to find out you’ve been spelling something wrong all along? Maybe you need to just replace a reference that you’ve used a lot with something else.

With this command you must specify a specific field within a specific table, but it’s extremely powerful in mass replacing about anything, saving you a lot of time. Here’s the SQL Query:

UPDATE table_name SET field_name = 
       replace( field_name, 'string_find', 'string_replace' ) ;

5) Manually Change Your Password

It doesn’t happen very often where you can’t get into an account, AND the forgot password isn’t working. But I have had the occasional client mistype an email address, or due other reasons the password just needs to be changed.

Doesn’t happen a lot but here’s the SQL Command:

UPDATE wp_users SET user_pass = MD5('PASSWORD') WHERE user_login = 'admin';

6) Transfer Posts From One User to Another

Whether you were using the old admin user, and created a new one. Or just need to move posts from one user to another, for any other reason. There is a very simple method to do so. You will need the ID of both users, not the username but the actual ID of the users.

UPDATE wp_posts SET post_author = New_Author_ID WHERE
       post_author = Old_Author_ID;

No related posts.