WordPress Security on Speckyboy Design Magazine
https://speckyboy.com/topic/wordpress-security/
Design News, Resources & Inspiration
Tue, 19 Dec 2023 13:05:16 +0000

The 10 Best Free Security Plugins for WordPress
https://speckyboy.com/10-free-plugins-secure-wordpress-website/
Thu, 07 Sep 2023 08:01:18 +0000

A collection of powerful WordPress plugins that will harden your website and provide you with an extra layer of security and protection.

WordPress is now powering over 40% of all websites. That’s a testament to its flexibility, ease of use, and loads of free plugins and themes that are available. But that also means WordPress has a gigantic target on its back from malicious hackers and bots.

They’re constantly scanning for outdated installations and zero-day vulnerabilities. Brute-force login attacks hit even the most lightly trafficked sites.

It has become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but you can do plenty within WordPress itself. In fact, there are a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.


How Tracking Backend Activity Improves WordPress Security
https://speckyboy.com/tracking-backend-activity-improves-wordpress-security/
Wed, 02 Aug 2023 06:01:34 +0000

Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a security headache or two.

Website security is among the biggest challenges that web professionals face. It’s a constant battle to thwart malicious actors. Great effort is required. Yet the results aren’t encouraging.

Those of us who work with WordPress can empathize. The content management system’s (CMS) popularity makes for a tempting target. A deluge of automated attacks is sure to hit every installation.

It has also become clear that there are no bulletproof solutions. Security plugins that scan for malicious files aren’t perfect. They might miss an infected file. And some malware can elude detection.

It’s a reality check for web professionals. Taking proactive steps is a positive thing. But it could create a false sense of confidence. Eventually, you find yourself cleaning up after a successful attack.

Determining the cause of an attack can be difficult. That makes it harder to prevent the next one.

There is an often overlooked tool that can help, however. Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a headache or two.



Keeping Track of Who Does What

WordPress websites require maintenance. Plugins, themes, and the core software should be updated as needed. Making frequent site backups is also recommended. But we can go deeper.

Activity tracking provides a different perspective on your website. And it’s not just for detecting intrusions.

Administrators can identify potential workflow issues. And it helps for troubleshooting a “broken” page or undesirable content change.

You can see all manner of information. For example, when a user logs in and updates a page. Or pinpoint when a plugin was installed or deactivated.

And that’s not all. Depending on the activity logging plugin used, you can track the following:

  • Content creation, edits, or deletions;
  • Failed login attempts;
  • Password reset attempts;
  • Plugin installation, activation, and deactivation;
  • Updates applied to WordPress;
  • User creation and deletion;

These actions could be typical user behavior. But they might also be a sign of something more sinister. Reviewing this data will help you confirm what happened.

Note that this data won’t likely tell you how your website was compromised. But it will tell you what actions an attacker took while logged in.

Log Dashboard Activity with a WordPress Plugin

There are several plugins available that track dashboard activity. Security suites like Wordfence and Solid Security (formerly iThemes Security) include some form of this capability.

For this example, we’ll use a niche plugin called Simple History. It’s free and tracks a wide array of activities by default. It also works with popular plugins like Jetpack and Advanced Custom Fields. There’s also an API for logging custom events.

Even better is that Simple History doesn’t require much setup. Install the plugin, activate it, and it just works. A widget will now display on the Home screen. You can see a more detailed log by visiting Dashboard > Simple History.

In addition, the plugin can optionally create an RSS feed. That lets you keep track of activity without having to log in.

Here are a few examples of how the plugin can boost security:

Track User Logins

Simple History will record when a user logs into your site. It will also report any actions the user took.

There are a lot of reasons why this data is helpful. For example, it can help you identify a compromised account.

The plugin provides a timestamp and the user’s IP address. If either of these items looks suspicious, you can take further action. You could then reset the user’s password and alert them to the issue.

Simple History provides details of user logins.

Find the Origins of a Suspicious User

It’s important to know who has access to your website. WordPress has several user roles – administrator being the highest. An administrator can perform potentially-damaging tasks. It could be catastrophic in the wrong hands.

Take note if you see that an unfamiliar administrative account has been created. It could mean that a malicious actor has gained access.

A suspicious user was created. Is it a sign of a compromised website?

How Did That Plugin Get Here?

Website administrators also need to keep track of installed plugins. But new plugins can go undetected. You can use activity logging to find out who installed a plugin and when they did it.

Pay close attention to plugins that have known vulnerabilities. Or those that enable file uploads or running code within the back end.

A malicious actor may install a plugin to take advantage of an exploit. They can use it to install malware, for instance.

Attackers may install plugins to help infect your website with malware.

Be Informed about Content Changes

Websites with multiple authors can get messy. It can be difficult to track changes to content. But knowing what’s changed has security implications.

For example, SEO spam is a popular type of attack. The attack adds hidden content to existing pages and posts. It may also contain redirects to malicious websites.

Simple History logs content changes. You’ll see who made changes, along with when.

The plugin also taps into the WordPress revisions feature. That provides a highlighted view of each change.

This tool may not catch every vector of attack. But it’s another way to stay on top of your content.

Simple History helps you see what content was changed and when it took place.
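
The review described in the sections above (logins from unfamiliar IP addresses, new administrator accounts, plugin installs, content changes) can be run automatically over an exported activity log. This is an added example, not code from the original article or from the Simple History project; the JSON field names, usernames, plugin name and IP baseline are assumptions constructed for illustration.

```python
"""Triage of dashboard activity events (added example; record layout is hypothetical)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. The field names are
# assumptions for this example, not the export format of any real plugin.
SAMPLE_LOG = """\
{"time": "2023-07-30T09:02:11", "user": "editor_amy", "ip": "203.0.113.10", "action": "login"}
{"time": "2023-07-30T09:05:40", "user": "editor_amy", "ip": "203.0.113.10", "action": "post_updated", "target": "About Us"}
{"time": "2023-07-31T02:11:00", "user": "admin_raj", "ip": "192.0.2.55", "action": "failed_login"}
{"time": "2023-07-31T02:11:20", "user": "admin_raj", "ip": "192.0.2.55", "action": "failed_login"}
{"time": "2023-07-31T02:11:45", "user": "admin_raj", "ip": "192.0.2.55", "action": "failed_login"}
{"time": "2023-07-31T02:12:05", "user": "admin_raj", "ip": "192.0.2.55", "action": "failed_login"}
{"time": "2023-07-31T02:12:30", "user": "admin_raj", "ip": "192.0.2.55", "action": "failed_login"}
{"time": "2023-07-31T02:13:02", "user": "admin_raj", "ip": "192.0.2.55", "action": "login"}
{"time": "2023-07-31T02:14:10", "user": "admin_raj", "ip": "192.0.2.55", "action": "user_created", "target": "wp_support", "role": "administrator"}
{"time": "2023-07-31T02:15:30", "user": "admin_raj", "ip": "192.0.2.55", "action": "plugin_installed", "target": "example-file-manager"}
{"time": "2023-07-31T02:15:41", "user": "admin_raj", "ip": "192.0.2.55", "action": "plugin_activated", "target": "example-file-manager"}
{"time": "2023-07-31T02:20:05", "user": "admin_raj", "ip": "192.0.2.55", "action": "post_updated", "target": "Home"}
"""

# Constructed baseline: addresses each account normally logs in from.
KNOWN_IPS = {
    "editor_amy": {"203.0.113.10"},
    "admin_raj": {"198.51.100.7"},
}

# Actions worth a second look when they follow a login from an unknown address.
FOLLOW_UP = {"plugin_installed", "plugin_activated", "post_updated"}


def triage(log_text, known_ips, burst=5, window=timedelta(minutes=10)):
    """Return (time, rule, summary) tuples for events that deserve review."""
    findings = []
    failures = defaultdict(deque)  # source IP -> times of recent failed logins
    suspect = set()                # users whose latest login came from an unknown IP

    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    # ISO 8601 timestamps in one format sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user, ip, action = ev["user"], ev["ip"], ev["action"]

        if action == "failed_login":
            recent = failures[ip]
            recent.append(when)
            while when - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) == burst:           # report once, when the threshold is hit
                findings.append((ev["time"], "failed_login_burst",
                                 f"{burst} failures from {ip}"))
        elif action == "login":
            if ip in known_ips.get(user, set()):
                suspect.discard(user)
            else:
                suspect.add(user)
                findings.append((ev["time"], "login_from_new_ip",
                                 f"{user} from {ip}"))
        elif action == "user_created" and ev.get("role") == "administrator":
            # A new administrator is always reviewed, whoever created it.
            findings.append((ev["time"], "new_admin_account",
                             f"{ev['target']} created by {user}"))
        elif action in FOLLOW_UP and user in suspect:
            findings.append((ev["time"], "action_after_suspicious_login",
                             f"{user}: {action} {ev.get('target', '')}"))
    return findings


if __name__ == "__main__":
    for time, rule, summary in triage(SAMPLE_LOG, KNOWN_IPS):
        print(f"{time}  {rule:32}  {summary}")
```

The baseline of known addresses is the part that needs care in practice: users on mobile or home connections change IP often, so a finding here is a prompt to check with the account owner rather than proof of compromise.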

The More You Know

As it turns out, installing a WordPress security plugin isn’t enough. Your website still runs the risk of being compromised. Indeed, security is a 24/7 responsibility.

That’s why having backend activity data on hand is so important. Sure, it may help you clean up a hacked site. But it may also help you catch suspicious activity before it’s too late.

At the very least, you’ll have a list of user actions. It will come in handy if/when an incident occurs.

It’s just another proactive step we can take to stay safe. And it requires minimal effort. What’s not to love?

How Security Is Driving up the Cost of Website Maintenance
https://speckyboy.com/security-driving-up-cost-website-maintenance/
Mon, 24 Apr 2023 06:48:53 +0000

Security's impact on website maintenance demands its inclusion in our pricing. We examine the challenges and the resulting surge in costs.

Maintenance is a part of daily life for many web designers. Looking after the websites we build helps to keep them running smoothly. And it’s also a great way to earn recurring revenue.

I’ve been maintaining websites for over two decades. I started with old-school static HTML websites. These days, I work primarily on sites built with WordPress. Much has changed.

For example, websites that use a content management system (CMS) have multiple moving parts. And updating core software, themes, and plugins is the main focus.

The process could be relatively simple – except for one thing: security. The myriad of threats is enough to keep us up at night. It seems to be a never-ending battle against bots, malware, and whatever else is lurking in the shadows.

In short, security has turned website maintenance on its head. Thus, we must consider it when pricing the services we offer. Let’s explore the challenges involved and why it’s driving costs through the roof.



Software Updates Require More Scrutiny

There are routine software updates. And then there are security fixes. The latter should become the higher priority.

It takes effort, however, to discern the contents of an update. Looking at a software’s change log is usually the only way to find out.

This isn’t a big deal if there’s only one application to monitor. But consider a typical WordPress install. It will consist of the core software, plus an untold number of themes and plugins.

You may find yourself scrutinizing a dozen or more change logs regularly. Oh, and multiply that by the number of websites you maintain.

Sure, you could simply hit the update button on each site every day. But it’s important to know what is included with each new version. And it’s also worth browsing support forums to gauge stability.

Testing is also crucial – particularly on mission-critical websites. And even security-related updates should be tested. That’s because, quite often, a security fix isn’t the only item included in an update. Thus, ensuring that there are no compatibility issues is still important.

All of this adds up to a lot of time spent researching and applying updates.


The Need for Third-party Security Tools

Every website is a target. Therefore, taking extra security measures is always worthwhile.

Some tactics, such as the use of strong passwords and locking down file permissions, are free. But third-party tools and services are also a key part of the equation. They often have a cost.

There are a variety of options. Everything from WordPress security plugins to content delivery networks (CDN) that include a firewall is useful. They create an extra layer of protection from malicious actors. As such, one of these tools could be the difference in keeping a website clean from infection.

If you provide web hosting for clients, these types of tools should also be included. It may mean a price increase. But that should be easy to justify. Hardening security is part of the cost of doing business these days.


Cleaning up a Hacked Site Is Unpredictable

Implementing best practices is no guarantee of immunity. A website can still be compromised. And cleaning up a hacked site will eat up your time and resources. That holds whether you do the work or hire an expert.

For one, locating the source of a hack is like finding the proverbial needle in a haystack. There are numerous ways for malware to creep in. And its impact could reach beyond the issues you can see.

Reinfection is all too common. Even when you think that you’ve fully cleaned a website – the same problems can come back at any time. This unpredictability makes it hard to provide accurate time and cost estimates.

A hack can quickly exhaust maintenance contracts that include a specific number of hours. Clients may race past their expected budgets.

With that, a maintenance agreement might be considered a minimum cost. A security breach will throw a wrench into the works and lead to higher costs.


The Cost of Security Can’t Be Ignored

Security has become a major factor in website maintenance. The top priority is to prevent a site from being compromised. But there is also the reality that nothing is 100% effective. Thus, cleanup is also part of the job.

All things considered, maintenance has become a constant. It’s no longer just about making changes to the design and content. Each site must be monitored to ensure that it’s both clean and secure.

These costs must be taken into account. Prices should reflect the effort required to proactively implement security tools and practices. In short, if it costs you time and/or money: pass it along to your clients.

Security is simply too important to ignore. It takes time and money to do things right. And things work best when clients understand what’s involved. Therefore, it’s worth discussing.

5 Common WordPress Myths Debunked
https://speckyboy.com/wordpress-myths-debunked/
Wed, 15 Mar 2023 09:06:00 +0000

We take a look at some of the most common myths floating around the world of WordPress and attempt to uncover the truth.

Don’t be alarmed – but it’s been said that the internet contains some misinformation. It’s also really effective at spreading various falsehoods. And because anyone can publish whatever they like, it can be difficult to tell fiction from the truth. Shocking, right?

WordPress is no stranger to various myths and conspiracy theories. Some people are suspicious of big changes to the content management system’s (CMS) core. And others simply have misconceptions about the ecosystem, community and the overall picture of how things work.

It’s time to set the record straight. Today, we’ll take a look at some of the most common myths floating around in the world of WordPress and attempt to uncover the truth. What will we find? Keep reading to find out!



Myth #1: WordPress Is Slow and Insecure

Let’s start with the double-whammy of performance and security. Social media clickbait often portrays WordPress as seriously lacking in both of these key areas.

The problem with this narrative is that it treats WordPress as a one-size-fits-all CMS. The fact is that, while a stock installation is universal, we rarely leave it that way.

There are so many ways to customize WordPress. For starters, third-party plugins and themes are a huge part of the experience. And seasoned developers may well craft their own. In addition, the CMS can be hosted in any number of different server environments.

Each one of these factors into both security and performance. For instance, equip your website with a bloated theme or buggy plugin and you open yourself up to potential issues. Opting for cheap web hosting can do the same.

Beyond that, WordPress is also incredibly popular. Thus, it has a target on its back from bots and other nasties. Much like hackers write viruses targeting the Windows operating system over others, they aim for WordPress as well. The bigger you are, the more they come after you.

The WordPress project is open-source and has a large number of volunteers who dedicate themselves to, among other things, performance and security. That’s not to say that there’s never a bug or security flaw – but the core software is quite well-maintained.

That said, WordPress by itself is neither particularly slow nor insecure. It’s what we add on to it after-the-fact that can lead to the biggest problems.


Myth #2: Automattic/Matt Mullenweg Own WordPress

There’s long been a misunderstanding regarding the “ownership” of WordPress. At least some of this is due to some self-inflicted branding confusion and a few blurred lines.

It’s true that Matt Mullenweg co-founded WordPress way back in 2003. This is the free, open-source project that can be downloaded by anyone and installed just about anywhere. It’s commonly referred to as “.ORG”, an homage to the project’s domain name.

Mullenweg is still very much active in the project. You’ll see his name pop up as a core contributor for various releases and he often takes part in community discussion. He also works with others in determining the software’s roadmap for future development as well. He does not, however, own the project itself. That is in the hands of the non-profit WordPress Foundation (which Mullenweg founded, by the way).

Now here’s the part that may confuse you. The similarly-named WordPress.com (“.COM”) is a place where you can host a blog for free or buy various levels of hosting. This is in fact owned by Mullenweg’s company, Automattic. And yes, it does run WordPress software.

If you’re curious as to the differences between WordPress.org and WordPress.com, there’s a handy guide to help you sort things out.

So, while Automattic (and thus, Mullenweg) are major contributors to the project, they do not own WordPress itself.

Clear enough? No? It’s best to not try and unravel it all at once.


Myth #3: WordPress Websites Are Too Cheap/Expensive

A bit of crowdsourcing brought this juxtaposition to the forefront. It’s a great example of how varied the perceptions of WordPress can be.

The reality is that WordPress can be either of these things or none at all. So much depends on how web designers choose to market and sell services. Then there is also the matter of how much a specific client is willing to pay. Oh, and project requirements have a good bit of say as well.

WordPress itself is free. And you can certainly grab a free theme, then sprinkle in any number of free plugins. It’s entirely possible to build a website for nothing (or next to it).

On the other hand, you could build your own custom theme that does exactly what you need. Then, invest in some high-end commercial plugins that provide crucial functionality. To top it off, add in some enterprise-grade web hosting. The costs will add up.

WordPress can be made to do as much or as little as you like. A web professional can utilize it to create a massive corporate hub or a simple landing page. There is no single way to do things. Therefore, you can’t really peg WordPress as singularly cheap or expensive. It’s all about what you do with it.


Myth #4: WordPress Isn’t a “Real” CMS

Back in its early days, WordPress was purely a blogging platform. And, despite a whole lot of evolutionary changes since, some people still associate it with this purpose.

Running a super-cool blog is only the start of what a modern WordPress website is capable of. You can leverage the software to serve just about any purpose.

Celebrity eCommerce shop? Check. Major government portal? Check. Home for a corporate giant? Check. Well-known educational institution? Check that one, too.

We could go on and on. The point is that WordPress can be used for virtually any type of website – large, small or in-between.

Now, whether one personally thinks that WordPress is the best tool for a particular use case is up for debate. Everyone has their own preferences. But to say that it’s just a blogging platform is a myth.


Myth #5: WordPress Maintenance Is Inherently Messy

When it comes to WordPress maintenance, there are two separate entities to consider:

  • WordPress core software;
  • Themes and plugins;

WordPress core generally releases a few major updates per year. 2019 and 2020 saw three such releases each. Beyond that, there are several minor releases (which update automatically) that patch security holes and squash bugs. Consider core updates as a baseline for maintaining your website.

Third-party plugins and themes are a whole different animal. The number of updates (or lack thereof) is up to each developer. Some larger plugins may push updates every few weeks. Others might not see a change for a year or more.

In theory, the more third-party resources you add to your website, the more there is to maintain. But it goes a bit deeper than that.

So much depends upon the types of themes and plugins you’re implementing. A plugin that powers crucial functionality and has a large user base (such as WooCommerce) is going to require a bit more maintenance. The same can be said for a theme that uses a lot of advanced JavaScript libraries and custom features.

That said, every CMS requires some form of maintenance. This is a positive in that we want to make sure everything is as functional and secure as possible. Can something go wrong? Yes. However, applying updates is still vital.

Maintenance needs can be cut quite a bit by eliminating unnecessary plugins. This will not only save you time, but also help you avoid software conflicts as well. Short of that, there’s an auto update feature that can do a lot of the hard work for you.


WordPress Is What You Make It

When going through these myths and misconceptions, it becomes clear that the WordPress experience is different for everyone. Whether you’ve used it to build hundreds of unique websites or played around with a single blog – we all have a story.

Those stories ultimately shape our perception of what the CMS can and can’t do. Even some confusion over the separation between WordPress.org and WordPress.com can lead us to assumptions about who’s in charge and what is possible.

The bottom line is that WordPress really is ours to bend and shape. Use it to build something big or small, cheap or expensive. Install enough plugins to keep maintenance needs high or go completely barebones. Customize it to your heart’s content. It’s your choice.

There is almost endless flexibility. That’s what has led so many of us to choose WordPress. Just know that, whatever it means to you, there are other perspectives out there worth considering.

Why It’s Getting Harder to Trust the Software We Use
https://speckyboy.com/harder-to-trust-software/
Mon, 30 Jan 2023 22:30:12 +0000

As web designers, we put trust into many apps (particularly open-source), and many have third-party dependencies. It can be a huge risk.

Every piece of software we use requires some degree of trust. Whether it’s a content management system, an office suite, or an operating system – each app we install is a small leap of faith.

We have to trust, for example, that it’s secure, respects our privacy, and works as expected. In other words: we need to believe that the developer has created an app with good intentions and that using it won’t result in any intentional harm.

That belief is tested daily. Security flaws, malicious attacks, and all manner of bugs pose huge challenges. And so much of an app’s reputation depends on how the developer responds to these crises.

But as we are seeing more frequently, trust isn’t solely dependent on an app’s primary developer. That responsibility also spreads to any third-party scripts and libraries their product utilizes.

One prime example is the Log4j vulnerability. A flaw in this popular logging library from Apache made it possible for an actor to arbitrarily run malicious code. Its effects could be devastating.

As if this weren’t bad enough, patching the vulnerability became incredibly complex due to how many other apps and service providers utilize Log4j. This meant that each app had to upgrade its copy of the library, then distribute the fix to users. The process has to repeat again and again.

For web designers, this hits home on several levels. We put our trust into many apps (particularly open-source). And many have third-party dependencies. It puts us and our clients at risk.

Let’s take a deeper look at the issue and what web designers can do to stay safe.



Open-Source Software Is of Special Concern

The saga of Log4j has opened up a proverbial can of worms regarding open-source software in particular. In the United States, the White House held a meeting with top tech firms regarding the security of widely-used foundational software that is maintained by volunteers.

Popular examples include WordPress, Node.js, React Native, and OpenSSL. Beyond that, Google has published a list of over 100,000 projects that are deemed “critical”. They’re relied on by everyone from governments, corporations, educational institutions – right down to personal and small business websites.

This does not mean that any of the items on the list are inherently insecure. Rather, it’s a measure of the potential impact a security flaw could have. As the OpenSSF Securing Critical Projects Working Group (WG) states:

“For our purposes, a critical OSS (open-source software) project is an OSS project that can have an especially large impact if it has a significant unintentional vulnerability, or if it is subverted in either its source repository or distribution package(s).”


Volunteers and Limited Resources

To state the obvious, security holes are not limited to open-source software. Big proprietary projects from the likes of Apple, Microsoft, and other behemoths of tech also have their fair share.

The difference is that these companies have the resources to ensure any issues, once discovered, are promptly fixed. Projects that rely on volunteers may not have such luxuries. Some may need to scramble to find someone knowledgeable who can take appropriate action in a timely manner.

And if a project is no longer maintained? It places a huge target on anyone using that software – whether they know it or not.

The beauty of these projects is that their volunteers are incredibly dedicated. We’ve often saluted those who work behind the scenes of WordPress, for example. The willingness of people to contribute their time and talents is a wonderful thing.

But as Morten Rand-Hendriksen points out, some major systemic issues need to be addressed:

“We are acting as if these are still little hobby projects we’re hacking away at in our parents basements. In reality, they are mission-critical, often at government levels, and what got us here is no longer sufficient to get us anywhere but chaos.”

It’s admirable that a group of people, no matter how small or far-flung, can build an app that makes an impact on the world. But there are no assurances that the project will be sustainable over the long term. That can be problematic.


What Can Web Designers Do?

As web designers, we are in an awkward position. So much of what we do these days relies on open-source projects. And we reap the benefits of them every day.

The good news is that none of the issues outlined above means we have to abandon open source – nor should we. There is too much value to simply turn our backs on our favorite projects. If enough of us did so, that would likely make the situation worse.

Instead, we should carefully consider the apps we are using. Gain an understanding of the project, who’s involved, and the challenges they face. Look at its reputation within the industry and its longevity. Examine its changelog and see how often updates are released. Consider volunteering your time if you are able.

It’s also important to look at which third-party dependencies are associated with a project. This can be difficult to discern, but worth the effort.

Then there’s the role of service providers such as web hosts and APIs. They are additional links in this chain. Because, even if we’re certain that an app we installed is safe, we also need to rely on these providers to maintain their systems as well. Monitor them as best you can and don’t be afraid to ask questions.

Placing blind trust in software is not a wise choice. And while it may feel nearly impossible to keep up with all of this, it’s now a necessary part of the job.

Truthfully, we won’t be able to catch every issue before it becomes something bigger. But we can keep an ear to the ground and be proactive about the software we’re using.

The Web Has an Outdated Software Problem
https://speckyboy.com/outdated-software-problem/
Mon, 21 Nov 2022 07:27:14 +0000

On the web, things don't go away so much as they fade into the background. As quickly as new tech arrives, the old continues to lumber along in the shadows.

Some might say that nothing lasts forever on the web. And that maybe change is the only constant. Favorite websites come and go, as do tools and technologies. Sure, there’s some truth to those statements – but it’s also more complicated.

You see, things don’t really go away so much as they fade into the background. The website that used to be buzzing with traffic might turn into a ghost town. And it’s just as likely that the technology behind that site is also sitting there collecting dust.

But it’s not just those old, unattended sites that have issues. There are also situations where a mission-critical website relies on outdated software. That could be anything from an abandoned WordPress plugin to an unsupported version of PHP.

It’s far from an ideal situation. And many potential problems can arise from sticking with these old standbys. Yet, it’s also the reality of the modern web. As quickly as new tech arrives to grab the spotlight, the old continues to lumber along in the shadows.

The problem is complex – and so are the potential solutions. Is it even possible to rid the web of these dinosaurs?



Why Do Websites Continue to Use Legacy Code?

When you picture a website that uses legacy code – what comes to mind? Maybe it’s a blog that hasn’t seen new content in a few years. Or a defunct online community. You might even think of a dormant business site.

The common thread of these examples is that they’re likely small and inexpensive (perhaps free) websites. Entities that are frozen in time.

Now consider a large enterprise site that is heavily customized. Maybe it includes bespoke functionality that enables customers to pay their bills. There could be a custom WordPress plugin that facilitates a specific workflow for team members.

Custom functionality is expensive and time-consuming to produce. And in some cases, it can be fragile. It might rely on a method or feature that isn’t supported in newer versions of its dependent software. For example, an application that was built for PHP 5 may no longer work in PHP 8.

And while a developer (or a team of them) can refactor the code – it’s not always easy, nor does it always fit within a given budget. Much like the old stories of corporate users who kept Internet Explorer 6 around long after its time, legacy code can live on for years.

The bottom line is that outdated software very much remains in active use. That’s true at both the high and low ends of the scale.


Two Prime Examples: PHP and WordPress

Usage statistics change regularly – and they will undoubtedly shift after this article has been published. But two trends, in particular, are prime examples of outdated software in action: PHP and WordPress.

PHP 5 and 7 Are Still Out There

As of this writing, the latest version of PHP is 8.1. It was released in November 2021, and security updates are scheduled to end in November 2024. Version 8.0 was released in November 2020 (security updates end in November 2023). Version 7.4 was sent out into the world in November 2019 (security updates end in November 2022).

Thus, versions 8 and above have been with us for several years. Yet according to W3Techs’ PHP usage statistics, just over 6% of the sites surveyed are running PHP 8 or 8.1. Meanwhile, 70% are using some flavor of PHP 7, and nearly 23% are still running PHP 5 (which ended support in 2018).

The transition between major versions of PHP tends to be a slow one. That’s likely due in part to changes in compatibility. WordPress and its ecosystem, for example, have had a long road toward full support for PHP 8.

Plus, web hosts haven’t traditionally pushed customers too hard to upgrade (more on that in a bit). At the same time, website owners range from being unaware of PHP to not being overly concerned about upgrading.

In short: there has been little sense of urgency. Or, not enough of it to turn the tide and get more websites using the latest version.


PHP version statistics from W3Techs, as of November 2022

WordPress 4 and 5 Live On

As we go to press (pun intended), WordPress 6.1 has been released. It’s the latest version of the most popular content management system (CMS) known to humankind.

And according to the W3Techs WordPress usage statistics, nearly 60% of surveyed sites are using version 6 or above. It’s significantly higher than the usage rates for PHP 8. That’s probably not too surprising, though.

By comparison, updating WordPress is easier and can even be automated. Site owners and those responsible for maintenance don’t necessarily have to lift a finger to upgrade. Managed hosting providers may also take care of it. And WordPress is known to value backward compatibility, so there’s less chance of a major issue occurring.

But outdated versions are still hanging in there. Version 5 powers 34% of installs, while over 6% of installs cling to version 4.

If there’s any good news, it’s that WordPress core continues to release security updates for several older versions of the software. Still, these sites lose out on new features and performance enhancements. Not to mention possible theme and plugin compatibility issues. Oh, and it’s unlikely they’ll work with the latest version of PHP.

It’s also worth noting that these statistics don’t account for websites running outdated or abandoned plugins and themes. That could be an entirely different galaxy worth exploring, yet just as relevant. This is where the majority of WordPress-related security issues originate.


WordPress version statistics from W3Techs, as of November 2022

Why This Is a Concern

The term “outdated software” can conjure up all sorts of nightmare visions. A person shopping online with an unpatched version of Windows XP comes to mind. It might work, but there are a lot of risks in continuing to use it.

Security is of paramount concern. It stands to reason that using a version of PHP that is no longer receiving security updates is a risk. Attacks that might be easily stopped with newer versions could do damage to a legacy setup.

But so is employing an old JavaScript library or server utility with an open security flaw. Dependencies of all stripes can be dangerous, after all. The recent Log4j vulnerability is but one of many reminders.

Then there are issues of efficiency and performance. Outdated software that lacks the enhancements newer versions bring in these areas can negatively impact user experience, SEO, and energy consumption.

And the more outdated the software, the harder (and more expensive) it may be to get up to speed in the future. Each subsequent version can add obstacles to the process.


Some Web Hosts Are Forcing the Issue

Web hosts have a role to play in helping their customers implement new software. And some are becoming more aggressive in these efforts.

PHP has been a primary target. Some hosts will allow customers to continue running an unsupported version but have begun charging an extra fee. This could be a result of higher support costs for customers using outdated software. At the very least, it’s a way to convince users to upgrade.

Still, others have taken a more hardline stance. They’ll notify customers that use an outdated PHP version and provide them with a scheduled upgrade date. From there, the site is upgraded regardless of whether it has been tested or patched for the new version.

It remains to be seen how effective these measures will be. But cleaning up outdated software is a massive undertaking. Thus, someone must get the ball rolling. Hosts are well-positioned to do so.


Out with the Old?

At 30+ years old, the web has hosted an incalculable amount of software. Consider all the apps – large and small – that have been downloaded and installed on servers over time. It’s no wonder that some were left in place well past their expiration date.

Sometimes this legacy code sticks around out of necessity – other applications depend on it. But it might also happen simply because a site’s owner isn’t aware of the situation. No one may have approached them regarding an upgrade.

In either case, resources are what’s needed to increase modernization efforts. At the enterprise level, this means dedicated time and money to keep things evolving with newer versions.

On the lower rungs of the ladder, education is a key factor. Web hosts are starting to realize the importance of keeping customers informed. And web designers should do the same.

It starts by letting clients know where they stand, the dangers of using outdated software, and the benefits of upgrading. From there, they can make informed decisions.

No, a single upgraded site won’t change the world. But each is a tiny step towards a safer web that can take advantage of the latest technologies.

The Grumpy Designer Takes on WordPress Malware https://speckyboy.com/the-grumpy-designer-wordpress-malware/ https://speckyboy.com/the-grumpy-designer-wordpress-malware/#respond Wed, 12 Oct 2022 06:46:19 +0000 https://speckyboy.com/?p=142729 While some professions fade over time, there will always be a need for web designers. Why? Because with each passing year, the job becomes more complex. New responsibilities arrive that...

While some professions fade over time, there will always be a need for web designers. Why? Because with each passing year, the job becomes more complex. New responsibilities arrive that extend beyond the reach of automated and no-code tools.

Website security is a prime example. It has always been a concern – even when I started on this path back in the mid-1990s. Back then, the primary concern was a hacked FTP password or an angry ex-colleague defacing/wiping out files. These days, it’s so much more. Kind of like a pesky bug that has morphed into a massive sea monster.

And that monster has fully wrapped its tentacles around this grumpy designer. Work has become a vicious cycle of malware infection, cleansing, and reinfection. Then repeat.

The main target of the monster’s malevolence is WordPress. That shouldn’t come as a surprise, as the content management system (CMS) is constantly under attack. It comes with the territory of powering over 40% of the web.

Sadly, I know I’m not the only one facing this sort of debacle. With that, I wanted to share a few rants, thoughts, and suggestions for putting that monster back in its place.



Being Careful Isn’t Good Enough

The cold reality of website security is that there are no guarantees. Virtually every site can be compromised by malware. It happens to even the most careful among us.

As it applies to WordPress, being careful means keeping a few basics in mind:

  • Vetting the theme and plugins we install;
  • Routinely applying updates;
  • Using secure and complex passwords;
  • Hosting the site on a service that takes security seriously;
  • Ensuring that file permissions are in line with WordPress recommendations;
  • Adding extra layers of defense such as security plugins and firewalls;

While there’s more to it than that, the above actions provide a solid foundation. The idea is to protect against the most basic kinds of attacks. Hopefully, it deters some more complex attempts as well.

The frustrating aspect of this approach is that you’re only as strong as the weakest link in your security. Even reputable plugins can contain security holes. And there is a multitude of vectors an attacker can use to cause trouble – including some that we have no direct control over.

Therefore, being careful isn’t good enough to ward off every attack.


Cleaning up a Hack Is a Drain on Resources

Despite taking steps to avoid security issues, hacks still happen. And when they do, cleaning up the aftermath can be an arduous task.

The process involves identifying any malicious files – including legitimate WordPress core files that could have been modified. Security scanners like those found in the Wordfence plugin can help to identify files, but there are caveats.

If a site’s administrator account has been compromised, or an attacker used a security hole to gain access to the WordPress dashboard – all bets are off. They’d have the ability to deactivate a security plugin. From there, they could wreak all sorts of havoc while staying undetected.
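The core-file check described above, as an added example (not code from the original article or from Wordfence): a stand-alone Python script that compares an install against a trusted checksum manifest from outside WordPress, so it keeps working even if a security plugin has been deactivated. The miniature site tree, its file contents, the manifest, and the names `audit_core` and `build_demo_site` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Directories that ship only core files; anything extra in them is suspect.
# wp-content is left out on purpose: themes, plugins and uploads live there.
CORE_ONLY_DIRS = ("wp-admin", "wp-includes")


def md5_of(path, chunk_size=65536):
    """Hash a file in chunks. MD5 is an assumption that matches the constructed
    manifest below; use whichever digest your trusted manifest carries."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_core(root, manifest):
    """Compare the tree under `root` with `manifest` ({relative_path: md5}).

    Returns three sorted lists: core files whose content changed, core files
    that are gone, and files sitting in core-only directories that the
    manifest does not know about.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in sorted(manifest.items()):
        full_path = os.path.join(root, *rel_path.split("/"))
        if not os.path.isfile(full_path):
            report["missing"].append(rel_path)
        elif md5_of(full_path) != expected:
            report["modified"].append(rel_path)
    for core_dir in CORE_ONLY_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel_path = os.path.relpath(os.path.join(dirpath, name), root)
                rel_path = rel_path.replace(os.sep, "/")
                if rel_path not in manifest:
                    report["unexpected"].append(rel_path)
    report["unexpected"].sort()
    return report


def build_demo_site(root):
    """Write a constructed four-file 'install', record its clean checksums,
    then tamper with it. Returns the clean manifest."""
    clean_files = {
        "index.php": b"<?php // constructed stand-in for the front controller\n",
        "wp-admin/admin.php": b"<?php // constructed stand-in for a core file\n",
        "wp-includes/load.php": b"<?php // constructed stand-in for a core file\n",
        "wp-includes/version.php": b"<?php $wp_version = 'X.Y'; // placeholder\n",
    }
    manifest = {}
    for rel_path, data in clean_files.items():
        full_path = os.path.join(root, *rel_path.split("/"))
        os.makedirs(os.path.dirname(full_path), exist_ok=True)
        with open(full_path, "wb") as handle:
            handle.write(data)
        manifest[rel_path] = hashlib.md5(data).hexdigest()

    # Simulated compromise (constructed): one core file altered, one deleted,
    # and one extra file dropped into a core-only directory.
    with open(os.path.join(root, "wp-admin", "admin.php"), "ab") as handle:
        handle.write(b"// constructed: line added after the manifest was taken\n")
    os.remove(os.path.join(root, "wp-includes", "load.php"))
    with open(os.path.join(root, "wp-includes", "cache-helper.php"), "wb") as handle:
        handle.write(b"<?php // constructed: file that is not part of core\n")
    return manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site_root:
        trusted = build_demo_site(site_root)
        for kind, paths in audit_core(site_root, trusted).items():
            for path in paths:
                print(f"{kind:10} {path}")
```

On a live site, the manifest has to come from a trusted source for the exact installed version, never from the server being checked. WP-CLI's `wp core verify-checksums` performs a comparable check against the checksums published by WordPress.org.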

Plus, determining how malware found its way onto your site is rarely simple. I can’t count the number of times I thought I had found the culprit, only to be proven wrong after subsequent infections. It often takes combing through files and studying security blogs to get an answer. Yet some issues can remain a mystery.

Not only is this stressful for everyone involved, but it also hampers your ability to work on other projects. A security breach is an all-hands-on-deck type of situation. If you happen to be a freelancer, then your hands are inevitably tied up with fixing a hacked site.


What Else Can Web Designers Do?

As I previously mentioned, there’s only so much within our control. Web designers can make informed decisions, but our projects can still fall prey to malware. In some ways, it seems like a hopeless situation.

However, security threats aren’t going away. If anything, they’ll continue to grow exponentially. That means we have to keep on trying.

Here are a few strategies that could help:

Become a Plugin Minimalist

Keeping unnecessary WordPress plugins installed is never a good idea, and it can also be dangerous. That’s why it’s worth removing anything you don’t need.

In some cases, it may be worth creating a barebones custom plugin when possible. Malicious bots attempt to sniff out known vulnerabilities within WordPress core and specific plugins. This may be a way to reduce risk while still maintaining functionality.

Regardless, it’s also a good idea to keep up with what’s happening with the plugins you do install. Make sure they are regularly updated and try to avoid any that are no longer maintained.

Ask Clients to Invest in Security

Security can become a significant part of a web designer’s job. A lot of work goes into strengthening a website and mitigating any issues that arise. But our pricing doesn’t always reflect that reality.

Thus, it makes sense to ask clients to invest in this area. By recommending security-related tools and services, you’re proactively adding extra layers of protection. And by including regular security checks in your maintenance packages, you’ll be keeping a watchful eye on what’s happening.

Another benefit of this strategy is that you’re raising awareness of security. When clients have a better grasp of the subject, they’ll be more likely to take preventative measures.

Make a Plan for Cleanup

It’s safe to say that none of us want to deal with a hacked site. We do everything we can to try and prevent it from happening. And…it happens anyway.

As such, it’s better to prepare for this scenario rather than bury your head in the sand. Develop a process that helps you efficiently clean up a compromised site.

It may not always work the first (or second) time. But each failure is a good learning experience. Eventually, you’ll refine the process and increase your odds of success.

Get Some Professional Help

Managing website security is messy and frustrating – enough to put any of us into therapy. That kind of professional help is always welcome. But it’s not the kind I’m talking about here.

Rather, I’m talking about working with security professionals. For example, services that help to lock down your clients’ websites and rid them of any infections.

There’s a cost involved – one that you can pass along to your clients. And it may just save your sanity in the long run.


Malware Chaos Is the New Normal

In some ways, securing a website is like a game of cat-and-mouse. For every gap you close off, another one appears. Malicious actors are constantly evolving their methods for penetrating WordPress and other platforms. And none of us are immune.

This makes our job more difficult and time-consuming. And it also makes website maintenance more expensive for our clients.

Certainly, this is not what I envisioned when I started as a web designer. It’s unlikely that many of us got into this industry because we enjoy cleaning up malware. But like it or not, this is the new normal. And we’re the last line of defense against this proverbial sea monster. We can’t afford to go down without a fight.

After Internet Explorer, Who Will Be the Web’s Next Nemesis? https://speckyboy.com/who-will-be-the-webs-next-nemesis/ https://speckyboy.com/who-will-be-the-webs-next-nemesis/#respond Mon, 11 Jul 2022 07:40:33 +0000 https://speckyboy.com/?p=141522 While no longer having to support IE is a reason to celebrate, what will we do without our favorite nemesis? Who or what could replace it?

26 years after its launch, Microsoft’s Internet Explorer is dead (well, sort of). Much has been written about the troubled web browser’s swan song. I jumped onto the bandwagon, sharing a silly poem to commemorate its sendoff.

The software saw quite a few ups and downs along the way. It started as a challenger to Netscape and didn’t take long to become a market leader. But there was also a lack of support for standards, a push for proprietary code, and a monopolistic scandal.

For web designers, IE was the thing we loved to hate. If you tried to build a cross-browser-compliant website during its heyday, you likely ran into some trouble when testing in Microsoft’s browser.

Layouts could be messy, as support for newer techniques like CSS Grid and Flexbox was lacking. And it seemed like there was always that one client or customer who used IE – meaning you had to provide a fallback.

While no longer having to support IE is a reason to celebrate, its demise does bring about a bittersweet feeling. What will we do without our favorite nemesis? Who or what could replace it?

It just so happens that the modern web has several potential candidates. Here are a few who could take the throne.



Tech Companies with Outsized Influence

For a time, Microsoft had a stranglehold on the browser market. And IE could be considered a means for the corporate giant to put its mark on how the web would evolve. But as the browser stumbled, the company’s influence shrank along with it.

These days there are a handful of companies that have a huge say in what happens on the web. A decree from any one of them can send web designers scrambling to account for whatever change they’ve decided to implement. Among them:

Google

It seems like everything Google does has an impact on our industry. For example, a change to its search algorithm means having to tweak SEO to stay relevant.

But it goes well beyond their search product. As the current top dog in the browser battle, Chrome is in a position to adopt standards and push technologies that potentially benefit Google. Competitors such as Firefox are struggling to survive, let alone take a bigger piece of the pie.

Core Web Vitals now dictates what performance metrics we need to adopt. And Google’s AMP project compelled publishers to participate – even if it wasn’t in their best interest.

Microsoft may have dreamed of such influence, but Google achieved it.

Facebook

With billions of users, Facebook controls mountains of data. And how they decide to use it affects both everyday people and businesses.

If you use the service, consider the typical items you see in your feed. Facebook has decided what’s relevant to you. It’s possible to see updates from friends and family, but you’ll also get a mix of posts from other sources – whether you’ve subscribed to them or not.

For businesses and non-profits, reaching your audience (even the ones who “like” your page) can be incredibly difficult. That is unless you pay to promote your content.

More directly of concern to web designers, implementing Facebook’s API into your projects means giving up some level of control when it comes to performance and privacy.

Like Google, Facebook’s services are often seen as necessary and unavoidable. As such, web designers have to deal with them – like it or not.


No-Code Tools

I know, we’re all supposed to embrace the no-code revolution. And there’s something to be said for tools that do some of the dirty work for us. Why craft a CSS Grid layout when a page builder can do it for us?

Many of these products do their job pretty well. The WordPress Gutenberg block editor, for example, has vastly improved since its initial release. There’s a learning curve. But once you get accustomed to how this and other no-code tools work, you can achieve some solid results.

But they can also be quite frustrating to work with. For example, if you want to implement a particular feature that one of these tools doesn’t offer, it can require an uncomfortable (and possibly unsustainable) workaround.

Performance can also suffer. Some tools add lots of overhead in the form of JavaScript or CSS. And, even if the code works, it can still conflict with other parts of your website.

While the right tool adds a layer of convenience, it may also require us to accept some serious tradeoffs. That could draw the ire of many a web designer.


Malware and Malicious Actors

Perhaps there’s never been a more dangerous time to manage a website. Malware is all around us and tends to rear its ugly head at the most inconvenient of moments.

And the people who create and spread this malicious code aren’t being effectively deterred. If anything, the market for bad actors is continually growing. Not to mention the increased sophistication of their attacks.

It has become a recurring nightmare for web designers. Cleaning up SEO spam, restoring infected databases, and attempting to harden code – only for it to happen again and again. It’s a real-life game of Whack-a-Mole.

Even worse is that solutions don’t appear to be on the horizon. Both web hosts and software developers are trying to level up, but key breakthroughs seem hard to come by. And now insurance companies are starting to take web security into account when selling policies. That’s not going to help.

The burden of securing the websites we manage is enough to make any web designer question their career choices.


The New Multi-Pronged Nemesis

When Internet Explorer debuted, the web was still a relatively new phenomenon. People were excited by the prospect of a truly global community and the information superhighway.

Save for Google and a few other services, IE was one of the last remaining relics of that era. And unlike those that are still around, it never quite evolved to the point of staying relevant. It may be that IE’s only claim to fame in the past 15-20 years was that it made web design harder.

This made it stand out in a way that Microsoft couldn’t have imagined back in the 1990s. It’s likely the reason they released IE’s successor, Edge. IE was simply too tainted to continue.

Today, there is no singular bogeyman. The web is many times the size and complexity of what it was back in the day. And, as referenced above, there are several companies, products, and maladies that impact us. You could theoretically pick a new one to curse each day.

IE was alone in its time and an easy target. In some ways, that almost seems quaint compared to the environment web designers face today.

A single nemesis that tries to ruin our good time? If only.

Why Third Parties Are Taking an Interest in Your Client’s Website Security https://speckyboy.com/third-parties-interest-clients-website-security/ https://speckyboy.com/third-parties-interest-clients-website-security/#respond Mon, 16 May 2022 06:17:25 +0000 https://speckyboy.com/?p=139920 For years, security processes were between a designer, host, and client. But increasingly, other third parties are taking an active interest.

Website security is serious business. That’s not news to most web designers. It’s something we have to account for in how we build, the hosting company we use, and the software we trust.

And while there are plenty of best practices to follow, securing a website is a major challenge. Fending off automated attacks against content management systems (CMS), training clients, and continuously updating software take their toll. We can lessen the risks, but can’t fully mitigate them.

For years, security processes were primarily between a designer, host, and client. But increasingly, other third parties are taking an active interest. And web designers are getting caught in the middle.

If this hasn’t impacted you yet, it may be just a matter of time. Thus, freelancers and agencies need to take notice of this trend.

Let’s take a look at what’s happening and how web designers can be prepared.



Who’s Involved?

Granted, third-party interest in web security isn’t completely new. eCommerce sites have long had to deal with PCI compliance. And government regulations have aimed at areas such as user privacy – which could also be considered a security concern.

However, there seems to be increased input from other sources – particularly the insurance industry. They’re becoming keen on web security as it relates to their clients.

Organizations that require insurance, such as businesses and non-profits, are very likely to have a website as well. Just as they take a physical location’s well-being into account, insurance companies are starting to look at websites in the same way.

For example, let’s think about a typical brick-and-mortar retail store. Before providing insurance to a retailer, an insurer might consider:

  • The structural integrity of the building;
  • The types of merchandise being sold;
  • Any anti-theft security measures the retailer has put in place;
  • The number of employees;
  • Yearly revenue;

We’re now seeing similar concerns being extended to websites.


What Aspects of Website Security Are They Looking At?

Securing a website requires constant effort and encompasses several areas. Some factors, such as web hosting and SSL certificates, are fairly universal. But others may depend on how the website was built.

That means a static HTML site will have different security needs from one built with WordPress. And then there’s integrating third-party APIs, data collection, and financial transactions. Each presents a unique challenge.

Yet, there’s no guarantee an insurer is going to take a realistic view of these nuances. They may well employ an all-of-the-above strategy, even if specific elements don’t apply to a client’s website.

Industry veteran (and a colleague of mine) Wayne Kessler opines, “My biggest concern is the creation of unnecessary work and cost due to contractor (which is what an insurance company or a security consultant is) specified ‘standards’ that are oversized to risk. A cyber insurer’s job is to sell insurance that preferably won’t have any claims on it.”

He continues, “So, they can want websites locked as tightly as possible without due consideration of the ramifications of functionality or cost. It is not always possible to limit login access to a small IP range. SFTP is still needed for sites. A client might need to be able to send files back and forth to their designer. Workflow, site management, user functionality – these cannot be ignored when talking about security without the possibility of greatly reducing the value of the website.”


Advice for Web Designers

As is often the case, web designers are liaisons between our clients and a third party. In this case, insurers will hand clients a laundry list of website security considerations. From there, it’s up to us to make sense of them, implement what’s feasible, and effectively communicate.

There are a few potential roadblocks. The biggest is that you may not have control over every situation. For instance, some security measures may require the cooperation of a web host or plugin developer. Whether or not they comply is entirely up to them.

The potential cost is another consideration. The investment required to implement certain items may go beyond what your client is willing or able to pay.

Kessler says that web designers need to stay in the loop during the process, noting that “security standards seem to be expanding quickly with the growth of these industries, but that doesn’t mean these standards should apply to just any website. If you don’t take financial transactions on your website, or if you don’t keep user/customer data on your website, there are recommendations for these that should not apply. Beware of ‘oversizing’ the needs for security protection.”

It’s also important to recognize that many hands play a role in website security. According to Kessler, “Every story we read about identity theft comes from a gap in data protection. Web designers don’t want to be an identified gap. Similarly, you don’t want to manage a site that has a virus, is generating spam, or is locked up by rip-off artists. There are options to mitigate those risks. Web designers, and website owners, should take those options.”

The key is to control what you can and make sure your clients have an understanding of what’s involved.


Dealing with the Increasing Complexity of Web Security

As if web security wasn’t already a complex subject, the introduction of insurers and other third parties only adds to the stress. For web designers, it seems like yet another burden placed on our shoulders.

Still, this is part of our ever-evolving job description. As building and maintaining websites continue to change, it’s up to us to stay on top of best practices. In a sense, this development is a natural extension of that evolution.

Thankfully, the skills we’ve picked up in communicating with clients and adapting to new technologies can serve us well. Those experiences have prepared us to take this new challenge head-on.

Wix Goes After WordPress: One User’s Take https://speckyboy.com/wix-goes-after-wordpress/ https://speckyboy.com/wix-goes-after-wordpress/#respond Wed, 14 Apr 2021 21:38:41 +0000 https://speckyboy.com/?p=128057 This isn’t exactly a Coke vs Pepsi type of rivalry. In terms of market share, it’s more like an ant (Wix) flicking a speck of dirt on Godzilla (WordPress).

It started with some fancy Bose headphones being sent out to a select few people who were deemed “influencers” in the WordPress space. From there, it led to some bizarre videos purporting to be from WordPress which stated that competitor Wix was going to start a campaign “trashing” the market-leading content management system (CMS).

Of course, this was all a marketing ploy by Wix, the DIY website provider. The goal is a bit fuzzy, but perhaps it’s to demonstrate its developer-focused features. All the while, it also attempts to make WordPress look like a hot mess.

In response, WordPress co-founder Matt Mullenweg posted his own take on the shenanigans. He mentioned Wix-related customer service issues, alleged code theft and the fact that Wix doesn’t allow users to export their website content for use elsewhere. Subsequently, Wix CEO Avishai Abraham offered an open reply of his own.

Nothing like a good old-fashioned internet fight to get the CMS-wars going! But this isn’t exactly a Coke versus Pepsi type of rivalry. In terms of market share, it’s more like an ant (Wix) flicking a speck of dirt on Godzilla (WordPress).

The WordPress community has reacted with a mix of disdain, bewilderment and amusement. But what does it all mean? Allow me to try and make sense of this free-for-all.



The Attacks Make Wix Look Like a Bully

Competing products go after each other all the time. Everyone from automakers to retailers takes digs at each other. So, why is this any different?

For one, WordPress is an open-source project. It boasts a very large, active community of users and contributors. People from around the world volunteer their time to keep the project going. Or maybe Wix is talking about the Automattic-owned WordPress.com. But the campaign doesn’t seem to really differentiate between the two.

Wix is a corporately-owned, proprietary system. They sell a service. While they may be considered the “little” guy in the fight, they are far from a penniless or powerless organization.

And it’s the organizational difference that makes Wix look bad. The fact that a for-profit company is going after a free, open-source competitor could be seen as bullying. Almost like a grocery store attacking a food bank.

While Wix has every right to communicate and declare its self-described advantages, the manner in which they’ve chosen to do so seems unnecessarily abrasive. Perhaps it’s a way to get attention. Whether it’s the kind of attention that actually benefits them may be another matter.

Screen capture of a Wix video ad.

WordPress Isn’t Immune to Constructive Criticism

I believe the WordPress community has a right to be on the defensive here. They’ve invested a lot of blood, sweat and tears into the software. That collective effort has created a strong bond amongst users and with WordPress itself.

Therefore, an attack on the CMS is seen as an attack on the community at large. The video portrayal of WordPress as an impersonal, error-prone platform goes against the views and pursuits of many in the community. It implies that the work people have put into the project isn’t good enough. As if contributing to something bigger than oneself were a fool’s errand.

That’s not to say that everything is perfect. WordPress has its own shortcomings and areas that could stand to improve. Like all software, it’s a continual work-in-progress.

If Wix wants to call attention to issues such as plugin conflicts, security problems or maintenance requirements – that’s fair game. A critical eye towards real issues should always be welcomed, whether it’s from a competitor or within the WordPress ecosystem itself.

Competition is often one of the best ways to bring about these types of moments. It provides a crucial opportunity for self-reflection and improvement. Running completely unopposed certainly doesn’t fuel the same kind of evolution.

WordPress Plugin Screen

What Could This Mean for the Future of Both Apps?

The immediate result of this kerfuffle is that Wix gets some attention, while WordPress fans become agitated. In some respects, that could be viewed as a win for the challenger.

Yet the long-term effects will be the true test. Will Wix be able to poach enough users away from WordPress to make this all worth their while?

The market share disparity (41% for WordPress, 1.5% for Wix as of this writing) is massive. This means that, even if a relatively small number of users make the switch, Wix can claim growth. For argument’s sake (and realistic or not), let’s say 1 million websites did so. That number means a whole lot more to Wix (a million paying customers) than it does to WordPress.

Meanwhile, it’s hard to imagine that any of these attacks will put a significant dent in WordPress’ continued growth. It will stay the market leader by a large margin for the foreseeable future.

Still, when you look at it this way, it’s easy to see why Wix wanted to pick a fight. Will it actually pan out? Time will tell us the answer.
