Blog Security 101 – Part 1

Blog and lock

There is no doubt that WordPress is the most popular web application for building a presence on the Internet. Currently, there are over 74 million web sites using WordPress and that number makes up a staggering 18.9 percent of all web sites on the Internet. But being so popular has a price; when the bad guys know that so many people use your software it becomes a target. Add to the mix the fact that your application is so easy to use that people without a great deal of technical knowledge can operate it and you start to make malicious hackers salivate; just ask Microsoft.

According to research conducted by the security firm Sophos, 73 percent of WordPress installations are found to be vulnerable to attack. This means that the application has not been hardened by the site’s owner to the point where an attacker could not break into the site by exploiting any known vulnerabilities.

If those facts have you worried take a deep breath and relax. We’re going to show you some ways that you can better secure your blog against malicious hackers and make it difficult enough that most attackers will move on to an easier target and leave your site alone.

The very basics

If we are going to look at security from the ground up it is important to understand some of the terminology that is thrown around. The word hacker is used outside of the security industry to describe the bad guys who are trying to compromise your blog. The pros, on the other hand, opt for the terms threat actor, criminal or attacker; most of them despise the term cybercriminal. A breach is when a threat actor successfully breaks into your system, in this case your blog, and this is done by exploiting a vulnerability.

Most of the time, we think of the attacker as someone who is trying to break into our site so they can steal financial information like credit card numbers or usernames and passwords. These are common targets of the threat actor, but they are not the only reasons why they might target your blog.

Blogs are targeted by some attackers to help other sites rank better in the search engine results. A blog is breached and the attacker injects links to another web site in the comment section or even in the posts themselves. These links might not be easy to spot, since the attacker can easily remove the text-decoration and change the color of the anchor text so they blend into the page. These links can harm the reputation of the breached site since they often point to low-quality sites, web sites that promote illegal or illicit activities, or sites that host malware. Which brings us to another reason why WordPress sites are often targeted.

One of the most common reasons why a site might be attacked is so that the criminal behind the attack can upload malware to the targeted site. When this happens the malware can be used to exploit vulnerabilities in the web browsers of the site’s visitors. Malware is then loaded onto the visitor’s computer just because they went to a blog, and it might even be a blog that they trust. Sites that are guilty of this are flagged by search engines like Google and are usually removed from the results costing the site a great deal of traffic and causing a great deal of damage to that site’s reputation.

The last type of attack we will mention here is known as a Denial of Service attack. This occurs when the attacker knocks a site offline so that legitimate visitors cannot access it. Usually this is done by flooding the server with enough traffic and requests that the web server hosting the site just gives up. Attackers typically use other people’s computers to do this, ones that have been infected by malware and taken over, or they use other amplification techniques. These attacks can come at the hands of a hacktivist, someone who is trying to take the site down for political or social reasons; a competing business or web site; and sometimes a young threat actor who is trying to hone their skills.

How they get in

We mentioned vulnerabilities earlier as the way attackers breach a blog. These vulnerabilities can come from a number of places:

  • The WordPress code itself
  • A plugin
  • A template
  • Brute force attacks
  • The user

WordPress itself is a software application and at times, people find holes in the code. Many times, it is the wp-config file or the wp-includes folder that are targeted. When these holes are found, the people who maintain WordPress work to patch it so that the hole is no longer a vulnerability. This is one reason why WordPress is updated and the most important reason to make sure that you are always running the most current version of WordPress on your site.

Plugins present the same problem; they consist of code and can have holes in them that allow attackers in. For this reason, you should be careful about what plugins you install on your site and you should make certain to remove any plugins that are not being used. Plugins have also been known to have exploits written into them with the purpose of giving attackers access to any site that installs and activates them. This is not a common scenario, but it has happened. The best way to avoid this is to install plugins from the WordPress Plugin Directory. This is much safer than downloading the plugin from another site, as WordPress monitors the plugins in its directory.

Likewise, templates have been known to house security holes as well. Those inactive themes that are sitting in the themes directory and haven’t been updated since you installed them could be just the thing an attacker is looking for. There have also been themes that contained malicious code in them that can be used for nefarious things.

Brute force attacks are another common method used to breach WordPress blogs. An automated system seeks out blogs running the WordPress application and then goes to work trying to guess the password for the admin username. Since most blogs keep the admin account active, and with administrative rights, the attack need only guess the password. This isn’t too hard for a program that can guess hundreds of thousands of passwords a minute when you consider most passwords are ridiculously simple.
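The brute force pattern described above shows up in the web server’s access log as a burst of login POSTs from one address. As an added example (not part of the original post), here is a small Python script that flags that pattern over a few constructed Apache combined-format log lines. It assumes that WordPress answers a rejected login to wp-login.php with HTTP 200 (the form is re-rendered with an error) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.9 - - [20/Jan/2014:11:22:58 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2014:11:23:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2014:11:23:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2014:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:30:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:30:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
203.0.113.7 - - [20/Jan/2014:11:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2901 "-" "python-requests/2.2"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    # Assumption: a rejected POST to wp-login.php gets a 200 (form re-rendered),
    # a successful one gets a 302 redirect into wp-admin. Plain GETs are page loads.
    return rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") and rec["status"] == 200


def failed_logins_by_ip(log_text):
    """Group the timestamps of failed login attempts by client IP."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["time"])
    return failures


def max_in_window(times, window_seconds):
    """Largest number of failures that fall inside any window of window_seconds (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Map each IP whose burst of failed logins reaches the threshold to the size of that burst."""
    flagged = {}
    for ip, times in failed_logins_by_ip(log_text).items():
        burst = max_in_window(times, window_seconds)
        if burst >= threshold:
            flagged[ip] = burst
    return flagged


if __name__ == "__main__":
    for ip, burst in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {burst} failed wp-login.php POSTs within 60 seconds")
```

A single failed attempt followed by a successful redirect, as from the first address, is what a legitimate typo looks like; the sliding window is what separates it from the automated guessing the post describes.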

The final vulnerability we will look at here is the user. It was mentioned previously that there are sites out there that exploit holes in a web browser and install malware on the computer of a person who visited that site. Malware can also be installed through phishing attacks that contain malicious attachments and even through older methods like file sharing. Malware can do a number of bad things on a computer, and one of them is capturing keystrokes. In practice, this means the attacker can see that a person is logging into a WordPress site and can steal the URL, the username and the password. This is just one more reason why you should run up-to-date anti-virus software on your computer, especially if you use that computer to access your blog.

Fighting back

A majority of attacks against WordPress sites happen because they are considered low-hanging fruit by the attacker, meaning they are easy to breach. Many of these attacks are so simple for the bad guys that they are automated, and the attacker never has to do more than let a few programs run to compromise thousands of WordPress sites.

While no WordPress site, or any other computer system, will ever be 100 percent secured against attacks, you can make it more difficult for any attacker who targets your site. If you have done a good enough job at hardening your site, they might move on to an easier target. If they are intent on breaching your site, and they are able to successfully do so, your goal will be to identify the breach and clean up your site as soon as possible.

To help you better secure your blog, we have part two of this series coming soon. In the follow up post we will look at plugins, code hacks and other things you can do that will harden your blog against a majority of the common attacks out there.

How To Use Google Hangouts On Air To Promote Your Brand

With the steady and significant uptick in algorithm updates since 2004, Google has notified the internet of the importance of quality. The king of search has always set the standard when it comes to search engine etiquette, and its search facility still serves as a major gateway for website traffic. Although the avenues available for large-scale traffic have widened to accept social media authority and activity, gaining traction with as many mass market distribution vehicles as possible is paramount to creating a well-known digital blueprint.

Many of the methods for online customer acquisition have changed, but there are still some free workflows that deliver as much value as many of the best paid solutions. The common ingredients to making them work are a little knowledge, and a bit of elbow grease. Once you get over the shallow learning curve, rinsing and repeating becomes routine.

Google Hangouts has proven to be a disruptor to the online web conferencing scene, in that it provides a free solution with many of the same features that were previously only available for a steep monthly price. While there are many advanced ways to integrate this technology, including utilizing flash media servers, Amazon EC2 hosting, and multiple premium WordPress plugins to take advantage of the technology, we will show you how to get up and running with the essentials.

A setup of this nature is not only feature-rich and cost-effective, but very powerful when it comes to organically attracting, engaging, and converting new visitors into clients, customers, fans, and sales.

Upsides and Downsides of Google Hangouts on Air (GHO)

Pros:

  • Free to use
  • Streams live on your Google+ Profile and your YouTube channel (with most accounts)
  • Recorded content shows up prominently in search results (at the moment)
  • Highly engaging, trusted format that builds credibility, and allows for “selling without selling”

Cons:

  • Video resolution is not always the best
  • Need to be creative to promote your event beforehand (no pre-event permanent URL)
  • Takes a few dress rehearsals to understand the workflow
  • While viewing is unlimited, only 10 live producers can present the event at the same time

Basic Layout

On the left side of your main GHO dashboard, you’ll see a few icons that you will use to make the user experience ripe with collaboration and interactivity. Keep in mind that only users who access the Hangout through your Google+ profile will be able to take advantage of all of the features.

The top icon is for inviting friends to your Hangout. If you are inviting people who are already in your Google Circles, then it’s easy to copy the URL at the top of your Hangout window, and paste it in an email, or wherever. If invitees are not already in your circle, then there may be issues with signup, reminders, and the like.

The next icon down is used to popup a chat window, in the event that you need to have a moderated conversation with an attendee or attendees while the event is going on. Here, you can paste relevant links and resources that you deem useful for your audience in real-time. Another icon allows you to share your screen.

Near the bottom of the menu is a Google Drive icon that allows you to share documents during the live session. Attendees can collaborate on active documents without writing over the work of other attendees. The sky is the limit when the live video aspect is combined with the collaborative documents feature.


Google Hangouts on Air Pre-Event Flight Check

Just as an airplane goes through a flight check, you’ll want to follow a routine with your GHO workflow for maximum efficiency. While snags are a part of technology, each delay dilutes the effectiveness of your live and post-event efforts. Keep in mind that as the number of presenters grows, so do the logistics, including different time zones, microphone setups, and internet speeds, to name a few.

The first step in synchronizing producers is making sure that each presenter has a Google+ account from Gmail. It’s a good idea to email presenters a screenshot of the Gmail dashboard, and direct them to the Google+ signup link that appears in the top right or left corner:


If they haven’t already, it is a good idea to make sure presenters have filled out their name and avatar profile information. Other essentials include a photo, a tidbit on their personal background in the description area, and their display name.

HOA Presenter Setup

Whether you opt to do a dress rehearsal or send setup instructions to your group of presenters, the professionalism of your GHO presentation is directly related to your preparation. Coming off as unpolished does lend some authenticity, but large gaffes will decrease the trust and credibility that comes with this presentation medium.

Here are a few general tips to remember when aiming for nice-looking presentations:

  • Maintain ample lighting (computer cameras have a habit of producing dark video)
  • Mute your microphone (unless you are speaking)
  • Choose a quiet area (even computer “humming” can be loud on camera)
  • If possible, angle your camera down on your face, and position yourself so that you are visible from the shoulders up

Combining Google+ Events With GHO

Creating a GHO event is a great way to leverage the search engine power of Hangouts, and increase awareness of your product or service long after your event has passed. Take these steps to integrate Google Events and Hangouts:

  1. Create a Google+ Community
  2. Share your event from the share box
  3. Clicking on the “Text” icon will create your event
    • Name and write a description for your event (as mentioned earlier, no pre-event Hangout URL is available)
  4. Under your event advanced settings, click the “On Air” button (this alerts event attendees that your event is a virtual one rather than a physical one)
  5. Just prior to starting your event, navigate to the Hangouts menu, and click the “Start a Hangout on Air” button
  6. Get the YouTube URL from the embed link located at the top right of the Hangout dashboard, navigate to the Google Community you just created, and click on the Video icon
    • Share your YouTube URL in the share box (now it is automatically shared in your Google Community and Google+ pages)
  7. Press “Start” to begin recording the broadcast, and “End” to finish

Your Google Community followers can now see which events are being live-broadcast, and view them even after the event. If you wish to delete the recording, you can do so from the YouTube Video Manager associated with its respective Google Plus account.

This should give you the tools you need to start running successful Google Hangouts on Air. Regularly doing so will give you consistent access to a pipeline of new potential customers and fans of your products and services. Combined with their increased shelf-life due to organic search, GHO can be a vital part of a comprehensive new media outreach campaign.

Rel=Author: Increase Click Through Rates and Social Rankings


Traffic. That’s the name of the game. If you have traffic, you’ll be able to turn that into a strong, loyal audience, and then finally, you’ll be able to make money off them.

Getting that traffic, though, is difficult. I’d be remiss to say that getting people to come to your blog, participate, and hopefully result in profit is an easy task. It’s anything but easy. Tiring, stressful, and often demoralizing.

Rel=Author

Now that I’ve gotten the gruesome out of the way, let me lay out a tactic that should help you to increase your rankings in Google, increase your click-through rates (CTRs), and have the right people coming to your site that will increase your profitability. Is it the be-all and end-all of getting an audience? There isn’t one way to do that. But if it can help increase your organic traffic by over 30%, perhaps it’s well worth your time.

The tactic that I am referring to is the implementation of the “Rel=author” tag on your site. For those that haven’t seen, this enables a small face of the author to appear to the left of the result. Since most of the results don’t have this, it draws the searcher’s eye to it. While it’s not the only variable that entices a click—your title tag and meta-description are definitely big parts here—it will help significantly.


Just one last thing before I explain the details. There are actually two variables. The “rel=author” and the “rel=me” tags. The basic structure works as follows: you set up a Google+ account, add the site that you are a contributor to, and then link to your Google+ account on your site. That makes the connection. But you can also link to other pages with the “rel=me” tag that tells Google those other links are also part of your network.

In other words … you should link to your Twitter account using “rel=me.” That’ll tell Google which Twitter account is YOUR Twitter account.

So the question is: how do we set it up on our own sites? I’m glad you asked.

Step 1: Google+

If you thought you were going to get away from Google+, you were mistaken. Google’s social networking site is alive, kicking, and ready to try and dominate. Google will do whatever it can to make their social network work. So play along.

If you haven’t already created an account, create one. But assuming you have, head on over. When Google+ loads, it always displays your posts to constantly remind you that you should participate. Click “About” in the navigation. Scroll down until you get to “Links.” This includes links to anything of yours off site: your other social accounts, your blog, and any sites that you contribute to.

Punch in the URLs that you write for and voila, you are done with this step. This is Google’s way of having a control variable when setting up the authorship tag. It’s also how Google pulls data so that it will include your name, your picture, and the number of people in your circles.


Step 2: Your Site

Now you need to put the code on your site so Google knows to search for your Google+ account. That sentence is a bit tricky to understand, but it works like this. The Googlebot lands on your page and starts to read your site’s information. It stops at “rel=author” and sees either a link to your Google+ or the profile number. It holds this information and then continues reading the rest of the page. I would need 20,000 words (or more) to explain the details of everything that helps your site rank.

I digress …

You’ll need to put the following into the header:

Just copy/paste from your Google+ and subtract the /posts/ Google always adds.

But since most of you are likely building your blog on WordPress—I really hope all of you—then there is a far simpler way to do it.

Some WordPress frameworks, such as Genesis, come with the functionality for Authorship already built in. Therefore, all you need to do is go to your profile page in the backend of WP, locate the Google+ section, and paste the Google+ URL.

Then you’re done.

But if you’re not using a framework, all you’ll need is one of the two big SEO plugins available today: All in One SEO Pack or Yoast SEO. My favorite is Yoast, but either one will result in the same outcome.


Just like with the framework, both of these plugins take the data from your WordPress profile. A new field shows up in your profile; paste your URL there and it’s connected. To confirm this is happening, go to publish a new article and it’ll include a drop-down of Author metadata.

Step 3: Test

Just because you’ve added the code doesn’t mean it’s going to work. Fortunately, Google has provided us with a simple tool called the “Structured Data Testing Tool” to guarantee that your implementation has worked. Copy and paste one of your articles into the tool and if it’s working, it’ll say: “Your authorship setup is finished. Congratulations! However, please note that Google will only show your author portrait in search results when we think it will be useful to the user.”

If it doesn’t confirm that it’s working, you’ll need to go back and make sure you added the correct URL to your profile or in the SEO plugins or you’ll need to confirm that you connected the correct site to your Google+ contributor section. If both are working, your test should come up positively.
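The checks in Step 3 can also be run locally before you reach for Google’s tool. As an added example (not from this post or from Google’s Structured Data Testing Tool), this Python script finds the rel=author link from Step 2, strips the trailing /posts that a copied Google+ URL carries, verifies the link points at plus.google.com, and collects any rel=me links. The sample page and the profile ID in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a rel="author" link to a Google+ profile (ID is a placeholder,
# still carrying the /posts suffix a copied URL has) plus one rel="me" link in the body.
SAMPLE_HTML = """
<html><head>
<title>Example post</title>
<link rel="author" href="https://plus.google.com/PROFILE-ID-PLACEHOLDER/posts"/>
</head><body>
<p>By <a href="https://twitter.com/example_handle" rel="me">@example_handle</a></p>
</body></html>
"""


class RelLinkCollector(HTMLParser):
    """Collect href values of <link> and <a> elements keyed by the rel tokens we care about."""

    def __init__(self):
        super().__init__()
        self.links = {"author": [], "me": []}

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attr = dict(attrs)
        href = attr.get("href")
        # rel is a space-separated token list, e.g. rel="me nofollow"
        for rel in (attr.get("rel") or "").lower().split():
            if rel in self.links and href:
                self.links[rel].append(href)


def normalize_profile_url(href):
    """Drop a trailing slash and the /posts suffix Google+ appends to a copied profile URL."""
    url = href.rstrip("/")
    if url.endswith("/posts"):
        url = url[: -len("/posts")]
    return url


def check_authorship(html):
    """Report whether the page's authorship markup is usable and what it points at."""
    parser = RelLinkCollector()
    parser.feed(html)
    authors = parser.links["author"]
    problems = []
    if not authors:
        problems.append("no rel=author link found")
    elif len(authors) > 1:
        problems.append("more than one rel=author link; keep exactly one")
    profile = normalize_profile_url(authors[0]) if authors else None
    if profile and urlparse(profile).netloc != "plus.google.com":
        problems.append("rel=author does not point at a plus.google.com profile")
    return {
        "profile": profile,
        "me_links": parser.links["me"],
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_authorship(SAMPLE_HTML))
```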


But I’m Just a Writer

So let’s say you’re the minority visitor to this site and you’re not interested in running a blog, but rather, you just want to write on other blogs as a freelance writer. It’s a great career and you can make plenty of money.

There is a theory in the SEO community that Google will start to gauge your authority based on the types of articles you write, where you publish them, and other unknown variables. In other words, if you write about finance on a diverse number of sites, Google might see you as an authority in finance.

As a freelance writer, this is very valuable for you. You are, effectively, bringing your authority to other sites. Should you get a job writing an occasional column for another site, that site benefits from your authority as well; therefore, you are in a position to negotiate. If you ran a site about SEO, would you pay more for a beginner or an expert? If you have a ton of authority in Google’s eyes, other sites are going to pay you more money. Period.

None of this has really been proven yet, but ask yourself: if you could prepare for the future of SEO before it happens, would you do it? If the answer is no, you’re likely in the wrong business. There is no harm preparing and even if it never comes to that, you’re still going to have the picture in the SERPs which will, inevitably, increase the CTR.

You should know that Google is constantly changing which pages it shows the data on. About a month ago, there was a report that the image snippet had stopped showing on real estate sites. Does this mean that Google is against commercial sites and views real estate as commercial? Who knows? But what we do know is that Google always changes.

Increasing your click-through rates, getting more traffic, and planning for the future is what you’re doing when you implement the authorship tag.

If you have trouble setting up your Authorship, please post in the comments. I’ll try to help you figure it out. But if you’re using WordPress, you’re likely going to have it done in about two minutes. It really is that simple.