
Make Yourself Heard With The WordPress Editor Experience Survey

If you’re a regular user of the WordPress editor interface, you might want to make your thoughts known by completing the Editor Experience Survey.

The survey is part of the WordPress project’s attempt to understand how WordPress bloggers and professionals use the tools WordPress provides. It shouldn’t take more than a few minutes to complete, and it will provide valuable information WordPress’ developers can use to focus their efforts as work continues to improve the editing experience.

The WordPress team doesn’t collect data from self-hosted WordPress sites, so it’s hard for them to know what users really want. Millions of people use WordPress every day, but without input, developers are working in the dark. Most WordPress users spend the majority of their time with WordPress using the editor. That’s not the case for WordPress developers and professionals, so it’s difficult for them to assess the pain points and needs of professional writers and bloggers.

As WordPress developer Morten Rand-Hendriksen pointed out a couple of months ago, there’s a considerable gap in knowledge and expectations between the average WordPress user and WordPress developers. The developers want to make the WordPress editor a world-class writing and publishing interface — it’s one of Matt Mullenweg’s focus areas for 2017. We’ve already seen some indication of where the editor is heading, but any extra information can only improve the final experience.

The survey includes questions about how WordPress users interact with the editor and which features they find useful, including whether they use the markup editor, which formatting features are useful, and whether the no-distraction interface is regularly used.

Of particular importance are questions concerning the accessibility of the WordPress editor. If you find that the WordPress editor doesn’t provide a positive experience when used with a screen reader or other assistive devices such as braille embossers, voice recognition programs, or screen enlargers, the WordPress team would love to hear from you.

It’s worth noting that the survey itself isn’t particularly friendly to those with accessibility issues, so Amanda Rush from the WordPress Accessibility team has written a blog post with some guidance for people with accessibility issues who want to complete the survey.

The team also wants to know about any plugins you install to change the functionality of the WordPress editor. Discovering how users modify the editor could give developers information they need to decide which feature to add (or to remove).

If you’re a regular user of the WordPress editor, I’d encourage you to take the time to add your two cents. In the absence of telemetry data showing real-world use, surveys of this type are hugely helpful to developers and designers. The results of the survey are likely to shape the future editing experience, so it’s well worth making your thoughts known.

Posted in: Content, WordPress

When Is It Right To Keep WordPress Vulnerabilities Secret?

Bugs are an inevitable part of the software development process. As hard as developers try to avoid them — and they try very hard indeed — mistakes will be made and some of those mistakes will cause security vulnerabilities. What’s important is how developers handle vulnerabilities when they do occur, including how they communicate about them with users.

In the open source and security world, it’s generally agreed that when a vulnerability is discovered, as much information as possible should be provided to users. They need to know about the vulnerability so they can protect themselves. Information is power where security is concerned, and if only criminals and security researchers know about a vulnerability, users are at an unfair disadvantage. As Aaron D. Campbell, WordPress Core Security Team Lead, remarks in a recent blog post,

“Disclosing the vulnerability is best for your users. It builds trust. It’s also the best thing you can do for the future of security. Hopefully other people can learn from your issue and not have to face the same one themselves.”

But sometimes, developers and security researchers choose to keep vulnerability information to themselves, for a short time at least. Secrecy rubs some people up the wrong way, and for good reason. Professionals and other developers need all the information they can get to protect their sites, users, and clients. They don’t trust developers to make sensible decisions about what should be kept secret, an attitude informed by a long history of vulnerabilities that were hidden to benefit developers and their companies rather than users.

This January, WordPress 4.7.2 was released. It included a patch for a serious vulnerability, but there was no mention of the patch in the initial release notes. Details of the vulnerability were released several days later, much to the chagrin of those who demand complete and immediate transparency. In this case, WordPress developers were justified in keeping the vulnerability to themselves.

It’s important to distinguish between secrecy to protect users and secrecy for selfish reasons. There are many selfish reasons a developer might want to keep a vulnerability secret: because it makes them look bad, because it might discourage people from buying their product, and, in the worst cases, because keeping it a secret is less expensive than fixing it. None of those reasons apply to WordPress and most other open source projects.

When a WordPress update is released, it’s installed by millions of site owners in the following days. The release is also scrutinized by criminals who know that many WordPress sites won’t be updated immediately. They use information gleaned from the public disclosure of vulnerabilities to attack WordPress sites that have not been patched.

While there’s nothing to prevent criminals from analyzing the code of an update to discover what is being patched, declining to widely publicize vulnerabilities gives WordPress users a chance to update before criminals begin to exploit a vulnerability.

In good time, all vulnerabilities should be announced and publicized. No one wants to go back to the dark days of security by obscurity. Users and professionals who want to know about vulnerabilities as soon as possible have a good case, but a project’s developers have a difficult decision to make: publicize a vulnerability immediately and put users at risk, or hold off and give them time to update. Vulnerabilities should be kept secret for no more than a few days, but sometimes protecting users is more important than complete transparency.

Posted in: Security, WordPress

New OpenVPN Plans For Magento And WordPress Dedicated Servers

We’re happy to announce the introduction of secure OpenVPN accounts to our dedicated server and enterprise cluster hosting plans. OpenVPN allows site owners to use a secure encrypted login process to access services on dedicated servers that would otherwise be unencrypted, including HTTP and FTP services.

OpenVPN will be available on all 400- and 500-level dedicated server plans as well as all enterprise cluster levels. Dedicated servers in the 400 tier can choose OpenVPN protection for $24.99 per server per month, and dedicated servers in the 500 tier will receive OpenVPN protection as standard at no added cost.

All of our Magento dedicated server plans include SSL certificates that protect customer-facing services from man-in-the-middle attacks and scrutiny by malicious third parties. But web-based SSL protection doesn’t apply when connecting to services like FTP, which doesn’t automatically encrypt data connections.

Usually, those services are firewalled to prevent access, but in many cases off-site workers require access to services that are not secure by default. The introduction of OpenVPN to our dedicated server and enterprise cluster plans allows clients to provide off-site server administrators and developers with the access they need without compromising server security. All authorized OpenVPN connections are made over a securely encrypted virtual private network using state-of-the-art cryptographic technology.

OpenVPN is an open source service that uses TLS certificates to implement secure virtual private networks, and is capable of traversing NATs and firewalls. The OpenVPN service uses certificate-based authentication, so no passwords are required.
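As an added illustration of the certificate-based client setup described above (my own example, not Hostdedi’s tooling and not code from the OpenVPN project): a small audit that parses an OpenVPN client profile and reports where it falls short of that setup. The two profiles, the endpoint vpn.example.test and the inline key body are constructed, and the checklist of directives (cert/key or pkcs12, ca, remote-cert-tls server, tls-version-min 1.2, tls-crypt or tls-auth, and no auth-user-pass) is my own selection rather than anything the post prescribes.

```python
"""Audit an OpenVPN client profile for certificate-based authentication.

Added illustration: not Hostdedi's tooling or OpenVPN's own code. The
directive checklist is the author's own; both profiles are constructed."""
from collections import defaultdict

# Constructed profile in the shape the post describes: the client proves its
# identity with a certificate and key, and the peer is pinned as a server.
CERT_CLIENT_PROFILE = """\
client
dev tun
proto udp
# hypothetical endpoint (constructed)
remote vpn.example.test 1194
ca ca.crt
cert alice.crt
key alice.key
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00 (constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Constructed weak profile: password login, no server pinning, no extra key
# protecting the control channel.
PASSWORD_CLIENT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.test 1194
ca ca.crt
auth-user-pass
"""


def parse_profile(text):
    """Map directive name -> list of argument lists. Inline blocks such as
    <ca>...</ca> are recorded as the directive with the single argument
    '<inline>'; comment (# or ;) and blank lines are skipped."""
    directives = defaultdict(list)
    open_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if open_block is not None:
            if line == f"</{open_block}>":
                open_block = None
            continue                        # body of an inline block
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            open_block = line[1:-1]
            directives[open_block].append(["<inline>"])
            continue
        name, *args = line.split()
        directives[name].append(args)
    return dict(directives)


def audit_client_profile(text):
    """Return a list of findings; an empty list means the profile matches
    the certificate-based setup the post describes."""
    d = parse_profile(text)
    findings = []
    if not (("cert" in d and "key" in d) or "pkcs12" in d):
        findings.append("no client certificate (cert/key or pkcs12): identity is not certificate-based")
    if "auth-user-pass" in d:
        findings.append("auth-user-pass: password-based login is enabled")
    if "ca" not in d:
        findings.append("no ca: the server certificate cannot be validated")
    rct = d.get("remote-cert-tls")
    if not rct or rct[0][:1] != ["server"]:
        findings.append("remote-cert-tls server missing: another client certificate could pose as the server")
    tvm = d.get("tls-version-min")
    if not tvm or tuple(int(x) for x in tvm[0][0].split(".")) < (1, 2):
        findings.append("tls-version-min below 1.2 or unset")
    if "tls-crypt" not in d and "tls-auth" not in d:
        findings.append("no tls-crypt/tls-auth: control channel has no pre-shared key layer")
    return findings


if __name__ == "__main__":
    for label, profile in (("cert", CERT_CLIENT_PROFILE), ("password", PASSWORD_CLIENT_PROFILE)):
        print(label, audit_client_profile(profile) or "OK")
```

The parser only needs to know about inline blocks and comments, which is enough to read a typical .ovpn file; running it over a profile before handing it to an administrator shows at a glance whether the profile really relies on a certificate rather than a password.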

You can access OpenVPN services with any OpenVPN-compatible client, but we can only help with support issues and troubleshooting if you use an OpenVPN client we support on Windows, Mac, or Linux.

It should be noted that the new OpenVPN services don’t replace site-to-site IPsec VPN tunnels already in use. OpenVPN is intended to be used only when authorized personnel require secure access to servers, and we won’t create OpenVPN accounts for other purposes.

To access individual services on your dedicated servers, you will still need to use the standard accounts that we provide. OpenVPN authentication protects connections when you access services using your standard user accounts, but the credentials are distinct. You’ll need to let our support team know if you want to terminate your OpenVPN accounts.

Since shared hosting plans are multi-tenant environments, OpenVPN is only available with dedicated server and enterprise cluster plans.

Posted in: Magento, WordPress

Google Is Retiring Its WordPress AdSense Plugin

Google has announced the retirement of its popular WordPress AdSense plugin, which was embraced by bloggers and publishers as a simple way to monetize content on WordPress sites. Existing ads aren’t affected, but within a couple of months, users will no longer be able to change the layout of their ads or visit the front-end of the plugin.

Advertising is the most common monetization strategy for WordPress sites, and Google’s AdSense is the most popular advertising network. For non-technical site owners, the AdSense plugin offered a quick and easy way to include relevant advertising on their pages. It was designed to be usable without any coding expertise: ads were managed through a simple click-and-drag interface.

But the plugin hasn’t been updated for Google’s newest advertising products, and is being retired because it no longer offers the best experience to publishers or their visitors.

Google advises WordPress users to deactivate and uninstall the plugin, which will receive no further updates. At the time of writing, publishers have a couple of months to investigate alternatives — some of which we’ll discuss below. If you want to avoid disruption to your site’s revenue, make sure you have an alternative ready before removing the AdSense plugin.

According to the timetable published by Google, from the beginning of this month (March 2017), WordPress users will no longer be able to sign up for AdSense using the plugin. From the beginning of April, the management of ad units and ad settings will be disabled, and from May, the plugin will no longer be supported.

It’s likely thousands of WordPress users will be impacted by the retirement of the plugin. We suggest that publishers and bloggers who rely on this plugin seek an alternative advertising solution as soon as possible. Google no longer supports alternative third-party AdSense WordPress plugins either, so simply switching to another plugin that offers similar functionality is not a viable long-term solution.

WordPress AdSense Plugin Alternatives

Although Google is retiring the plugin, it isn’t turning its back on WordPress users. The search giant’s official recommendation is that WordPress users embed advertising in WordPress text widgets. While this isn’t as intuitive as the plugin, it’s a usable solution that is well-documented in Google’s help pages.

Google’s QuickStart advertising is the least complicated way to replace some of the WordPress plugin’s functionality. With Quickstart, publishers simply add a JavaScript snippet to their pages and AdSense takes care of the rest.

Google also suggests page-level ads as an alternative, a new advertising format designed to be particularly friendly for mobile users. Page-level ads include anchor ads, small pop-up banners at the bottom of the screen, and vignette ads, fullscreen advertising that appears between the pages of your site.

For WordPress users looking for a low-friction way to include advertising on their site, QuickStart and page-level ads are worth investigating.

Posted in: Content, WordPress

Google Docs Users Can Now Send Articles Straight To WordPress

WordPress’ editing interface is great for writing – and it’s only going to get better – but collaboration is a weak point. It is possible to collaborate on a WordPress article, but only if writers and editors take it in turns. Several contributors can’t work on the same document at the same time, which is one of the reasons so many WordPress publishers turn to third-party editors like Google Docs.

Google Docs offers excellent collaboration support. Any number of participants can edit a document and – most of the time – Docs will do the right thing with the changes. It’s easy to see who has made each edit, suggest edits without committing them to the active document, and add comments.

But for WordPress users there’s a major stumbling block: getting content out of Google Docs and into WordPress isn’t straightforward. The obvious solution is to copy-and-paste, but that plays havoc with formatting and links. When I’ve used this method for longer documents, it’s taken a lot of work to knock the article into shape for publishing.

In a move that recognizes the value of collaboration and that WordPress’ native collaboration features aren’t quite there yet, Matt Mullenweg has announced the release of a Google Docs add-on that can send documents to WordPress sites as a draft. The big win here is that all the formatting – images, text styles, links – are maintained.

As with many of the innovations coming out of Automattic, the Google Docs add-on only works if you have a Jetpack-enabled WordPress site.

The add-on isn’t perfect: image layout can go awry, and any edits that happen in the Google Doc after it’s been pushed to WordPress aren’t synchronized. As a consequence, it’s not possible to edit any existing WordPress drafts in Google Docs – it’s a one-way process. I expect some of these limitations will be overcome in the future, and the features that are available are welcome.

As someone who writes a lot of content that ends up in WordPress via Google Docs, this tool will save me a lot of time. Apart from single-writer blogs, almost every publishing workflow involves collaboration with other writers, editors, and clients. Google Docs is the perfect app for that sort of collaboration.

When I write an article, it starts life as a Markdown file which is converted to HTML and uploaded to Google Docs, where editors or clients can review it, add notes, and make edits. That process is smooth – but once the article is ready for publication, someone has to take the Google Doc, paste it into WordPress and then spend a lot of time redoing formatting, images, and links that were already part of the Google Doc. For a busy site owner, that’s a frustrating waste of time.

The new WordPress Google Docs add-on has the potential to improve that process, providing a friction-free workflow that can take documents from drafting to publication-ready without an onerous duplication of effort.

Posted in: Content, WordPress

Clef, The Popular Two-Factor Authentication Service, Is Shutting Down

Clef, a popular two-factor authentication service used by Magento eCommerce stores and WordPress sites, has announced that its service will cease operation on June 6th 2017. It’s not clear why Clef is shutting down, but the company’s announcement states its employees will be moving to another company. It seems Clef – in spite of its popularity – failed to find a business model that could support its continued existence.

eCommerce merchants and site owners who use Clef should prepare to move to a different TFA provider as soon as possible.

Although there is no shortage of TFA plugins and services, Clef put the user experience front and center, offering an intuitive solution to the perennial problem of poor password management. Clef’s WordPress plugin has been installed over a million times, and its Magento extension has five stars on Magento Connect. The WordPress plugin has already been removed from the WordPress Plugin repository, and other integrations and mobile apps will be withdrawn in the lead-up to the service’s shutdown in three months.

Two-factor authentication is a key security measure for sites and stores that need authentication more robust than a simple username and password combination can offer. Brute force attacks are a constant threat to any online business, and sites with many users struggle to ensure they choose passwords intelligently.

Two-factor authentication services – including Clef – add an extra factor of authentication, often a one-time code generated by a mobile application. Without access to the secrets used to generate these codes, brute-force attacks can’t succeed. Sites are also protected against other password-based vulnerabilities, including leaked password databases and careless users who don’t keep their passwords safe.
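The one-time codes described above are what RFC 4226 (HOTP) and RFC 6238 (TOTP) specify, and the following added example (mine, not Clef’s protocol and not code from any plugin named in this post) implements both with the standard library, plus the server-side checks that make the “brute force can’t succeed without the secret” claim hold in practice: a constant-time comparison, a small clock-skew window, and a replay guard so an intercepted code cannot be used twice. The 20-byte test secret is the one published in the RFCs; the Base32 string is a constructed sample of the kind an authenticator app scans from a QR code.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay guard, standard library only.

Added example: not Clef's protocol and not code from any plugin named in
the post. RFC_TEST_SECRET is the secret from the RFC test vectors."""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 one-time password for a 64-bit counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based code: the counter is the number of `step`-second periods
    since the Unix epoch (RFC 6238)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def secret_from_base32(encoded):
    """Decode the Base32 secret an authenticator app imports from a QR code
    (spaces and missing '=' padding are tolerated)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check: tolerates +/- `window` periods of clock skew,
    compares in constant time, and never accepts the same period twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1            # highest period already consumed

    def verify(self, code, now=None):
        t = int(time.time() if now is None else now)
        counter = t // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:        # replay of an accepted period
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET)
    print("current code:", code, "accepted:", verifier.verify(code),
          "replayed:", verifier.verify(code))
```

Note that the replay guard is per-secret state and has to live wherever sessions live (a database row or cache entry keyed by user), or a second application server would happily accept the replay the first one refused.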

It’s advisable for all sites and eCommerce stores to implement two-factor authentication. Those who used Clef have several options to choose from.

Users of Magento 1.X can move to Hostdedi’s Sentry extension, which, once installed, will require two-factor authentication for all administrative logins. Sentry integrates with many of the most popular two-factor authentication services, including Duo and Google Authenticator.

WordPress hosting clients who use the WordPress security plugin Wordfence might consider its built-in 2FA functionality or a dedicated plugin.

  • Two Factor Authentication is a comprehensive TFA solution for WordPress. It can be used with Google Authenticator, Authy, and a number of other TFA services. Two Factor Authentication is thoughtfully designed and includes several features to simplify logging in for WordPress users, including graphical QR codes that can be scanned by mobile devices.
  • The Duo Two-Factor Authentication plugin works with the popular Duo TFA service and offers one-tap authentication and one-time passwords delivered by SMS.

If you don’t use two-factor authentication, you’re missing out on a low-friction strategy that significantly reduces the chances that your site will be compromised.

Posted in: Security

Cloudbleed: What You Need To Know

Towards the end of last month, it was revealed that Cloudflare, a popular CDN provider, suffered a vulnerability that caused its edge servers to leak private data. The vulnerability – discovered by Google researcher Tavis Ormandy – was swiftly mitigated, but because the problem may have existed since September 2016, it’s worth taking some time to understand the potential implications for eCommerce merchants, site owners, and their users.

Cloudflare is a service that – among other things – helps websites achieve better performance. It takes the contents of a website and uploads it to edge servers around the world. When a user requests a page, the request is redirected to the nearest edge server, significantly reducing the latency introduced when server and client are far apart. Because the site’s HTML and other assets travel through Cloudflare, they can be processed in various ways before being passed on to the requester.

To process the HTML, Cloudflare runs pages through an HTML parser. A bug in that parser is what caused private information to be leaked. You can read the full technical details in Cloudflare’s post-mortem, but, in short, a buffer overrun error caused the parser to access parts of the server’s memory that should have been private. In a specific combination of circumstances, the parser would not stop with the HTML it was parsing, but would continue to read data from memory. That data sometimes included sensitive information like login details, keys, and private messages.

When someone requested the page, the private data was sent along with it. Even worse, the private data was also sent when web crawlers made page requests, including search engine crawlers, which resulted in some private data being made available in search engine results.
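To make the mechanism concrete, here is an added toy illustration (mine, deliberately simplified, and not Cloudflare’s parser or any code from its post-mortem). A bytearray stands in for server memory: the page being parsed sits directly in front of data belonging to another request, and the page ends in the middle of an attribute value. The buggy scanner checks the page boundary only for exact equality and can step over it, so it keeps reading the neighbouring bytes until it happens to find a closing quote; the fixed scanner bounds every step and reports the unterminated value instead.

```python
"""Why an unbounded scan in a page parser leaks neighbouring memory.

Added illustration with a simplified toy scanner; not Cloudflare's code.
MEMORY is a constructed bytearray standing in for server memory."""

# Constructed: the page under parse is followed by bytes of a different
# request. The page ends mid-attribute with a lone carriage return, so the
# attribute value is never closed inside the page.
PAGE = b'<p>Hi</p><img src="/a.png" alt="logo\r'
NEIGHBOUR = b'session=9f8e7d; api_key=SECRET-DO-NOT-LEAK" ...'
MEMORY = bytearray(PAGE + NEIGHBOUR)
PAGE_END = len(PAGE)

QUOTE, CR, LF = ord('"'), ord('\r'), ord('\n')


def scan_attr_buggy(mem, p, end):
    """Scan a quoted attribute value starting at mem[p] == '"'.
    Defect: the boundary is tested with == only, and the CRLF shortcut
    advances two bytes at once. A page ending in '\\r' steps over `end`
    and the loop keeps consuming whatever follows in memory."""
    p += 1
    start = p
    while p < len(mem):
        if p == end:                          # exact-equality check can be jumped
            break
        if mem[p] == QUOTE:
            return bytes(mem[start:p])
        p += 2 if mem[p] == CR else 1         # treat CRLF as one unit
    return bytes(mem[start:p])


def scan_attr_fixed(mem, p, end):
    """Same scan with the bound enforced on every step: the loop condition
    is p < end, the two-byte skip is taken only when both bytes lie inside
    the page, and an unterminated value is reported rather than guessed."""
    p += 1
    start = p
    while p < end:
        if mem[p] == QUOTE:
            return bytes(mem[start:p]), True
        if mem[p] == CR and p + 1 < end and mem[p + 1] == LF:
            p += 2
        else:
            p += 1
    return bytes(mem[start:end]), False       # never read past the page


def parse_alt(mem, end, scanner):
    """Locate alt=" inside the page and hand the value to `scanner`."""
    p = mem.index(b'alt="', 0, end) + len(b'alt=')
    return scanner(mem, p, end)


if __name__ == "__main__":
    print("buggy :", parse_alt(MEMORY, PAGE_END, scan_attr_buggy))
    print("fixed :", parse_alt(MEMORY, PAGE_END, scan_attr_fixed))
```

On a well-formed page both scanners return the same value, which is exactly why this class of bug survives testing: only the rare malformed input near a buffer boundary reaches the defect, and when it does the leaked bytes are served to whoever requested the page, crawlers included.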

That all sounds very bad indeed, but it should be understood that the buffer overrun could only happen in a very specific set of circumstances. It’s not the case that every request routed through Cloudflare leaked private data. According to the company:

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”

Cloudflare is huge, so even 0.00003% is a lot of requests, but there’s no evidence that any criminals were actively exploiting the vulnerability, and the problem was fixed less than 8 hours after it was discovered. For large sites using Cloudflare, it’s likely that some user data was leaked, but for each individual user the risk is minuscule. Google and other search engines have attempted to scrub their search indexes of any private data that may have been cached.

Should You Reset Passwords?

At this point, the risks are minimal. If you use Cloudflare with your site or eCommerce store, you may choose to advise users to reset their passwords out of an abundance of caution. Given the extensive publicity the leak received, it may well be wise to communicate with users about the nature of the vulnerability and the risk to their privacy. Some security experts advise that passwords should be reset, but because the risk to individual users is small, some prominent security writers advise against password resets, arguing it will do little to protect users and is likely to add to the security fatigue that causes users to ignore security best practices.

Posted in: Security

How Can Algorithms Help The eCommerce Bottom Line?

Online retailers have access to far more data than their brick-and-mortar peers. In fact, brick-and-mortar retailers go to great lengths to collect data that eCommerce merchants get for “free”. But just because we have the data, it doesn’t mean we’re using it well. Big data is all well and good, but it’s just a collection of ones and zeroes without the will and the algorithms to turn it into useful information.

Many leading merchants are investing significant amounts of money and time into cracking the problem of algorithmic eCommerce. The dream scenario is retail operations that are almost completely automated. The potential benefits are huge, not the least of which is cost streamlining. At the simplest level, if we can buy at the best price and sell at the best price, we stand to reap considerable bottom-line advantages.

Unfortunately, determining what’s best is a difficult challenge because there are so many constantly changing variables. Monitoring the totality of the eCommerce environment and making predictions that can be applied to eCommerce operations is a task perfectly suited to machine learning and big data algorithms.

Gartner recently released a paper that discusses how algorithms can be used, today and in the future, to optimize eCommerce operations. Using Algorithmic Retailing to Drive Competitive Advantage explores four main areas to which algorithmic analysis can be applied. The four areas cover almost every part of an eCommerce business, but let’s have a closer look at a couple of major areas.

First is “Cost of goods sold”. This is the area most of us think about when we consider applying algorithms to eCommerce decision-making. It includes intelligent pricing, an area in which several companies already offer products. For a store with a large catalogue and a substantial number of competitors, automated smart pricing can make a substantial difference to competitiveness. Manual pricing at this volume is expensive and too slow for fast-moving markets.

Under the “Cost of goods sold,” Gartner also includes product selection, promotions, and inventory decisions — all of which impact the total cost to the company of buying and selling goods.

However, it’s not only the obvious “pointy” end of the eCommerce process that will be impacted by algorithmic decision-making. Many back-end processes are also amenable to automation, including IT — a significant cost-center for eCommerce merchants. There’s been substantial progress in this area too, especially around warehousing and distribution. Intelligent algorithms are being used today to determine maximally efficient warehousing and delivery — enabling retailers to have fewer products taking up warehouse space and reducing fulfilment times.

Gartner is perhaps a little optimistic in its claim that by 2020, the leading eCommerce merchants will be largely algorithmic, but there’s no doubt that online retail has embraced machine learning and algorithmic decision-making in a big way. Merchants that don’t invest in algorithmic eCommerce are likely to find themselves at an increasing disadvantage.

Posted in: eCommerce

Lessons From The Recent S3 Outage for E-Commerce Store Owners

Last week, Amazon’s S3 storage service suffered stability and availability issues that had a wide-ranging impact on tens of thousands of companies, ranging from small eCommerce merchants and publishers to some of the largest sites on the web. S3 is used to store static assets like images and scripts. When S3 suffers availability issues, those assets may become unavailable.

A pointed example of what happens when a service relied on by so many suffers availability issues comes from Amazon itself — static assets for AWS’s status pages were stored in S3. The service designed to tell users about any problems didn’t function properly because it was hit by the problems it was supposed to be reporting.

Hours-long availability issues can have serious consequences for busy websites and eCommerce stores. For as long as a service isn’t available, its users lose money, customers, and reputation. This isn’t an S3 problem, an AWS problem, or even a cloud problem. Complex systems experience failures from time to time — that’s a universal truth and it’s something everyone doing business on the web should understand and account for.

The best way to avoid being bitten by a failure in a platform is to plan ahead. Proactively consider how to deal with failures, rather than reacting when they happen. Does your business’s disaster recovery and business continuity plan include contingencies to handle failures in the services it relies on? If not, here are a few things you should be thinking about.

  • Design for redundancy; in other words, don’t put all your eggs in one basket. The availability of your business’s online presence should not be entirely dependent on one service. Ensure that your data exists in more than one place. Design server clusters such that a failure in any one server doesn’t bring down your site. Avoid single points of failure.
  • Use managed services with responsive support. For CEOs and CIOs, one of the most frustrating aspects of downtime on services like S3 is that they have no insight into the problem and there’s nothing they can do except wait for it to be fixed. With a managed hosting solution that includes great support, there will be a trusted advisor you can call when something goes wrong. A managed hosting provider will build redundancy into their systems and help you to create a resilient platform that can better weather failures.
  • Cloud isn’t the only option. Cloud storage solutions offer many benefits, but cloud isn’t the only way to go. Consider resilient high-performance alternatives like redundant dedicated servers.

The key lesson to be learned from this most recent outage shouldn’t focus on the reliability of any particular platform or hosting modality.

Instead, eCommerce merchants, publishers, and business site owners should consider the negative consequences of relying too much on the resilience of any one platform. An infrastructure monoculture isn’t good for the web. Infrastructure and vendor diversity are essential to building available, reliable, and stable online services.

Posted in: eCommerce

A WordPress Security Plugin Won’t Solve All Your Security Problems

WordPress security plugins help improve the security of WordPress sites, but they’re no substitute for an understanding of basic security precautions. Any web application is vulnerable if its developers and users don’t follow security best practices. WordPress is no different, and because WordPress is used by millions of non-technical users, it’s reasonable to assume that many of them won’t understand the complexities of web application security.

WordPress security plugins exist — in part — to help non-technical users limit the risk, without asking them to become security experts. But no WordPress plugin can make a site invulnerable to hackers, and it’s important that WordPress site owners understand at least the basics of web application security to keep themselves safe. It’s perfectly possible for WordPress to be secure. In fact, it’s relatively easy to create a secure WordPress site, but you need to know a few commonsense rules.

Bringing easy web publishing to everyone is a core goal of the WordPress project, and it’s been remarkably successful. Anyone with an idea can publish content on a site over which they have complete control. But, however easy it is to create a WordPress site — and modern WordPress hosting companies make it very easy indeed — the user still has some responsibility to educate themselves about security. The vast majority of hacked WordPress sites are the result of user error: the user chooses a bad password for their admin account or they fail to update a plugin with a known vulnerability.

However well-designed and feature-rich a security plugin is, it won’t protect users against many of the mistakes that hackers exploit. WordPress security plugins like Wordfence and iThemes Security make it much easier to secure a WordPress site, and I’d strongly advise any non-technical WordPress user to install a security plugin, but WordPress users should understand that installing a security plugin isn’t the end of their security responsibility.

This isn’t a WordPress problem: it’s a web application problem. Web applications like WordPress, Joomla!, Drupal, and Magento are immensely complex pieces of software. No one has figured out how to make software that’s both feature-rich and completely without bugs. Software bugs, and hence software vulnerabilities, come with the territory — and, unfortunately, so do hackers and criminals.

Installing a security plugin won’t protect you against these vulnerabilities. WordPress and WordPress plugin developers try hard not to introduce bugs, and when bugs are found, they’re squashed very quickly. To be protected, you have to update and understand why you have to update.

Many classes of vulnerability aren’t caused by software bugs, but by simple user errors. Nothing the developers can do will stop you using “miaow” as your admin password, although the WordPress interface will tell you it’s a bad idea. Security plugins won’t help you out there either, although they can limit your exposure to brute force attacks that take advantage of bad passwords. You need to know that using a simple password isn’t a good idea.
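The “limit your exposure to brute force attacks” part is worth seeing in code, because it shows both what a security plugin can do about a password like “miaow” and what it cannot. The following is an added example of my own, not code from Wordfence, iThemes Security or WordPress itself: a sliding-window throttle keyed by account and source address that locks the account after a run of failures, refuses even the correct password while the lockout lasts, and forgets failures that fall outside the window. The thresholds, the account name and the address 203.0.113.5 are constructed.

```python
"""Sliding-window failed-login throttle of the kind a WordPress security
plugin applies to the login form.

Added example: not code from Wordfence, iThemes Security or WordPress
itself; thresholds, account and IP address below are constructed."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures      # failures inside `window` before locking
        self.window = window                  # seconds a failure stays counted
        self.lockout = lockout                # seconds a locked key stays blocked
        self.clock = clock                    # injectable so the demo is deterministic
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    @staticmethod
    def _key(username, ip):
        return (username.strip().lower(), ip)

    def locked_for(self, username, ip):
        """Seconds left on an active lockout, 0.0 if none."""
        until = self._locked_until.get(self._key(username, ip), 0.0)
        return max(0.0, until - self.clock())

    def attempt(self, username, ip, password_ok):
        """Record one login attempt: returns 'ok', 'bad_password' or 'locked'.
        A correct password is refused while the key is locked, which caps
        guessing at max_failures per window instead of leaving it unbounded."""
        now = self.clock()
        key = self._key(username, ip)
        if self.locked_for(username, ip) > 0:
            return "locked"
        if password_ok:
            self._failures.pop(key, None)
            self._locked_until.pop(key, None)
            return "ok"
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "bad_password"


class ManualClock:
    """Constructed clock so the sequence in demo() is reproducible."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Three wrong passwords lock 'admin' from 203.0.113.5; the right
    password is refused until the lockout lapses; later failures spaced
    wider than the window never accumulate into a lockout."""
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120, clock=clock)
    results = []
    for _ in range(3):                            # t=0: three guesses such as 'miaow'
        results.append(throttle.attempt("admin", "203.0.113.5", password_ok=False))
    clock.t = 1
    results.append(throttle.attempt("admin", "203.0.113.5", password_ok=True))   # still locked
    clock.t = 121
    results.append(throttle.attempt("admin", "203.0.113.5", password_ok=True))   # lockout over
    for t in (200, 300, 400):                     # failures 100 s apart, window is 60 s
        clock.t = t
        results.append(throttle.attempt("Admin", "203.0.113.5", password_ok=False))
    return results


if __name__ == "__main__":
    print(demo())
```

What the throttle buys is a ceiling on online guessing per account and address; it does nothing about a password that appears in a leaked list the attacker already holds, or about reuse across sites, which is why the advice in the post to pick a decent password stands regardless of which plugin is installed.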

Web application security is a partnership between developers, hosting providers, and users. Users have to do their part, and installing a security plugin is a great first step, but it won’t get you all the way to a secure site on its own.

Posted in: Content, WordPress