
Keyy Is A Clef Replacement For Intuitive WordPress Two-Factor Authentication

Many WordPress users were disappointed to hear that two-factor authentication provider Clef is shutting down. Clef was popular with WordPress site owners because it let them add an extra layer of security to their site without the complexity associated with other two-factor authentication systems. With over a million installations, the loss of Clef was a serious blow to WordPress site owners.

In March, the team behind the UpdraftPlus backup service announced that they planned to step into the space vacated by Clef. Their brand new two-factor authentication service, Keyy, is now live, and it has many of the same features as Clef.

For those who are unfamiliar with two-factor authentication, it allows site owners to demand an identifying credential in addition to the usual username / password combination. Username and password combinations can be very secure, but in the real world they tend to be a liability. Users often fail to choose a secure password, they may use the same password on more than one site, or otherwise make the life of criminals easier than it should be.

To take a common example, simple passwords can often be quickly cracked by brute-force bots. Many WordPress sites are compromised because an admin user picked “pa55word” as their password, or an equally guessable combination.

The second factor of authentication is typically tied to an item in the user’s possession: a smartphone or dedicated device that displays a one-time code. In addition to their username and password, the user has to enter the code displayed by the device in their possession.

It’s much harder for attackers to compromise a site using two-factor authentication, but many users find the process of logging in with two-factor authentication overly burdensome. Clef, on the other hand, was supremely easy to use, as is Keyy.

With Keyy, users don’t have to enter usernames, passwords, or one-time codes. Instead, when they are ready to log in, users are shown a graphic which they scan with the Keyy app on their phone. Keyy works in essentially the same way Clef did. The app on the user’s smartphone creates a key pair, the private part of which remains on the device, while the public key is shared with Keyy’s server. When the user wants to log in, the Keyy service generates an image tied to the session. The app scans that image and signs it with the private key before sending it to the Keyy servers, which verify that the user has possession of the private key and log them in using OAuth.
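The challenge-response flow just described, as an added example written for this page rather than code from Keyy or UpdraftPlus: the phone keeps the private key, the server keeps only the public key and issues a single-use challenge bound to one browser session, and a login is a signature over that challenge. Ed25519, the challenge format and every name here are assumptions; the article does not say which scheme Keyy uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// Constructed model of a Clef/Keyy-style login: the private key lives only
// on the phone, the server holds the public key, and a login is a signature
// over a single-use challenge bound to one browser session. Ed25519 is an
// assumption made here; the article does not say which scheme Keyy uses.

// Phone stands in for the app on the user's smartphone.
type Phone struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPhone() (*Phone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Phone{pub: pub, priv: priv}, nil
}

func (p *Phone) PublicKey() ed25519.PublicKey { return p.pub }

// Sign is what scanning the on-screen graphic amounts to: signing the
// challenge it encodes with the key that never leaves the device.
func (p *Phone) Sign(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

type challengeRecord struct {
	user      string
	challenge []byte
	expires   time.Time
}

// Server stands in for the Keyy service.
type Server struct {
	TTL     time.Duration                // how long a displayed challenge stays valid
	mu      sync.Mutex
	keys    map[string]ed25519.PublicKey // user -> registered public key
	pending map[string]challengeRecord   // session id -> outstanding challenge
}

func NewServer() *Server {
	return &Server{TTL: 60 * time.Second, keys: map[string]ed25519.PublicKey{}, pending: map[string]challengeRecord{}}
}

// Register stores the public half of the phone's key pair for a user.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[user] = pub
}

// Challenge produces the data behind the graphic: a random nonce with the
// session id mixed in, so a signature is only good for this one session.
func (s *Server) Challenge(user string) (sessionID string, challenge []byte, err error) {
	buf := make([]byte, 48)
	if _, err = rand.Read(buf); err != nil {
		return "", nil, err
	}
	sessionID = hex.EncodeToString(buf[:16])
	challenge = append([]byte("keyy-login:"+sessionID+":"), buf[16:]...)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[sessionID] = challengeRecord{user: user, challenge: challenge, expires: time.Now().Add(s.TTL)}
	return sessionID, challenge, nil
}

// Login checks the signature against the registered key and consumes the
// challenge, so a captured signature cannot be replayed later.
func (s *Server) Login(sessionID string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.pending[sessionID]
	if !ok {
		return errors.New("unknown or already used session")
	}
	delete(s.pending, sessionID) // single use, whether or not it verifies
	if !time.Now().Before(rec.expires) {
		return errors.New("challenge expired")
	}
	if pub, ok := s.keys[rec.user]; !ok || !ed25519.Verify(pub, rec.challenge, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}
```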

Clef provided other services like single-sign on, which aren’t available yet with Keyy, but the company plans to launch an SSO service in the coming months.

It’s worth mentioning that Keyy is a very new service, and it may be subject to the occasional glitch as the team works out the kinks. But it’s great to see an established and sustainable WordPress company with a track record of successful WordPress services step up to provide such an important security service.

Posted in:
Security, WordPress

Does Your eCommerce Store Support Apple Pay?

The faster eCommerce merchants can get customers through the checkout process, the more likely they are to complete that process. Much digital ink has been spilled on the value of a fast checkout, and there’s little faster than a quick tap of the finger, which is exactly what Apple Pay offers.

Apple is generally in favor of the native-app approach for obvious reasons. When it first launched, the easiest way to give eCommerce customers the option to use Apple Pay at checkout was via a native app, and for many smaller online retailers, that’s not an option.

Apple Pay has been available on the web for a while now, but there are some requirements customers must meet to use it. The most intuitive way to use Apple Pay on a non-mobile device is with the new MacBook Pro with Touch Bar. The Touch Bar includes a Touch ID fingerprint scanner, and the MacBook has the requisite Secure Enclave.

Of course, almost no one has the new MacBooks, but that doesn’t mean they can’t use Apple Pay.

Anyone with a Touch ID-equipped phone and the most recent version of MacOS and iOS can use Apple Pay on the web via the Safari browser. Apple’s Continuity technology, which powers several integrations between devices running iOS and MacOS, has been adapted to enable desktop Safari users to make purchases with Apple Pay and verify their identity using either an iPhone or an Apple Watch.

From the customer’s perspective, it works like this: the customer chooses the product they want to buy and clicks the Apple Pay payment option when they check out. Their connected iPhone or Apple Watch will ask them to confirm and authenticate, and that’s it. Checkout doesn’t get much easier.

Whether it’s worthwhile implementing Apple Pay on your eCommerce store depends largely on who your customers are. If 99% of your customers are Windows and Android users, there’s not likely to be much upside. But if even a small proportion are iPhone or Mac users, it’s more than likely worth the minimal effort to deploy Apple Pay.

Apple Pay is relatively easy to add to a Magento eCommerce store. If a store uses the Stripe payment processor, integrating Apple Pay is straightforward.

Apple Pay isn’t the only game in town for fast payments, but Apple’s mobile devices are extremely common and it’s only a matter of time before more of Apple’s laptop and desktop machines are equipped with the necessary technology. Apple users tend to occupy demographic groups with disposable income, the same groups that include the biggest eCommerce spenders, so implementing Apple Pay is likely to prove attractive to the most valuable online shoppers.

As a side note, non-profit organizations can now accept donations via Apple Pay from supported devices, so it’s worth considering adding Apple Pay for the web support to non-profit WordPress and Craft CMS sites.

Posted in:
eCommerce

XSS Vulnerabilities Have Been Found In The Avada WordPress Theme

It has recently come to light that several critical vulnerabilities were fixed in the Avada theme in April, although ThemeFusion, the developers of the theme, didn’t widely announce the patched release until several weeks later. If you use the Avada WordPress theme on your site, you should upgrade to Avada 5.1.5 as soon as possible.

The Avada theme is among the most popular themes on ThemeForest, and its developers boast that it’s been the single most popular paid WordPress theme for four years in a row. That means tens of thousands of sites could be vulnerable until they update to the most recent version.

It’s unusual for a developer to release a fix for a known vulnerability and then to decline to publicize it. Although information about the patch was available in the release’s changelog, it’s unlikely that many of the theme’s users avidly read changelogs.

Typically, a developer wants as many people as possible to update as soon as possible when a security vulnerability is discovered, although they may choose not to disclose the exact details of the vulnerability. The average user may not scrutinize changelogs, but it’s a fair bet that hackers and criminals do, which means there’s little benefit to keeping quiet about the existence of a security problem.

But regardless of the wisdom of waiting, a full explanation of the vulnerabilities along with code examples is widely available now. The smart choice is to update all sites using the Avada theme before they’re targeted.

The details of the vulnerability can be read on WordPress Hütte, but the nutshell version is that several cross-site scripting and cross-site request forgery vulnerabilities were discovered by a security researcher. Both are common critical vulnerabilities in web applications that can potentially be used by an attacker to take over a WordPress site or exfiltrate private data.

We’ve discussed cross-site scripting vulnerabilities on this blog before because they’re the number one security problem on the web. Cross-site scripting is caused by a failure to properly sanitize user input. The prototypical cross-site scripting attack occurs when an attacker submits code to a web form and that code is displayed somewhere on a web page without being rendered inert. When a browser loads the page, it executes the code, which is very bad news if the browser belongs to a user with admin privileges.

Cross-site request forgeries are a little more involved, but — as with XSS attacks — they can be used by an attacker to execute arbitrary code in the trusted context of a browser. Attackers often use CSRF vulnerabilities in conjunction with social engineering attacks or phishing attacks against existing trusted users to make sites perform an action, like create an admin user with a password the attacker knows.
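The two failures described above, each beside its fix, as an added example that is not from the Avada theme or the WordPress Hütte write-up: a submitted comment rendered into the page verbatim versus escaped on output, and a per-session token check of the kind that stops a forged cross-site request from creating an admin user. The sample comment and all names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"html"
	"strings"
)

// Constructed comment submission: the text a visitor typed into a form.
// The script tag is the stock payload used in XSS write-ups.
const submittedComment = `Great theme! <script>alert("xss")</script>`

// renderVulnerable reproduces the prototypical bug described above: the
// submitted text is pasted into the page markup verbatim, so every browser
// that loads the comment list executes the script.
func renderVulnerable(comment string) string {
	return `<li class="comment">` + comment + `</li>`
}

// renderSafe makes the input inert on output by escaping <, >, &, " and ',
// so the browser shows the script tag as text instead of running it.
func renderSafe(comment string) string {
	return `<li class="comment">` + html.EscapeString(comment) + `</li>`
}

// containsScriptTag is a deliberately crude check, used only to show the
// difference between the two renderers.
func containsScriptTag(markup string) bool {
	return strings.Contains(strings.ToLower(markup), "<script")
}

// NewCSRFToken issues a random secret per session. A page on another origin
// can make the browser send a request to the site, but it cannot read this
// value, so a forged request arrives without it.
func NewCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CheckCSRF guards a state-changing action (creating an admin user, in the
// article's example): the token echoed back by the form must equal the one
// stored in the session, compared in constant time.
func CheckCSRF(sessionToken, submittedToken string) bool {
	if sessionToken == "" || submittedToken == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(sessionToken), []byte(submittedToken)) == 1
}
```

In a WordPress theme the same two jobs are done by esc_html() on output and by wp_nonce_field() paired with check_admin_referer() in the form handler.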

In conclusion, upgrade Avada now, because it won’t be long before hackers start looking for sites they can exploit with these vulnerabilities.

Posted in:
Security, WordPress

Custom Landing Pages Are A Vital Feature Of Any Lead Generation Page

Let me ask you a question. Have you ever clicked on a link in an advert, on social media, or in a blog post, and been taken to the home page of a website with no clue how to find what interested you in the first place? You saw a link embedded in content that made you take an action, but that initial surge of interest was wasted.

That’s why custom landing pages are so important. Without a custom page tailored to the specific needs of a campaign, opportunities to convert are wasted. The ideal journey should be from interest, to engagement, to conversion. At no point on that journey should leads be made to work so they can move to the next stage. If they are, the conversion funnel will leak at every stage.

Custom landing pages give site owners the opportunity to display the right content at the right time.

What does a great custom landing page look like?

[Image: Basecamp landing page]

There’s no one-size-fits-all template for creating effective landing pages, but there are components that all good landing pages share.

Prominent calls-to-action. A call to action is a short piece of copy that encourages a lead to take an action. Usually a CTA pithily expresses a value proposition and suggests an action that can be taken to realise that value: “Sign up here for a 10% discount”.

Short, relevant copy. Writing effective landing page copy is an art, but the basic idea is to describe a product and its benefits to the lead. It’s the copy that sells the product. Although most landing pages use short-form copy, there are many examples of landing sites that take the opposite route, including the one in the above images. When in doubt, keep it short, but don’t be afraid to go long-form if it fits the product and the campaign.

Lead-generation forms. The primary purpose of landing pages is to collect leads, and embedding a lead generation form into the landing page allows leads to express an interest immediately.

Visual impact. Effective landing pages take advantage of video, product images, and design to deliver information and display the product in a positive light.

Custom Landing Pages In WordPress

WordPress users can easily deploy custom landing pages and use links to those pages in marketing campaigns. You don’t need anything in addition to WordPress’ default capabilities to create custom landing pages, but there is some benefit to using a plugin that offers functionality to help you build the most effective pages.

One of the best free landing page plugins is WordPress Landing Pages, which lacks some of the features of its premium peers, but has everything you need to build effective landing pages, including a visual editor, custom landing page themes, conversion rate tracking, and simple A/B testing.

Among the premium cohort, Optimizely offers a comprehensive array of inbound marketing features, including themes and custom elements from which you can build landing pages. Optimizely is a feature-rich inbound marketing platform with a focus on split testing and experimentation, something that’s key to building landing pages that actually work.

Whether you choose to use a premium plugin or go it alone with WordPress’ basic page-making features, creating custom landing pages is an essential step towards increased conversions.

Posted in:
Webmaster

What Is SEO Spam Malware And How Can It Hurt Your WordPress Site?

Black Hat SEOs and hackers are keen to find resources to exploit. A badly secured WordPress site makes a juicy target, and criminals use such sites for nefarious activities ranging from botnets to ransomware distribution. Of late, there has been a rise in a different sort of attack: SEO Spam Malware.

What Is SEO Spam?

SEO spam, also known as spamdexing, is the attempt to manipulate search indexes so that they include content they otherwise wouldn’t. Black Hat SEOs want to spam search engine results with content that doesn’t deserve either to be included at all or included in a prominent position.

The familiar and old-fashioned technique of keyword stuffing is a form of SEO spam, as are link spamming comment threads and forums, doorway pages, and every other technique for giving web pages an undue prominence in search results.

The motivations are clear: search is responsible for a substantial proportion of valuable referrals. SEO spammers and their clients want a piece of the pie, but they don’t want to do the work it takes to legitimately secure a place in the SERPs.

SEO Spam And Malware

SEO malware is malicious software that, once in place on a server, modifies or creates web pages that serve the interest of a spammer. An unsophisticated example would be a simple script that adds hidden links to an eCommerce store to the footers of infected sites. More sophisticated examples might add thousands of new pages to a site.

In a recently prominent example, attackers took over WordPress sites and used malware to create brand-new sites in the root directory of the server. Those sites were made available at subdomains of the legitimate site.

You might think SEO spam would be easy to spot, but that isn’t always the case. Spammers go to great lengths to hide their work, and often the malware is coded so that the spam is only shown to search engine crawlers. Ordinary visitors — including the site’s owners — only see the legitimate content.

Is Your Site Infected With SEO Malware?

There are some obvious clues that a site has been infected with SEO malware. If you check incoming search referrals in Google Analytics and see clearly unrelated search terms, it’s a strong indicator. So, if your site is a blog about woodworking and you suddenly see an influx of traffic with search terms like “cheap gucci shoes”, you’ve got a problem.

It’s entirely possible Google will become aware a site has been compromised before its owners, so you may well find out about it when Google emails you or your users let you know that web browsers are throwing up a security warning.

Of course, if your site has been compromised with SEO spam, you want to know about it as soon as possible. A WordPress security plugin with malware scanning can help. Sucuri and WordFence are prominent examples.

Keep Malware Out

The best way to fight malware is to make sure your site can’t be compromised in the first place. There’s no such thing as a completely secure site, but if a site is kept up-to-date, uses long and random passwords, or, even better, 2-Factor Authentication, the chances of being compromised are substantially reduced.

Posted in:
Security

Upvato Débâcle Shows Why One Backup Is Never Enough

What’s the one thing you expect a backup-as-a-service provider to do? I imagine most of you answered: keep the data entrusted to them safe. In what must be quite embarrassing for the service’s founder, backup provider Upvato did exactly the opposite. They lost all the data, and they lost it because they didn’t pay their hosting bill.

Upvato is (or was) a free service for backing up files purchased from Envato sites, which include sites like ThemeForest that are used by many WordPress professionals and site owners.

When Envato users purchase a product like a theme, the files are only available for as long as the creator and the platform keep them available. Often, a theme developer will withdraw a theme, which means it will no longer be available to the buyers.

Upvato was created to solve this problem, backing up the files so that they remain available even if they are removed by Envato’s sites.

All well and good, but when the creator of Upvato neglected to make an overdue payment to the storage provider on whose platform the files were actually stored, the service terminated his account and deleted the data.

This nicely illustrates the point that one backup is no backup. If valuable data exists in only one place, or even two, it’s always at risk of loss. It’s unlikely anyone considered “forgetting to pay the hosting bill” a possible cause of data loss, but that needn’t have been the cause. There’s no such thing as perfect data storage — bad things happen and when they do, data goes away.

That’s not much of a problem if the data is replicated elsewhere — if Upvato’s users had their data stored locally, they’re probably fine. If they had a copy with another backup provider, they’re fine. If their data only existed on Upvato and is no longer available from Envato sites, there’s really nothing they can do — the data is gone.

Keeping Your Data Safe

Any data you consider valuable should exist in at least three places. Consider your website: the files and databases associated with your site may well be crucial to the health of your business. If they only exist in one place, they’re at risk.

Smart site owners keep local backups of their site’s data and additional remote backups, perhaps using a service like VaultPress. All backups should be:

  • Updated regularly. An out-of-date backup won’t do you much good.
  • Tested regularly. I’ve frequently spoken to site owners who think they have backed up their site, only to find their backup scripts haven’t been running, that only half of the necessary data has been backed up, or that the data has become corrupted.
  • Archived. If you only keep the most recent backup, what happens if your site is hacked or infected with malware? A site with multiple backups going back several days or weeks can restore from a version before the attack.

If your data is important to you or your business, make sure it exists in more than one place.

All Hostdedi managed hosting plans include daily backups that are kept for 30 days. With our extended backup service, daily backups are kept for the last 90 days. Longer backup periods are also available.

Posted in:
Webmaster

WordPress 4.8 Will Arrive On June 8th

The WordPress development team has announced that WordPress 4.8 will be released on June 8th.

WordPress 4.8 will include editing enhancements with a focus on laying the groundwork for an improved text editing experience, but it won’t include the full version of Gutenberg, WordPress’s experimental editor, which is still being developed.

The release is on a much tighter schedule than previous releases, which typically have more than a month of lead-time. In fact, it’s somewhat surprising that there is a release at all, given the new project-based focus of WordPress development. It appears that some features are ready to go, and Matt Mullenweg – the release leader – wants to push out improvements that are already available without waiting for the larger project-based updates to be complete. Development on the larger block-based editor enhancements is likely to become the major focus after the release of WordPress 4.8.

Enhancements coming in WordPress 4.8 include better link handling, WYSIWYG features in text widgets, and new media widgets. The new media widgets were mooted for release some time ago. They’re intended to simplify the current multi-step process for adding media to pages and posts. The widgets are integrated with the Media Library, making it easier to drop images onto pages without having to go through the main Media Library interface.

The new image widgets are the first of a series of JavaScript-based widgets that are planned for release, including widgets for video, audio, slideshows, and galleries. All of these are part of the drive to improve the WordPress editing interface and bring it in line with modern user experience and interface design practices.

The Core Media Widgets are being developed as a plugin, so WordPress users can get a sneak peek of what’s in store.

All of the improvements are described as “low-hanging fruit” – features that are relatively easy to develop but will have a significant impact on the experience of WordPress users.

As I mentioned, the release schedule for WordPress 4.8 is substantially shorter than for typical releases. The first Beta will be available on May 12, followed by a second Beta on May 19, a release candidate on June 1, and the final release on June 8.

That gives WordPress site owners and plugin and theme developers about a month to test for compatibility issues. When Betas are released, the easiest way to test the new features is to use the WordPress Beta Tester plugin, which allows WordPress site owners to update to pre-release versions of WordPress. As always, it should be kept in mind that beta releases and release candidates are under active development and may contain bugs. It would be very unwise to upgrade your production site before the final release.

Posted in:
Content, WordPress

How Does Varnish Make Websites And eCommerce Stores Faster?

Most modern content management systems and eCommerce applications – including Magento, WordPress, ExpressionEngine, and Craft CMS – generate pages when they are requested by a user. On-the-fly server-side page generation is one of the two main strategies for creating an interactive web page. Without that capability, web pages would be static documents. The other major strategy is client-side with JavaScript, but we aren’t going to talk about that today. Server-side page generation typically involves executing code that interacts with a database, building pages by combining templates and data. That page is then passed to the web server, which sends it to the user’s browser.

Although this process is essential, it’s also intrinsically slower than sending static assets and it uses more server resources. If every part of every page had to be unique, we’d have to live with those downsides, but, in reality, many requests are for pages that are essentially identical. It would be wasteful to generate an identical page every time it was requested by a browser, so we use caching. There are many different types of caching, but let’s focus on Varnish.

Varnish is a caching HTTP reverse proxy, which sounds more complex than it really is. Consider a typical web request to a newly published blog article. A browser sends a request to the web server, which initiates the process we mentioned above. The contents of the article are extracted from a database, combined with a template, processed in various ways, and returned to the web server, which sends the end result back to the browser.

The next time a user requests the same article, exactly the same process occurs. But, if we add the Varnish HTTP Cache in front of the web server, something different happens. This time, the initial request goes to Varnish. If it’s the first time Varnish has seen a request for this article, it just passes it on to the web server as before. But when the web server sends the response back, Varnish will remember it. It stores the page in the server’s memory. Next time a request for that article arrives, Varnish simply sends the copy it already has in memory. The web server, the database, and the code interpreter aren’t involved at all.

Varnish works on a simple principle: it’s a key-value store. It associates a chunk of data with a key, which is used to find that data. In many programming languages this type of key-value data structure is called a dictionary, because just like the familiar word dictionary, a key (the word) is used to look up some data (the definition). In the case of Varnish, the key is a URL, and the data is the web page. If Varnish is given a key that it doesn’t have data for, it just passes the key through to the web server, which generates the page.

Sending a page from the cache is much faster than generating the page anew: how fast depends on various factors, but it’s not unusual for it to be 1,000 times faster. And because the server has less work to do, its resources can be used more efficiently.

As you might imagine, I’ve simplified the explanation a bit here – caching, and cache invalidation in particular, is considered one of the hardest problems in computer science – but the basic principles we’ve talked about should help you understand why putting Varnish in front of your Magento store is a great performance optimization and why we developed the Turpentine Magento extension to improve the integration of Varnish with Magento.
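The hit, miss, pass and invalidation behaviour described above as an added, runnable model (not Varnish's own code or VCL, and not Turpentine). It assumes the rules of Varnish's built-in default VCL, which is also the security caveat the article's simplification leaves out: a request carrying a cookie or a response that sets one is never served from the shared cache, so one logged-in user's page is never handed to the next visitor. The two backend pages and hostnames are constructed.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Constructed model of Varnish in front of a CMS, using its built-in default
// VCL rules: only GET requests without Cookie/Authorization are looked up,
// Set-Cookie or private/no-cache/no-store responses are never stored, and
// max-age (with default_ttl of 120s as the fallback) sets the lifetime.

type Response struct{ Body string; Headers http.Header }

// Backend stands in for the database-and-template step; Calls counts page generations.
type Backend struct {
	Calls int
	Pages map[string]Response
}

func (b *Backend) Generate(r *http.Request) Response {
	b.Calls++
	return b.Pages[r.URL.Path]
}

// NewDemoBackend holds constructed pages: a public article and a cart page that sets a cookie.
func NewDemoBackend() *Backend {
	return &Backend{Pages: map[string]Response{
		"/blog/new-article": {Body: "<html>article</html>", Headers: http.Header{"Cache-Control": {"max-age=60"}}},
		"/cart":             {Body: "<html>cart</html>", Headers: http.Header{"Set-Cookie": {"session=abc"}}},
	}}
}

// NewGet builds a GET request for the model; cookie may be empty.
func NewGet(rawURL, cookie string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, rawURL, nil)
	if cookie != "" {
		r.Header.Set("Cookie", cookie)
	}
	return r
}

type entry struct{ resp Response; expires time.Time }

// Varnish is the key-value store: cache key -> stored response plus backend.
type Varnish struct{ store map[string]entry; backend *Backend }

func NewVarnish(b *Backend) *Varnish { return &Varnish{store: map[string]entry{}, backend: b} }

// cacheKey is the dictionary "word": host plus path and query string.
func cacheKey(r *http.Request) string { return r.Host + r.URL.RequestURI() }

// passRequest mirrors builtin vcl_recv: personalised requests bypass the
// cache, so one user's logged-in page is never handed to another.
func passRequest(r *http.Request) bool {
	return r.Method != http.MethodGet || r.Header.Get("Cookie") != "" || r.Header.Get("Authorization") != ""
}

// ttlFor mirrors builtin vcl_backend_response and Varnish's TTL parsing.
func ttlFor(resp Response) (time.Duration, bool) {
	cc := strings.ToLower(resp.Headers.Get("Cache-Control"))
	if resp.Headers.Get("Set-Cookie") != "" || strings.Contains(cc, "private") || strings.Contains(cc, "no-cache") || strings.Contains(cc, "no-store") {
		return 0, false
	}
	for _, d := range strings.Split(cc, ",") {
		if d = strings.TrimSpace(d); strings.HasPrefix(d, "max-age=") {
			secs, err := strconv.Atoi(strings.TrimPrefix(d, "max-age="))
			return time.Duration(secs) * time.Second, err == nil && secs > 0
		}
	}
	return 120 * time.Second, true
}

// Serve answers from memory on a hit (second value true); otherwise it asks
// the backend and stores the page if it is cacheable.
func (v *Varnish) Serve(r *http.Request) (Response, bool) {
	if passRequest(r) {
		return v.backend.Generate(r), false
	}
	key := cacheKey(r)
	if e, ok := v.store[key]; ok && time.Now().Before(e.expires) {
		return e.resp, true
	}
	resp := v.backend.Generate(r)
	if ttl, ok := ttlFor(resp); ok {
		v.store[key] = entry{resp: resp, expires: time.Now().Add(ttl)}
	}
	return resp, false
}

// Purge is the invalidation step: drop the stored copy when the article changes.
func (v *Varnish) Purge(r *http.Request) { delete(v.store, cacheKey(r)) }
```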

Posted in:
eCommerce

WordPress 4.8 Will Not Support Internet Explorer 8, 9, or 10

Matt Mullenweg has announced that from WordPress 4.8, which is expected to be released later this year, WordPress will no longer support Internet Explorer versions older than IE 11. Microsoft only supports IE 11, but WordPress supports IE 8, 9, and 10 because a small proportion of its users remain on older versions. In March 2015, Microsoft announced that the modern Edge browser would replace Internet Explorer on newer versions of its operating systems.

For a project with as many users as WordPress, backward compatibility with older software is both necessary and problematic. Even though only a small proportion of WordPress users manage their websites on older browsers, that proportion may translate to millions of individual users. Corporate policy and government policy or a lack of access to up-to-date hardware and operating systems means people may not be able to use the newest versions of software even if they want to.

But supporting older browsers has a cost for developers and users alike. If features must be compatible with older browsers, developers are obliged to avoid modern tools, libraries, and language capabilities, which limits new features and constrains the experience developers can build.

It’s unsurprising that the ending of support for older versions of IE was met with universal praise in the WordPress developer community. If developers have to support older versions of IE, they can’t take advantage of the newer features available in more modern browsers.

“Depending on how you count it, those browsers combined are either around 3% or under 1% of total users, but either way they’ve fallen below the threshold where it’s helpful for WordPress to continue testing and developing against. (The numbers surprised me, as did how low IE market share overall has gone.)”

This issue came to a head with the planned changes to the WordPress Editor. To build the editing experience Mullenweg and the WordPress developers want, they need to be able to use modern web technologies that aren’t available on older browsers.

Internet Explorer 8 was introduced in 2009, followed by IE 9 in 2011, and IE 10 in 2012. Five years is a long time on the web, and the state of the art in web technology has advanced enormously in that time. Older versions of IE aren’t capable of offering the experience modern web applications aspire to. By dropping support for older versions, WordPress’ developers are free to make use of recent innovations without having to test every change for compatibility with legacy software.

It’s worth emphasizing that WordPress won’t stop working on older versions of IE: functionality that works now should continue to work, but new features will not. And over time, the experience offered by unsupported browsers will stagnate.

Posted in:
Content, WordPress

Certificate Transparency Aims To Make eCommerce Shoppers Safer

The security of online eCommerce transactions depends on SSL certificates and a system of validation by Certificate Authorities. The math behind SSL / TLS cryptography is sound if used properly, but the entire system depends on Certificate Authorities behaving as expected. They issue certificates, validate the identity of applicants, and make sure the SSL system isn’t abused. Every time a shopper makes a purchase from an eCommerce merchant, they implicitly trust the Certificate Authorities. That’s a problem, because although most Certificate Authorities deserve the trust they’re given, some do not.

Recently it was revealed Certificate Authority WoSign had persistently broken the rules that exist to keep web users safe. Over a period of several years, they had abused the trust placed in them. Browser developers reacted quickly to prevent any further damage, but that’s a case of closing the barn door after the horse has bolted.

What the web really needs is a way to make sure Certificate Authorities are doing their job properly, a monitoring system that would make any malfeasance immediately obvious.

That’s the goal of Certificate Transparency, a project from Google that aims to make Certificate Authorities open to scrutiny. Certificate Transparency is intended to make it difficult for CAs to issue certificates for a domain without the owner of that domain knowing about it. At the moment, any Certificate Authority can issue a certificate for any domain, and there’s no straightforward way for the domain owner to find out.

Certificate Transparency provides a monitoring system for all issued certificates — a log of all certificates that anyone can query. The logs are append-only lists of all certificates issued by CAs. They can be queried by anyone, so if a domain owner wants to know if a CA has maliciously or accidentally issued a certificate for their domain, they can simply send a request to the log.
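The append-only log described above, as an added example that is not Google's Certificate Transparency code: the RFC 6962 Merkle tree a log builds over the certificates it has accepted, the inclusion proof it returns when queried, and the check a domain owner's monitor runs to confirm an entry really is in the tree behind the log's published root. The five log entries are constructed stand-ins for real certificates.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
)

// Constructed example of the RFC 6962 Merkle tree behind a Certificate
// Transparency log: each appended certificate is a leaf, the log publishes a
// signed root hash, and a monitor checks an inclusion proof against that root.

// leafHash computes SHA-256(0x00 || entry); the prefix keeps leaves and
// interior nodes from ever being confused with each other.
func leafHash(entry []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, entry...))
	return h[:]
}

// nodeHash computes SHA-256(0x01 || left || right).
func nodeHash(left, right []byte) []byte {
	h := sha256.Sum256(append(append([]byte{0x01}, left...), right...))
	return h[:]
}

// split returns the largest power of two strictly less than n (n >= 2).
func split(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}

// TreeHead is MTH(D[n]) from RFC 6962 section 2.1: the root hash a log signs.
func TreeHead(entries [][]byte) []byte {
	switch len(entries) {
	case 0:
		h := sha256.Sum256(nil)
		return h[:]
	case 1:
		return leafHash(entries[0])
	}
	k := split(len(entries))
	return nodeHash(TreeHead(entries[:k]), TreeHead(entries[k:]))
}

// InclusionProof is PATH(m, D[n]): the sibling hashes from leaf m up to the
// root, which is what a log returns when asked to prove an entry is present.
func InclusionProof(m int, entries [][]byte) [][]byte {
	if len(entries) == 1 {
		return nil
	}
	k := split(len(entries))
	if m < k {
		return append(InclusionProof(m, entries[:k]), TreeHead(entries[k:]))
	}
	return append(InclusionProof(m-k, entries[k:]), TreeHead(entries[:k]))
}

// VerifyInclusion is the monitor's side (RFC 9162 section 2.1.3.2): rebuild
// the root from the leaf, its index, the tree size and the audit path.
func VerifyInclusion(entry []byte, index, treeSize int, path [][]byte, root []byte) bool {
	if index >= treeSize {
		return false
	}
	fn, sn := index, treeSize-1
	r := leafHash(entry)
	for _, p := range path {
		if sn == 0 {
			return false
		}
		if fn&1 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn&1 == 0 && fn != 0 { // fn == sn with fn even: climb the right edge
				fn >>= 1
				sn >>= 1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn >>= 1
		sn >>= 1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// DemoLog returns constructed entries standing in for DER-encoded certificates.
func DemoLog() [][]byte {
	return [][]byte{[]byte("cert: shop.example"), []byte("cert: mail.example"),
		[]byte("cert: blog.example"), []byte("cert: api.example"), []byte("cert: cdn.example")}
}

func Hex(b []byte) string { return hex.EncodeToString(b) }
```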

Certificate Transparency will keep CAs honest by making it easy to find out when they’re behaving dishonestly or incompetently.

It’s possible to dream up any number of systems that would make the web safer and more secure, but it’s a pointless exercise if the major stakeholders, especially browser vendors, don’t act.

The good news is that starting from next year, Google intends to make Certificate Transparency mandatory. If CAs want Google’s Chrome browser to trust their certificates, they’ll have to comply with Chrome’s Certificate Transparency policy. All certificates issued after October 2017 will have to comply.

October 2017 is almost a year away, and there are any number of reasons that deadline might slip, but it’s encouraging that at least one major browser developer is being proactive about the problem of untrustworthy Certificate Authorities.

eCommerce shoppers and retailers — and everyone else who uses the web — must be able to trust that their private data won’t be delivered into the hands of criminals and others who would use it maliciously. Certificate Transparency is a welcome move in that direction.

Posted in:
Security
