Nathan "Spanky" Briggs

Marketers: don’t accidentally promote rubbish

Here's a quick WordPress tip: if you're pimping a WSO-type WP plugin to your list, especially if it's a new launch, make sure the damn thing actually works before you email for it.

I know it's tempting to bash out an email or five, what with dimesales and affiliate contests. Trouble is, that pressure is also on the person selling it, and that's where problems start.

Inadequate testing can make you look anything from a little silly to a quick-buck scam artist. There are people out there making big splashes with fancy copy, nice graphics, launch contests and all that jazz… with very little time and money actually spent on producing and testing the product.

So please, be careful, and test software before you mail. Because you are not a scam artist – don't risk looking like one.

How to remove passwords from your browser and increase your online safety

In Fast Web Formula today, we are talking about password security. How to keep your passwords safe, make them complex – and not have to remember them!

I recommend LastPass for generating secure passwords, and keeping them secure. It's free, works on all major browsers. The premium version lets you share your passwords and secure notes to your smart phone.


Once you have LastPass installed, you might think you're safe. Your passwords are safely locked away, encrypted, and no one could get them – even if they got your computer.

Nope! The passwords you imported in to LastPass are still in your browser. Encrypted, yes, but anyone can get around that just by opening up a browser window. So you have to remove all your passwords from your browser.

We were talking mostly about Chrome today, so I whipped up a quick how-to on removing all saved usernames and passwords from Chrome. Be careful, there's no undo on this, so make sure LastPass is installed and working ok before you do this.

Cloudflare: Early Reports Question Effectiveness as Website Security Tool

Do you know how your sites are protected? What tools your host uses?

One tool you've probably heard of is Cloudflare. Maybe you've seen advertising saying something like “we protect your site from attacks” or “we protect your site from hackers”. How do they do this?

Part of CloudFlare's service is something called a Web Application Firewall (WAF), which is fancy-speak for saying their computer looks at what people are coming to your site to do, what data they're sending, and tries to figure out if they're nice visitors (which it should let through) or naughty hackers (which it should block).

But does it work?

Tony Perez (of Sucuri fame, and a serious man-crush of mine 😉 ) has been through a looooong and boring report from a gang of web security ninjas. They compared Cloudflare, Incapsula and just plain ol' mod_security (a set of rules, configured by the server admin — you almost certainly have mod_security on your shared hosting account). The results don't look good.

Tony extracted the results into a summary blog post, and I'm going to summarise his summary to save some more time for you.

mod_security: great! Stops almost every attack they tested (123 attacks, covering 3 different types of hack)
Incapsula: very good – stops almost as much as mod_security
CloudFlare: stops absolutely nothing. Not a thing

There are other reasons to use CloudFlare, like speeding up your site and getting some level of downtime protection, but for a company which markets itself as a security solution and Web Application Firewall, I find these results extremely troubling.


Do you know how your sites are protected? You should. From these results, using CloudFlare is not a security solution. I know some popular hosts have a one-click install for CloudFlare in their control panels, and it might well still be worth doing that for their other benefits. But not for security.

Talk to your host about mod_security, and ask them what else they do to keep the server secure. A lot of things they won't tell you, but they should be willing to tell you some information about how they keep your server  – and your business's reputation – safe.


Why you shouldn’t use an Administrator-level WordPress user whenever possible

If you're like most people, you use an Administrator-level account for your WordPress site all the time. Even doing something simple like comment moderation or posting something new, you use the admin account (minus 5 Spanky-points if its username is “admin”). It's just easier, right?

What if an asshat hacker gets into that account? They can do anything you can. Delete posts, put spam links in content and menus, mess up your theme settings, even create their own user so they can get in if you change your password.

How could they get in, you ask? A few ways…


The obvious way is password-guessing. Just throwing password after password after password at your site, trying to log in. Good news – this is easy to stop! Don't use admin as your Administrator username (which means they'll have to guess at the admin username as well as the password); use a strong password; and, limit the number of times someone can try to log in and fail.


Because password-guessing is so easy to stop, the asshats have come up with other methods. A favourite method is to infect as many computers as possible with a virus, and have the virus keep an ear out for passwords. This way, they can get a lot of FTP and logins for things like WordPress, but it doesn't really take them much effort. The only way to defeat this type of attack is make sure your computer – and your team's computers – have good, up-to-date anti-virus and anti-malware software. Especially if you're using a Mac. There's still an idea in the Mac community that Macs don't get viruses – and the asshats takes ruthless advantage of this myth.

And it's not just your computer you should be worried about. Are you sure your VA's or team's computers are secure?


This last way is probably the scariest one. They take advantage of when you're relaxed, enjoying yourself… thinking you're safe. You're in Starbucks. Having a coffee (or five), doing some work. But who's that sitting innocently at the next table? He's stealing your login information? Surely not!

Wireless networks for customers, like you get in coffee shops, aren't secure or encrypted. Everyone's computer “sees” traffic for everyone else's. You don't see what other people are doing, because your computer knows to ignore it. But what if you tell your computer not to ignore it? To suck it in. Analyse it. Look for logging in events and passwords.

Programs that do that – literally suck usernames and passwords out of the air – do exist. And they're easy to use. There are even programs dedicated to looking for social media logins. So, on any network you don't absolutely control and are sure of the security, don't go logging in to anything you care about.

Action steps

  • Create yourself a new WordPress user with the lowest level of access that makes sense for you. Normally, this is Editor, which allows you to create and publish content, approve comments, and manage categories and tags. Use this user whenever possible, and always in public places.
  • Create a new user for each member of your team (or edit their current user to give it a lower permission level)
  • Have a cookie (you deserve it 🙂 )

Is your host ready to nuke your business?

What do you think could be crazy enough to make a mellow nerd see red? Let me tell you a story. A couple days ago I heard about a case of a really bad web host.

You need to read this, because there's a cautionary tale, and I want you to be aware of what kind of scoundrels you might be dealing with, who are hosting your websites.

You count on your host. Your business depends on them keeping your site online and safe. But what happens when things go wrong?

The host in our story, who I’ll call Dr Evil, Inc, don’t like it when their clients’ sites get hacked. Far enough, I don’t like it when sites get hacked either. It’s nasty. It’s traumatising for site owners. It’s damaging to your business. And it’s expensive to clean up.

But there’s traumatising and there’s traumatising, and Dr Evil, Inc seem to be going for the gold medal.

Their procedure when a client’s site gets hacked is to immediately block access and not let the client get in again. At all. Until the account has been totally deleted. Totally deleted. Including the backups.

That isn’t quite believable, so I’ll repeat it. Totally deleted. Including the backups.

To cover their ass, they make you email them an authorisation for the site to be nuked before they’ll give you access again.

Wiping out an entire account, and all the backups, potentially destroying your business is so far out of proportion I’m not sure I can come up with a comparison. It’d be like someone stealing a chocolate bar and the government believing the appropriate response is to nuke the entire city.

What Would Austin Powers Do?

So what should they do? (aka “how does a good host behave?”)

The first job of a host when something goes wrong is to help you relax. Being panicked doesn’t do a damn thing for your website, and it does hurt you.

Automatically blaming clients and going full on Storm Trooper isn’t helping – it's making a bad situation worse. A hack usually is the client’s fault, but there’s no need to be a dick about it.

Fact is, most people do not have a recent, off-server backup of their site. Odds are you don’t. You know it’s important, you know you should, but it’s got pigeonholed in your brain into the “someday” category… which we all know actually means “never”. Even if you do have a backup, it’s probably on the same hosting account, by nuking it they’re getting rid of your one chance for salvation.

And the worst thing is: it doesn’t fix the problem. Most hacks we see have actually happened days, weeks, months or even in rare cares years before the website is defaced. Restoring from a backup doesn’t fix the problem at all.


The really stupid thing is they’re missing out on great profits for providing a valuable service to their clients.

What they should do is have their own team, or professionals like us or Sucuri, clean up and remove the hack, then secure the site (do all needed updates, check code quality, etc) and charge a monthly maintenance fee.

Or even let clients do it themselves; we’ve worked several times with people who have had their hosting turned off – but not wiped – and the hosts have been happy to turn the account back on so we could work.

Results? Happy, grateful clients and a new revenue stream.

Takeaways (mmm… takeaway)

  1. Don’t choose a host for your business based on price
  2. Keep control of your backups – have them run automagically, and automagically moved off the server (e.g. to your Amazon S3 account)
  3. Ask your host today what their policy is for dealing with hacked sites

How to know if that security plugin is any good

A few days ago a friend asked me to take a look at a new security plugin for WordPress. I was not impressed. Let me tell you how I evaluate a new security service, most are little tips you can do yourself without needing to know code.

How much is it

I don’t much like prices outside the middle ground.

Too cheap means they won’t have the money to pay for a decent support team, and with a security plugin (which are more complex and error prone than most) you’re going to need good support backup.

But, too expensive is also a problem. A service at $30, $60 or even $100 a year isn’t pocket change (okay, it might be pocket change to some people, but it’s enough that expectations get raised). A lot of plugins sold around these price points, and you have a right to expect them to work and fulfil all the promises on the sales page. Most don’t, of course, nature of pretty much any information or software product.

Does it actually protect you?

Here you have to play detective a bit. The tricky bit is that with clever marketing you can spin one actual feature into 6 or 7 benefits or features with no trouble at all. So we have to read between the lines a little and think about the types of attacks your site faces and how to stop them.

Types of threat

  • Code injection (can an asshat get their own HTML saved into your WP settings and output)
  • SQL injection (can they delete your database, or edit your posts)
  • Bruteforce (password guessing)
  • Specific, know vulnerabilities (like the TimThumb remote file upload bug)
  • Unknown threats (vulnerabilities we don’t know about yet, but that follow a pattern of an earlier vulnerability)

Does it protect?

Read the feature list carefully, even without expert knowledge you can make a pretty good guess at which category each feature falls under.

What doesn’t it protect against?

This is the most important part of your analysis.  Only when you know what the plugin/service doesn’t protect against will you know what you still need to protect against, and if the commercial plugin you’re considering is worth the price.

Can free plugins do the job?

There are a lot of free security plugins for WordPress in the repository.  Of course, many are crap. A few are excellent. Often, commercial plugins will use code from the repository for their own product. This is perfectly legal and ethical (as long as it is acknowledged in the code), I don’t have a problem with it at all, but you might and it is nice to know when someone is making money off other people’s volunteer efforts.

Does it do anything stupid?

My two top indicators for “this person should burn in hell” (in the context of security plugins, at least J ) are disabling the right click and “securing” wp-admin with a password. Why? Because disabling the right click is harmful to users (there’s a lot of reasons someone might want or need to right click, and taking that away without a damn good reason is not kosher), and it doesn’t even fulfil its stated purpose of “protecting” your content from getting copied – getting around a right click disabler takes about 3 seconds, and any thief who’s passed kindergarten will know how to do it, so all you do is hurt innocent visitors.

Passwording wp-admin is equally stupid. Not only does it do little to nothing to improve the security of your site, it completely blocks AJAX for visitors of your site (interactive tools). Not cool.

Is the code secure?

Finally, look at the coder themselves. What qualifications do they have to be writing any plugin – let alone a security plugin, which should be the most secure code possible. Pretty much anyone can write a plugin, hardly anyone can write one correctly and securely. Has the code been audited by an expert, like Mark Jaquith?

Does the coder use modern best practices, like using the data escaping tools WordPress provides? If they don’t, they have no business calling themselves a coder, much less and security system coder. Write and ask them.

I hope you’ve found this article useful. Is there anything you’re wondering about that I haven’t covered?

Display Buddy worth it?

A friend of a friend messaged me on Facebook tonight, asking about the Plugin Buddy developer pack (which includes Backup Buddy, the Display Buddy suite, Frolic and Email Buddy).

He'd seen my status messages about Backup Buddy. I talked about how important it is to have automagic backups for your site. It is especially important to take a backup before you upgrade your site.

The developer pack, with unlimited licenses for all plugins is $197, but an unlimited license for just Backup Buddy is $147. So you have to figure out if the extra plugins like Frolic are worth $50 to you.

Display Buddy

The display buddy set can be useful, very flexible. If what they do is exactly what you need, wonderfully quick, if not forget about them. For me it's worth having access to them just in case I need to do a basic slideshow or whatever. I haven't really explored them in depth, but a couple of them have been very useful (read: saved me from having to code my own) in a couple of projects I can remember off the top of my head.

Come Frolic in the water

Frolic is pretty new but I'm impressed with the power & options it gives. It's a one-stop-shop for social media in WordPress.

You can create Like and Send buttons for Facebook, publish Facebook comments on your site, and a whole lot more.

For Twitter, you can display your recent tweets, let visitors follow you or tweet to you (@youraccount) or your hashtag.

Google Plus has the normal +1 button, as well as a Share button and a display of people who have +1'd the page.

LinkedIn is new in Frolic, and I haven't had a chance to play with it yet. I'll test it out and write about it soon, but it does look impressive.

Buy or do not

I think it's probably worth the extra $50 if you're likely to need any of the things they can do in the near future. Otherwise, wait & upgrade later on when you need them (email and they'll sort you out a price-difference upgrade).