Nik, Author at Flat Cap Creative

Yuzo Related Posts: A reminder about the importance of website maintenance

April 24, 2019 By Nik Leave a Comment

I sometimes wonder whether our clients think website maintenance and WordPress security advice are not really very important. But recent events with a popular free plugin have changed many people's minds.

Yuzo Related Posts - Zero Day Vulnerability

Yuzo Related Posts was a simple plugin designed to keep visitors on your website for longer by suggesting more content that they might be interested in. Similar to most news websites at the end of a WordPress post it would show related articles.

It wasn't a particularly special plugin - there are many that do the same job - but it had a few useful features and worked nicely out of the box, so over 60,000 websites had chosen to use it.

On the 10th April, security analysts Wordfence posted news of a zero day vulnerability in the plugin. Essentially this meant that there was a security problem in the latest version of the plugin that people were using on their websites. Worse still, another security analyst had publicised the flaw online and so websites started to come under attack. Websites were being hijacked to forward users onto bogus external sites which featured contact forms to steal contact details from unwitting website users.

These are the moments that send chills down the spine of any website owner.

One of our Care Plan clients was (very briefly) affected by this. As it was being actively maintained by our systems, it was picked up by a routine security scan.

Security tools by Google and Sucuri failed to diagnose the root of the problem. The Yuzo plugin had been hidden from view in the WordPress Dashboard, making it impossible for a non-expert user to even realise it was running, much less remove it.

Within an hour of becoming aware of the issue we had patched the flaw and tested the site with three different security scanning systems to be sure that there were no lingering bad effects.

I dread to think what could have happened if it had been weeks or months until the issue had been addressed. I hope some of the other 60,000 website owners were as fortunate as our client.

It's awful that this is the world we live in now. But with software systems growing ever more complex, to the point that even Governments can't be sure they are getting secure services (I'm looking at you, Huawei), this sort of thing will only continue to happen.

How do I keep my WordPress website safe?

Please, take this as a reminder. Your WordPress website needs regular, ongoing maintenance on a monthly basis if you want your data and that of your customers and users to to be safe.

Here are some essential tips:

Be wary of free plugins and themes. A special few, like Contact Form 7, Yoast and Jetpack, are well supported and regularly patched and updated. But there's loads of abandoned or rarely updated things in the WordPress repository that represent a potential security risk in the future.
Keep your licences up to date for premium plugins and themes. If you're leaving software out of date, you continue to take risks with your site. If it's

WordPress Gutenberg: What is it and how does it affect my business?

January 14, 2019 By Nik Leave a Comment

[Because, if you haven't written a blog post about Gutenberg, are you even really a WordPress developer?]

The new version of WordPress opens up opportunities to make websites richer and more creative. But it arrives with a steep learning curve for casual users and widespread compatibility problems for millions of websites.

Read on to learn more about this major update and the approach we've chosen to look after our own clients.

Gutenberg: A long time in the offing

The WordPress industry spent most of 2018 waiting on the release of WordPress version 5 and its new system for editing posts and pages, Gutenberg.

Gutenberg had been in development since mid-2017 but plans to bundle it with WordPress took far longer than its creators had hoped. This is perhaps unsurprising; there are 38 million WordPress.org websites out there, in endless combinations of plugins, themes and custom code tweaks.

Despite the delay, when it finally landed in December 2018, it caused widespread problems across the millions of WordPress sites it was installed on. Most reputable web hosts didn't force the new software on their customers straight away. Many of the brave sites that did update immediately had compatibility issues. The WordPress team had realised this would happen, and had already released a plugin designed to undo the effects of Gutenberg.

So Gutenberg is, at least in the short term, potentially problematic for your website and your business. Before looking at how you should avoid it though, let's try to get to know it a bit better.

What is Gutenberg?

The Gutenberg software changes how you put content onto your WordPress website.

Instead of the old system of one editing box, with editing controls familiar to anyone who has used Microsoft Word or Google Docs, the new page editor starts with Blocks. In fact, WordPress are now referring to Gutenberg as the Block Editor.

Blocks are sections of content - headings, images, text, contact forms and so on. Gutenberg allows you to arrange these in the page editor and so produce complex page layouts more quickly.

The Classic Editor

The Gutenberg Block Editor

Get to it, how does Gutenberg affect my business?

There's probably two ways this could affect you:

1. If you edit your own website. Gutenberg is completely different to the old page editor and will need some time to get used to. Fortunately there's lots of videos on YouTube already, and thousands of blog posts.

2. Compatibility issues with your themes and plugins. A lot changed under the bonnet with this WordPress update. Lots of themes and plugins, particularly premium ones from established developers, have been updated to play nicely with Gutenberg. But lots haven't.

In either case, there's one route you can try - the Classic Editor plugin. This disables most of the new features in WordPress 5.0, including Gutenberg, and so resolves most (sadly not all) of the glitches that users are experiencing.

The Classic Editor plugin has had a massive uptake, being installed on millions of websites in a matter of weeks. WordPress has outlined plans to maintain the plugin until at least 2022. Even so, it's really only a temporary measure so I've planned carefully to make sure our clients' sites are future-proofed.

(If you need help with your WordPress website, skip down to the last part of this post.)

Are you going to use Gutenberg?

Most reputable WordPress studios have been using advanced page builders similar to Gutenberg for years now already. While it's great to see WordPress starting to catch up with the professional tools, it's unlikely to affect our workflow anytime soon. If we build your site, you're not that likely to encounter the Gutenberg Block Editor for the foreseeable future.

I'll be making sure we have the expertise here to support our clients, whether we built their site or they took out a Care Plan with us for a site that uses different tools.

Speaking of which...

How are you handling this update for your existing clients?

If you're on a Care Plan, the good news is that I've taken the decision to include this unusually large update for all our clients at no extra cost. This will include installing the Classic Editor too, so very little will really change.

To carry out the update we'll use staging versions of hosted websites to learn about the behaviour of our usual trusted combinations of WordPress software extensions. We use our scale to licence these annually and include them in the cost of Care Plans. It's an economical approach that means our sites are always secure and packed with the latest features.

Once we're happy, we'll take a final backup and start updating WordPress on your live site.

If we find compatibility issues with unusual specific pieces of software that you or your previous developer chose, we'll get in touch with you to agree a plan.

If you want to start using the new Block Editor, we can enable it for you and support you as needed.

If you're not on a Care Plan, but we host your site, you need to urgently address the question of compatibility for your own website. Our hosting systems will soon (potentially before the end of January) have to automatically update your site to WordPress 5, for our own systems' security and to keep us focused on supporting the latest software. If you need help carrying out a managed update and identifying any compatibility problems, get in touch.

Can you check my WordPress website and get it ready for Gutenberg?

Of course! If you're not a Flat Cap client, we offer a flat price website audit to quickly give you a technical and strategic assessment of your site. The insights are usually pretty eye-opening!

If needed we can also carry out safe, staged updates to your site and walk you through the upgrades without any technical knowledge needed on your part.

If you want a website audit, get in touch here.

Summing Up

Gutenberg is a game changer in the world of WordPress. Individuals are going to have access to tools similar to what the pros use. But it's not going to be replacing those more mature page builders, and it's going to upset a lot of hobbyists along the way. The Classic Editor plugin will help lots of people in the medium term.

Our advice? Get your site securely and safely updated ASAP, and embrace the new features.

Leave your questions below!

Switching from http to https – the benefits of having a secure website

October 26, 2018 By Nik Leave a Comment

Over the last year or two, the big internet companies have started to encourage website owners to deliver their sites over a secure, encrypted connection. Read this article for a quick look at the benefits and how to get switched over properly.

Help! My browser says my website is insecure - what do I do?

Until relatively recently, encrypted website connections were saved for sites handling sensitive data. If you were handling payment details, banking information or health data, you paid for an SSL Certificate. The certificate allowed you to deliver your site over a secure connection, and gave you a warranty to protect your users against loss of money.

Most other sites didn't bother paying for this type of protection.

Then along came a revolution in website security, and its name is Let's Encrypt.

Let's Encrypt offer free SSL certificates that don't include technical support or warranties, but do allow any website owner to switch to an encrypted connection. Read on for why this is a good thing! But, now that you can get SSL for free, the big internet companies really want you to switch to an SSL-encrypted website.

You can tell these sites by looking in the address bar and checking whether the site's address starts with http or https. The secure sites are the ones that start https:

Check for the 's' in the address bar

Why is having SSL encryption a good thing for my site?

There's lots of reasons!

Your visitors want to know their data is safe

It's not just about payment details any more. Your site visitors want to know that if they talk to you on live chat, or fill in an enquiry form, or use your search function, that their words aren't being received by anyone other than you. If someone is intercepting data sent to your website over an encrypted connection, they're just going to get a bunch of gibberish. If it's being sent over an http connection, then the data will be available for any hacker to read.

Browsers are warning visitors away from non-SSL websites

Starting in July 2018, Google started using its Chrome browser software to scare visitors away from websites that can't load over https. This is terrifying for web users and potentially damaging for website owners!

Google has factored SSL/https into its search ranking positions

That's right - just like when they started punishing websites that weren't mobile responsive, they're now giving an extra push to secure websites. If SEO is anywhere near your mind, this is a no brainer that you have to fix immediately.

You're less likely to get into a sticky GDPR or PECR conversation

I'm not a solicitor but after all the publicity around improved data governance laws, I reckon I want to be sure my website is taking good care of any personally identifiable data it stores.

Your website probably has some user accounts with people's email addresses. It probably has a contact form or two where people can put in their names and other info.

Yep - I'd want to be able to say all that was being transmitted securely.

OK, but my WordPress site isn't secure - how do I fix it?

You may want to talk to your web developer to do this properly. But with most hosts, who tend to use an Apache server setup, the basic steps are:

1. Get an SSL certificate installed

You can request this through your web host. Your host should offer Let's Encrypt by now. If you're running a shopping site it might still be better to pay for one with a warranty though.

2. Change the URL of your WordPress website

Head over to Settings -> General and change both URLs over to https:

Change your URLs to https

On a brand new site, this might be enough to get your the magic padlock in your address bar. But for most sites, you've got some more work to do.

At this point you're possibly getting the closed padlock icon (it's green on some websites) on some pages, but on others you're still getting a 'Not secure' message or a 'mixed/insecure content' warning.

This is because you have lots of old http links throughout your website and - if you want to get the benefits - you're going to have to fix them.

3. Change all your old URLs - internal links, images and documents - to https

If you're good at this sort of thing, you can log into your site's MySQL database through software such as phpMyAdmin and do a Search and Replace. This can throw up one or two unexpected issues though, so go carefully, especially if you haven't been using well supported, up-to-date themes and plugins.

If you're not so good at that, you play cat and mouse with your old http links by changing every one you can find until you get the closed padlock. Everywhere you find an address starting with http://, change it to https:// (unless it's a link to an external website that's not yours).

You might need to check in all of these places in WordPress:

All your Pages, Posts and any custom post types - Use the Text editor and check all links to other pages and all URLs for images and other media that load in your content.
Menus - If you've used the WordPress pages then the URLs got updated as soon as you saved the screen in Step 2. But if you have any Custom Links or have things set up carefully in extensions like Ubermenu or ShiftNav, these will need looking at.
Widget areas - Again, ignore links to other sites, but look carefully for URLs that relate to your own site.
Theme files - If you have a custom theme, a custom child theme or have (heaven forfend!) manually edited any of your theme's core files, you might to check these through. You're probably looking for static links in your Footer or Header areas. If you're using Genesis you're probably using a plugin to edit your footer, so this is a common culprit when trying to get the coveted green padlock for a site.

Once that's done, your site should be perfect. Green padlock heaven!

But what if you forget about https in future? And what about all your precious inbound links - SEO backlinks, your customers' own bookmarks, and every time you've posted something linked to your site on social media?

4. Make sure this never happens again - force all visitors to connect over to https

There are plugins for this sort of thing, but really you want a permanent solution, not some extra software. The answer is 301 redirects.

301 redirects tell your visitors and the search engines that your pages have permanently moved to a new address. In your case, they've moved permanently from http://yourawesomewebsite.com to https://yourawesomewebsite.com.

If your site has an .htaccess file you can add a simple wildcard 301 redirect rule so that every old page on your site gets redirected to the exact new location. So http://yourawesomewebsite.com/mailing-list/sign-me-up-scotty/ automatically redirects to https://yourawesomewebsite.com/mailing-list/sign-me-up-scotty/.

There's no need to update all your backlinks around the web, or to bin all your flyers and business cards prematurely!

A simple block of code you could drop into your .htaccess file would be:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

But be careful - if your site uses www. before the address, there's some other bits you should add in. There's hundreds of threads full of community-reviewed help in editing .htaccess on Stack Exchange.

Some hosts don't use .htaccess (usually because they run Nginx servers, which work differently to Apache). Those hosts will probably have their own 'force https' option right there in the hosting control panel, and their support people will help you through any hiccups it causes.

Bonus Step 5. Update your properties in Google Search Console

You want your new https home to be listed in the results pages in Google, like this:

We have https! (But our title is too long - whoops!)

Assuming you're already set up in Google Search Console (formerly Webmaster Tools), you will need to add and verify your https website as a new property. Google doesn't share the data between https and http properties, or between www. and non-www. properties, so you need to have every version in there.You may possibly want to setup a property set and choose the new one as your preferred default address, but Search Console has just been updated to a new interface and property sets can only be found by going to the old version, so put that in the maybe box for now. When they get round to updating the documentation, there's a load of help available on this on Google's support site.

So there you have it. Well done for making it to the end! You now have a secure website which loads over an encrypted connection. You protected your backlink integrity, made it idiot-proof for your visitors to load the new version, and your browser software has a happy padlock-shaped smile right next to your address.

Still got questions? Drop them below and I'd be happy to help out.