WordPress security (revisited)

A few months ago I wrote about WordPress security. In that post I mentioned a couple of plugins that we use here at K4 Media: iThemes Security and Sucuri Security. While both are fine plugins, and configured correctly they should protect your site from hacks, it can be challenging to get the settings right. Very challenging, we found out.

Case in point — one of our sites running both plugins got hacked.

It wasn’t a bad hack, mind. And we caught it almost immediately. Still, having your web site hacked is bad. It rattles the confidence of your customers. Plus, cleanup is time-consuming, and the threat of re-infection is nerve-racking. As a result of the compromise, we reached out to one of our most trusted tech partners, Sydney E-Commerce. After a bit of head scratching and code re-evaluation, we are moving away from the two-plugin approach outlined previously. That security stance will be replaced by the WordPress security plugin Wordfence. Wordfence seems far easier to configure, and the reporting and monitoring are far better, which leads to a greater degree of confidence in the abilities of the plugin. Plus, it’s only one plugin, which makes management far easier.

As always, web site security is a never-ending battle. Constant vigilance is necessary. So is change.

P.S. For a great introduction to keeping your site secure, read WordPress Security: The Ultimate 32-Step Checklist.

OPCC extends condolences to the family of Kem Ley


11 July 2016

PHNOM PENH – The Overseas Press Club of Cambodia (OPCC) offers our deepest condolences to the family of Kem Ley. He was a friend to journalists and our community feels his loss along with his family and Cambodian civil society.

We urge a thorough and independent investigation into the circumstances surrounding his death and the general rise of violence and repressive acts that appear politically motivated.

Kem Ley was a respected political commentator and Cambodia has lost an important political voice. We’re extremely concerned that this killing will have a quietening effect on freedom of speech nationwide which is crucial ahead of next year’s commune elections.

The Board.


The New York Times on Quest for Land

I just ran across this story by Seth Mydans on the New York Times Lens blog about John Vink’s excellent app Quest for Land.

“One goal stayed in my mind throughout,” he said in a telephone interview from Phnom Penh. “The mechanisms of an injustice hitting thousands of people in Cambodia had to be told. That’s what it is about.”

He has produced an intimate, passionate, almost palpable documentation of their lives — a decade of photographs, tens of thousands of images, the vast majority of which have never been published or exhibited.

He has become so immersed in his work, he said, that it has been hard to find a point at which to pause and pull it all together. “When living in a country instead of popping in and out, the flow of events is immersive,” he said. “You can’t escape it.”

Looking for a home for some of his 3,500 edited images, he has turned to the most modern of technology, creating an iPad app called Quest for Land, available through iTunes. In 20 themed chapters containing more than 700 photographs, he invites a viewer to join him in his immersion.

John spoke to the photographer Erik Kim about the project, and the interview provides some interesting insights into the process behind building the app. Of course, this is all a bit old news. The app was released in 2012, when iOS was in version four. But it’s not every day that your work gets discussed in The Times, so you have to grab the opportunities when you can.


The TeamViewer hack

This is not good.

For more than a month, users of the remote login service TeamViewer have taken to Internet forums to report their computers have been ransacked by attackers who somehow gained access to their accounts. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. No one outside of TeamViewer knows precisely how many accounts have been hacked, but there’s no denying the breaches are widespread.

TeamViewer denies it has been hacked. The company has instead blamed weak passwords and password reuse for users’ woes. Regardless, if you have TeamViewer installed on your computer you should probably change your password. Or better yet, delete the program altogether.

Hide BuddyPress member pages from non-logged-in users and search engines

Sometimes you need to restrict BuddyPress member pages from search engines and/or users who are not logged in. There are a few ways to solve this, but the easiest method is to require users to be logged in to view member pages. To do that, just drop this code into your theme’s functions.php file.

function k4media_buddypress_member_pages_login_check() {
	// Member page requested by a visitor who is not logged in: send them to the login form.
	if ( bp_is_user() && ! is_user_logged_in() ) {
		auth_redirect();
	}
}
add_action( 'template_redirect', 'k4media_buddypress_member_pages_login_check' );

The code is pretty simple. The function bp_is_user() checks whether the visitor is viewing a BuddyPress member page. The function is_user_logged_in() checks to see if, well, it’s pretty obvious what it checks for, right? The exclamation point means “not”. In human-friendly terms, the line of code reads like this: if the visitor is viewing a BuddyPress member page and is not logged in, then call auth_redirect(), a built-in WordPress function that sends them to the login page. Hooking the function to template_redirect runs the check before any page template is rendered, so nothing from the member page is sent to the browser (or to a search engine crawler, which is never logged in) first.
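As an added example (not from the original post), here is a companion hook that closes a gap the check above leaves open: newer BuddyPress releases also serve member data over the WordPress REST API, and REST requests never pass through template_redirect. The function name and error message are my own; it assumes a BuddyPress version that registers routes under /buddypress/v1.

```php
<?php
/**
 * Added example, not part of the original post.
 * The template_redirect check only guards themed member pages. BuddyPress
 * versions that ship the BP REST API also expose members via routes under
 * /buddypress/v1/members, which bypass template_redirect entirely. This
 * filter answers 401 for anonymous requests to those routes so member data
 * is hidden on both paths. Hypothetical function name; assumes the
 * /buddypress/v1 namespace is registered.
 */
function k4media_buddypress_rest_members_login_check( $result, $server, $request ) {
	// An earlier filter already decided this request: leave its decision alone.
	if ( null !== $result ) {
		return $result;
	}

	// Normalise to a leading slash and only touch the BuddyPress members routes.
	$route = '/' . ltrim( $request->get_route(), '/' );
	if ( 0 !== strpos( $route, '/buddypress/v1/members' ) ) {
		return $result;
	}

	// Same rule as the themed pages: anonymous visitors get no member data.
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			'You must be logged in to view member information.',
			array( 'status' => 401 )
		);
	}

	return $result;
}
add_filter( 'rest_pre_dispatch', 'k4media_buddypress_rest_members_login_check', 10, 3 );
```

With both hooks in place you can confirm the behaviour by requesting /wp-json/buddypress/v1/members from a logged-out browser and checking for a 401 rather than a member list.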

Top 10 design factors that influence credibility

A poorly designed web site undermines your credibility. The research is clear.

Three studies were conducted to ascertain how quickly people form an opinion about web page visual appeal. In the first study, participants twice rated the visual appeal of web homepages presented for 500 ms each. The second study replicated the first, but participants also rated each web page on seven specific design dimensions. Visual appeal was found to be closely related to most of these. Study 3 again replicated the 500 ms condition as well as adding a 50 ms condition using the same stimuli to determine whether the first impression may be interpreted as a ‘mere exposure effect’ (Zajonc 1980). Throughout, visual appeal ratings were highly correlated from one phase to the next as were the correlations between the 50 ms and 500 ms conditions. Thus, visual appeal can be assessed within 50 ms, suggesting that web designers have about 50 ms to make a good first impression.

50 milliseconds. That’s it. You literally have an instant to make a good first impression. But how do you make a good first impression?

The Stanford University Web Credibility Project spent three years and interviewed 4,500 people to find out. The project offers a Top 10 List of design factors that influence credibility.

  1. Make it easy to verify the accuracy of the information on your site.
  2. Show that there’s a real organization behind your site.
  3. Highlight the expertise in your organization and in the content and services you provide.
  4. Show that honest and trustworthy people stand behind your site.
  5. Make it easy to contact you.
  6. Design your site so it looks professional (or is appropriate for your purpose).
  7. Make your site easy to use — and useful.
  8. Update your site’s content often (at least show it’s been reviewed recently).
  9. Use restraint with any promotional content (e.g., ads, offers).
  10. Avoid errors of all types, no matter how small they seem.

Only two — items 6 and 7 — are specifically related to visual design. But we know these two factors have an outsized influence because users tend to base their initial impressions on what they see. Fifty milliseconds is not nearly enough time to read. Quite simply, bad design (like bad photos) makes you look bad. You’re better off with nothing.

Book binding in Phnom Penh

Book binding. It really is an art form.

Good commercial printers in Phnom Penh are everywhere. None of them, however, specialize in book binding, and high-quality book binding work is rare. A few printers I’ve visited just looked sheepishly at the floor and acknowledged that, while they can print books, they are not very good at it. A quick glance at the spines of sample books made the point all too clear. A few others did decent, if not great, work. And while print quality was generally pretty good everywhere, the choice of paper stock was narrow.

WordPress security: 3 plugins to get your site hacked

Getting a solid grip on WordPress security can seem a full-time task. The web currently comprises more than a billion web sites. And as the digital universe continues to grow, it continues to attract more and more black hats prowling the web’s digital back alleys looking for an easy mark.

According to a recent report from Sucuri, the new numbers are disheartening.

As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing. These numbers reflect only those infections that have an immediate adverse effect on the visitor (i.e., Drive by Download, Phishing) and do not include websites infected with Spam SEO and other tactics not detected by these companies.

The report doesn’t say how many sites Sucuri included in its research, but it does say that vulnerable plugins were the number one means of site compromise. The top 3 offenders?

  1. RevSlider
  2. Gravity Forms
  3. TimThumb

Fortunately for WordPress users, there are good security plugins on the market. Each one approaches security a little differently; it’s more than worth the time to read up on each of them and see which one (or two) best fits your needs. Infosec gives a good intro to the big 7 here.

At K4 Media, we use two: iThemes Security and Sucuri Security. What do you use?

(Interested in a professional security audit of your WordPress web site? Get in touch.)

Google page speed 100

No one likes to wait for a slow web page. But blindingly fast sites don’t just happen.

For those that don’t know, Google PageSpeed is a free tool that assesses the performance and usability of your website for mobile and desktop platforms. It’s extra important because Google uses it in determining key elements of our SEO ranking, i.e. how high we appear in their search results.

On our first pass recently, the K4 Media site scored 86. Not bad. But not great. WordPress doesn’t make it easy, either, with bloated themes and unnecessary plugins. If your aim is PageSpeed 100, however, Jeff Reifman at Tutsplus shows you the way.