Website design & hosting | 07769 900262

Security

How to secure your website … and why you should

As 2018 draws to an end, around 82% of web pages are served over the secure HTTPS protocol.

If your website is in the other 18%, you really need to understand why and how to secure your website.

The official Google Webmasters blog includes a series of videos for webmasters, and the November 2018 video was dedicated to HTTPS migrations and is well worth a watch.

The video covers:
  • What HTTPS encryption is, and why it is important to protect your visitors and yourself,
  • How HTTPS enables a more modern web,
  • What are the usual complaints about HTTPS, and are they still true today?
    • “But HTTPS certificates cost so much money!”
    • “But switching to HTTPS will destroy my SEO!”
    • “But “mixed content” is such a headache!”
    • “But my ad revenue will get destroyed!”
    • “But HTTPS is sooooo sloooow!”
  • Some practical advice to run the migration.

Watch the video on YouTube here

Email marketing and GDPR

Many of our web design and hosting clients also have email newsletter lists, and have been asking us what they need to do to ensure their lists and email marketing are fully GDPR compliant.

Whilst we can’t offer legal advice, we can offer some advice and point you towards some really helpful and easy-to-understand resources that we have found.

The first thing to be aware of is that email marketing is not only affected by the forthcoming General Data Protection Regulation (GDPR); you should also be aware of the PECR (Privacy and Electronic Communications Regulations). A new version of PECR is also on its way, but unlike GDPR the rules aren’t finished, so its replacement, the upcoming ePrivacy Regulation, is still in draft. See more at: https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/

For now though, the most common questions we get are:

  • Is my email list GDPR compliant?
  • Do I need to gain re-consent?
  • They’ve said yes before, surely I don’t have to ask again?

A significant point to remember is that there are 6 lawful bases for processing under the GDPR, and of these, the two that are appropriate for direct marketing activities are Consent and Legitimate Interests.


When do you not have to have consent?

There is an exemption within PECR, rather ambiguously known as the “soft opt-in”, whereby you can send emails without Consent as long as the following conditions are met:

  • You have obtained the contact details in the course of a sale (or negotiations of a sale) of a product or service
  • You are only marketing your own similar products and services
  • You provided a simple opportunity to refuse or opt-out of the marketing, when you first collected the contact details and in every subsequent communication.

This means you may well be able to email your own customers without Consent, but this will not apply to prospective customers or bought-in lists.


What do I need to do if I’m not relying on Consent?

Under GDPR, to have valid consent you will need clear and more granular opt-in methods (so for example, if you want to send newsletter emails and special offer emails, you should ask them to tick two boxes), good records of consent (so for example, be able to prove that they opted in, what they asked for, what form you used, etc.) and simple, easy-to-access ways for people to withdraw consent (luckily, most email marketing platforms have been including this in the footer of emails for a while now).


What are the key changes to make in practice?

You will need to review your consent processes to make sure they are specific, granular, clear, prominent, opt-in, documented and easily withdrawn.

The key new points are as follows:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: use unticked boxes (pre-ticked opt-in boxes are invalid) or similar active opt-in methods (such as a choice of two buttons).
  • Granular: give granular options to consent separately wherever appropriate (so not “email newsletters, text offers and postal vouchers”)
  • Named: name your organisation and any third parties who will be relying on consent
  • Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented

How do I ask for re-consent?

Given the likelihood that your existing list was not obtained in a fully GDPR compliant manner, you will need to ask for re-consent prior to 25th May (after which, legally, you should not email them, as you don’t have compliant consent).

If you have a small/medium-sized list, the easiest way is to email them and ask them to confirm they wish to continue to receive marketing emails from you (you will probably have had numerous such emails from shops and other businesses yourself recently asking this). This email must be GDPR compliant (e.g. include unticked box/es, be granular if necessary, say what you do with their details, and include a link to your Privacy Policy).

There is no free/easy way to automate this, so for a small/medium list (under 300), I suggest you create a new blank list (or group within your list) and send a compliant email with two buttons (one saying “I do consent” and one saying “I don’t consent”); each button opens an email to you with a pre-formatted subject. The recipient just needs to click the button and then hit send on the email. For each email you receive, you then move them to the new list (or new group), keeping the email as proof of consent. This Facebook video shows how this works in MailChimp.

Up to 25th May you can send a few more emails to those who have not replied, and after 25th May just use the new list/group.

You will have a high percentage of people who do not re-consent (or just ignore you) … that’s fine, they don’t want to hear from you, so don’t waste any more time worrying about them … this is the perfect opportunity to ‘clean’ your list!

If you have a large list (over 200 or 300), this method is likely to be too time-consuming.

You have a few options, which you can see here

The easiest of these is to buy a re-consent service; this is one I am aware of: reconsent.co.uk/
This won’t do everything for you, but for £230-£250 they will set up everything you need, as well as providing a comprehensive guide to implementing it.


More information

If you use MailChimp (or other email marketing systems), we highly recommend you join the ‘MailChimp and GDPR’ Facebook group, run by MailChimp expert Robin Adams. This group has lots of ideas and suggestions, and you can even ask Robin email marketing questions directly.

GDPR has been on its way for about two years, and although many businesses still aren’t sure what they need to do, it is not something to be worried about.

It’s good news for consumers (as we’re all consumers aren’t we!), and once you have the systems in place and a clear understanding of what is required it is actually beneficial … even if just to encourage you to clean that ageing email list you’ve been meaning to do for a while!


Your website … and the dreaded GDPR ;-)

You may be fully aware of the new EU regulation, and confident that you’ll be compliant by 25th May, in which case that’s great! On the other hand, like thousands of small businesses, charities and organisations in the UK, you may not be quite there yet (or may not even have thought about it).

Whilst we can’t offer legal advice, we can help you to meet the GDPR requirements around your website, and point you towards some really helpful and easy-to-read resources.

For all our own hosting clients, we are happy to update/replace your Privacy Policy and/or Cookies Policy, and make minor changes to your copy free of charge … if you’ve not yet done this, then please get in touch today.
The GDPR requirements mean that most website owners will need to make some changes (such as replacing their Privacy Notice, updating some copy and possibly revising their newsletter sign-up process) … for anything more significant, we will always advise clients of any costs in advance.

If you don’t have GDPR-compliant policies and would like this, along with plain-English, actionable legal advice, please see the ‘GDPR Pack’ information below.

Remember: your organisation is responsible for ensuring its own legal compliance, so it’s up to you to decide what needs changing and to provide the relevant information (copy, policy etc). Whilst IJL Web Solutions can’t provide legal advice, we do highly recommend the GDPR Pack below.

GDPR Compliance Pack

Many trade organisations are providing practical advice to those in their industry, but there are many small businesses, charities and organisations who still don’t know where to turn for help.
We can therefore thoroughly recommend this GDPR Pack, which includes pretty much everything you’ll need (the checklist, suggested email re-subscription wording, Privacy Policy, cookie policy, etc.).

The pack contains instant access to:

  • Email for refreshing consent
  • GDPR compliant privacy policy
  • GDPR checklist incl. processing checklist
  • Data processing inventory
  • Legitimate Interests Assessment form
  • Data transfer checklist
  • Marketing checklist
  • Records retention policy
  • DPO checklist
  • Employer checklist
  • Employee privacy statement
  • Employee subject access request form
  • Response to employee subject access request
  • Processor agreement
  • Subject access record
  • Data breach record
  • Data breach checklist
  • DPIA form

The pack costs £197 via this link, and gives you instant access.

These are written by Suzanne Dibble, who is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. She is one of the few lawyers who really understands small business owners and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of €20m) and Suzanne brings a practical, balanced approach.

Suzanne has also recorded a number of ‘plain English’ Facebook videos around GDPR compliance which you can see

Free GDPR Guidance Videos

This page here lists all of Suzanne’s GDPR videos so feel free to browse them. They include many relevant topics, such as:


This is the information IJL Web Solutions are using to ensure we meet the compliance requirements of GDPR, and we can personally highly recommend them.

We truly hope this information has helped you to relax and worry a little less about GDPR compliance!


Please note: the GDPR Pack link is an affiliate link from which we earn a small fee, you can of course order direct if you wish, but the cost/support/product is exactly the same to you.

Is your website secure and are your plugins updated?

When managed effectively, WordPress is a fantastic tool and is well protected, but there are certain measures that any website owner must take to ensure their website and plugins remain secure.

In addition to the vital WordPress updates, you also need to be vigilant with the plugins which your website uses, and ensure they are also monitored and updated, as the recent incident we discuss below highlights.

Not confident in managing the security of your WordPress website and plugins yourself?
IJL Web Solutions offer a monthly plugins/security service, as part of which we ensure that WordPress, the theme and all plugins are kept up to date. During this we first back up the site to a remote location, perform the required updates and then test. If anything fails we restore the backup and discuss with you how to proceed. Often this will include replacing the plugin with an alternative (when one is delisted or no longer kept up to date). This provides peace of mind and the reassurance that all updates are checked and applied regularly. For more details please contact us.

A recent article from Wordfence highlights a great example of where our plugins/security service would have been invaluable. Issues like this are picked up with our service, but can easily be missed if you manage the site yourself.


“If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor. The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin.”

“This company and the individuals behind it appear to be responsible for injecting malicious code into a plugin used by over 200,000 websites.”


The Wordfence blog article gives the full detail:
www.wordfence.com/blog/2017/09/display-widgets-malware/

XSS Vulnerability found in Product Vendors Plugin for WooCommerce

Do you use the ‘Product Vendors’ Plugin for WooCommerce on your website?

Important information about an XSS vulnerability found today

A reflected cross-site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce called the ‘Product Vendors’ plugin, which is used by nearly 30% of all online WooCommerce shopping sites.

This affects Product Vendors version 2.0.35.

Website security

If you are using this plugin, you need to upgrade immediately to at least version 2.0.36, which includes the fix. The current version of Product Vendors is 2.0.40.

For more information and to keep informed of current web security issues, we highly recommend following the Wordfence website and blog.

Support available whenever you need it – 24/7

Do you have access to 24/7 support, 365 days a year?

Easy access to a knowledgeable help service, who talk in plain English?

IJL Web Solutions provide personal support, whenever it’s needed

You need the reassurance that you can access technical support whenever you may need it, and IJL Web Solutions provide just that for all our hosting customers.

Help and support

As well as our front-end support, which our clients can contact directly and which runs seven days a week, we also have direct access to a backend team of around 15 server admins, with senior server admins specialising in cPanel, Linux, MySQL and security. The server team is online 24/7/365, and we also use a range of comprehensive server monitoring software to ensure the smooth running of all servers at all times.

So for detailed technical support, or just some advice around running your website, you can rest assured that we are here to help you whenever you may need us.

How can we support you today?


Free SSL/HTTPS encryption for every website we host

Have you heard talk about SSL certificates and how Google are penalising websites which aren’t secure?

Secure green SSL padlock icon shown by Chrome
The ‘secure’ green padlock icon, as shown when using the Chrome browser

Have you noticed the green padlock icon on some websites and not on others?

We offer free SSL encryption with our shared hosting packages

Back in 2016 Google Chrome announced that it would be marking non-HTTPS websites as ‘insecure’. Anyone using the Chrome browser to visit a website which does not have an SSL certificate will see a red X over the padlock symbol, indicating that the site is not secure.

Green SSL 'secure' padlock in the Firefox browser
The green ‘secure connection’ padlock, as shown when using the Firefox browser

Firefox has also followed suit and now shows a green ‘secure’ padlock symbol only if the website has encryption in place and is delivering content via HTTPS.

With search engines and browsers now pushing for SSL/HTTPS on all websites, all website owners should be updating existing sites and ensuring all new sites are built with SSL/HTTPS in place.

A major stumbling block so far has been the cost of buying SSL certificates and the limitations of installing them on shared IPs. However, we are offering a free solution to all our shared hosting customers, with a free SSL certificate issued via “Let’s Encrypt”.

Enable https for your website or to find out more

Getting started with Let’s Encrypt

Using free Let’s Encrypt SSLs could not be easier:

  1. Sign up to our Web Hosting
  2. Configure your site to use SSL/HTTPS (we can help)
  3. DONE! You are now running over SSL/HTTPS

read the full article …

WordPress Backups are critical – so who does yours?

If your WordPress site is compromised or your server fails, having access to a recent WordPress backup can make your life considerably easier. The fastest way to recover from a hacked website is to restore the latest version of the site that existed prior to the hack. You will still need to close the security hole the attacker used to compromise your site after your site is back up and running, but at least you’ll have your site back in working order in hours or even minutes.


How often should you back up your site?

The frequency with which you should back up your WordPress site should be determined primarily by how often your content changes. Sites that change infrequently may be able to get by with weekly WordPress backups. Sites with constant updates, like new users, blog posts and comments may need to be backed up hourly. Many websites will be somewhere in between.


How should I manage my WordPress backups?

The easiest way to manage your WordPress backups is via a plugin that meets your needs. There are a wide variety of options available, and depending on the cost and settings, some can perform regular automated backups. Backup location is also vital to consider – most solutions allow you to store your backup in various locations, but it is crucial that this is carefully considered. Backing up to a folder where your website is can be futile if your server crashes, and backing up to your laptop is pointless if your hard drive fails. It’s critical that backups are stored in a location physically and geographically separate from your website.

Contact us about our WordPress plugins/security service


read the full article …

Is your router vulnerable to being used to hack WordPress websites?

It’s been revealed that over 6% of all attacks on WordPress sites come from hacked home routers.

In one month alone, over 57,000 unique home routers were used to attack WordPress sites.

Those home networks are now being explored by hackers who have full access to them via the hacked home router. They can access workstations, mobile devices, wifi cameras and any other devices that use the home WiFi network.

Luckily the fabulous guys at Wordfence have provided an easy-to-use online tool, which can quickly check whether the router you are using is affected by this vulnerability.

For full details, a link to the tool and details of what to do if you do find you are vulnerable, follow this link: Wordfence Router Check

At IJL Web Solutions we take security seriously, and Wordfence is just one of the tools we use to help secure our clients’ websites, data and information. If you’d like more information on this, or we can help in any way regarding website development or management, please don’t hesitate to contact us … we love to talk!

Highly effective Gmail phishing technique being exploited

What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of even experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar to check it’s legitimate and you see accounts.google.com in there.

You go ahead and sign in on a fully functional sign-in page that looks completely as it should. Once you complete sign-in, your account has been compromised.

For full details, we suggest you read this post – https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

Make sure there is nothing before the hostname ‘accounts.google.com’ other than ‘https://’ and the lock symbol. You should also take special note of the green colour and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
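The two-step check described above (protocol first, then hostname), written out as an added JavaScript example that is not from the original post or from Wordfence: it parses the location-bar text and accepts it only when the protocol is exactly `https:` and the hostname is exactly `accounts.google.com`, so a `data:` URI that merely contains that string, or a look-alike domain, is rejected. The function name and the sample location-bar strings are constructed for illustration.

```javascript
// Added example (not from the original post): apply the advice above to the
// text shown in the browser's location bar. Only a URL whose protocol is
// exactly "https:" and whose hostname is exactly "accounts.google.com"
// counts as a genuine Google sign-in page.
const EXPECTED_PROTOCOL = "https:";
const EXPECTED_HOST = "accounts.google.com";

// Returns { ok, reason } so a caller can explain the verdict to the user.
function checkSignInUrl(locationBarText) {
  let url;
  try {
    // The WHATWG URL parser is what the browser itself uses.
    url = new URL(String(locationBarText));
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  // Step 1: verify the protocol. A data: URI has no hostname at all, even
  // though its body may contain the text "https://accounts.google.com".
  if (url.protocol !== EXPECTED_PROTOCOL) {
    return { ok: false, reason: `protocol is ${url.protocol}, expected https:` };
  }
  // Step 2: verify the hostname as an exact match (never a prefix match), so
  // look-alikes such as accounts.google.com.example are rejected.
  if (url.hostname.toLowerCase() !== EXPECTED_HOST) {
    return { ok: false, reason: `hostname is "${url.hostname}", expected ${EXPECTED_HOST}` };
  }
  return { ok: true, reason: "protocol and hostname verified" };
}

// Constructed sample location-bar strings (hypothetical, for illustration only).
const SAMPLES = [
  "https://accounts.google.com/signin/v2/identifier",      // genuine
  "http://accounts.google.com/signin",                      // wrong protocol
  "https://accounts.google.com.example/signin",             // real host ends in .example
  "data:text/html,https://accounts.google.com/ServiceLogin", // data: URI, no hostname
  "https://accounts-google.com/signin",                     // look-alike domain
];

// Runs every sample through the check and returns the verdicts.
function runSamples() {
  return SAMPLES.map((s) => ({ url: s, ...checkSignInUrl(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(`${r.ok ? "OK " : "BAD"} ${r.url}  (${r.reason})`);
  }
}
```

Of the five constructed samples only the first passes; the `data:` URI fails at the protocol step before the hostname is ever compared.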

Enable two factor authentication if it is available on every service that you use. Gmail calls this “2-Step Verification” and you can find out how to enable it on this page.

Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack, however there is no harm in adding this.