Affiance Coaching Minneapolis Website

Posted by & filed under Mobile Websites, News, Responsive Design, Website Design, Websites, Wordpress.

We are happy to report that we recently completed a brand new website for the Minneapolis-based business coaching organization Affiance Coaching.

We worked closely with the owner to produce something that was attractive, modern, and easy-to-use. The resulting website is fully responsive, mobile-friendly, and pleasing to the eye.

We also built it in WordPress and utilize the Cornerstone plugin which actually allows this client to easily edit their own content; even all of the complicated parts! It doesn’t need to be a simple text block like many WordPress sites. We hope the website will help this client grow to the next level.

 

Stupid Computer User Clickbait

Posted by & filed under Opinion, Strategy, Tutorial, Twitter, Websites.

If you’re anything like me, you know that the only way to trick people into visiting your crappy website is to manipulate them using clickbait titles on all of your articles. Of course you recognize that producing quality content would be better, but quality content doesn’t grow on trees and you can just as easily deceive people into thinking your site might be worthwhile. You are also aware that the only thing you need to know about the words “ethics” and “dignity” is that they have no place in your life, or your article headlines.

Let’s get started!

1. Don’t worry about grammar or journalistic best-practices

In the traffic game, it’s all about quantity over quality. And let’s face it: we aren’t exactly targeting the cream-of-the-crop when it comes to internet users, so no one is really going to care anyway. While titles like: “What happens next will be amaze” won’t be winning you any Pulitzers, it doesn’t matter because anybody who is going to be visiting your dumpster-fire of a website won’t even know what a Pulitzer is.

2. Completely omit what the article is about

There is nothing more powerful than the imagination. Especially not your writing. Capitalize on that by neglecting to inform the visitor that your worthless post is nothing more than a crappy viral YouTube video from 2008 that they’ve already seen dozens of times. Think about it: would you click something if you already knew that it didn’t interest you in the slightest? Of course not! But if you saw a link titled “She opens the door. What happens next will leave you speechless”, you have no idea what’s going to happen after she opens the door.

I know what you’re thinking right now. “What happens after she opens the door?” I don’t blame you! But that’s the magic of clickbait titles. It doesn’t matter what happens after she opens the door! If it’s on your website, we both know that whatever it is, it will be a colossal waste of time for all parties. By the time the Pentium 4 in the server you pay Host Gator $10/year for finally renders the whole page, your “guest” will have already seen so many ads that their computer will either have crashed, or they’ll have finally seen the folly of their ways and cast their laptop into the sea. Either way, you just got paid by your advertisers and no one even got far enough to see just how terrible your content is.

3. Always use the definite pronouns “He” or “She” when possible; never correctly identify who is involved

This one is similar to #2. “He” could be anyone. It could even be your favorite person! You never know until you click. That’s psychology 101.

Another tip is that if you aren’t sure whether the individual is a man or a woman or if your control of the English language is simply inadequate, you can always substitute ‘he’ or ‘she’ with ‘they’. Example: “This baby opens a present. You won’t believe what happens when they see what’s inside!”

4. Inject your own vapid commentary, as if people care what you think

Your post is pure drivel, you know that. But perhaps if you feign approval for it, people will believe it’s worthwhile. After all, it’s been working for rednecks selling their Firebirds on craigslist for years, so why shouldn’t it work for you? But remember, don’t do this one halfway — You need to COMMIT. Here’s a good example:

“She goes in to a store. What happens next is LITERALLY THE MOST INCREDIBLE THING I’VE EVER SEEN”

Another gem.

5. Put everything into a BS numbered list

This one is all about knowing your audience. The people dumb enough to end up on your website simply don’t have the attention span to wade through multiple sentences or complete thoughts. That’s why everything needs to be numbered and to-the-point.

But again: know your audience. If you can’t count any higher, neither can they. That’s why I like to keep the number of items in the single-digits.

6. Split all types of content into as many pages as possible

This works particularly well for galleries, but is a great tactic even with written “articles.” You want them to click “next” as many times as possible, so that you can force the maximum number of ads down their throat before they choke and die. Another great strategy is to put the most interesting photo from a gallery as the image they see when clicking through, and then bury it as the very last one in a massive gallery. Or better yet, don’t have it in there at all! Because **** them.

7. Blatantly lie

Odds are if you’ve gotten this far, you haven’t the slightest clue what you’re doing at any point and are thus not a stranger to saying things that aren’t remotely true. This should be a walk in the park for you. We’ve already established that integrity is not your strong-suit, so why not spice up your godawful articles with some flat-out lies. There are a lot of things you can try here: say something happened that didn’t, say something is good when it’s not, or simply inject mystery or intrigue where there is none. This is especially useful for convincing the committed dimwit who managed to trudge through to the end that he or she should actually share this garbage with their zombie friends. Who knows, you could be the one to come up with the next “Vaccines cause autism!”

Here’s to hoping!

8. Game the system by forcing tweets

As of the time of this writing, it has become evident that Google has streamlined their ranking algorithm to just a single factor: shares on Twitter. Using this knowledge, we can focus all our energy maximizing the number of tweets we get for our articles. This will allow us to be #1 in Google results, even for search terms that are completely irrelevant.

Traditionally, websites have focused on producing quality content to maximize the number of social media shares they get. But as we’ve already established, that takes effort and talent, two things we are desperately lacking. So instead, we need to force users to share the article. Simply making it easy to share isn’t enough in today’s competitive marketplace. If we could go to every visitor’s house and hold a gun to their head, that would be the most effective. But unfortunately it’s not especially scalable.

Instead, we simply need to require visitors to tweet the article before they’ve read it or, better yet, figure out a way to do it automatically without them knowing. Piggybacking off another app is the best way to accomplish the latter, but the former is still a good option. Your visitors, having already committed to clicking the link, will have no choice but to share before reading. Or better yet, allow them to read for a few seconds and then have a popup that requires them to share. Then they’ll really be hooked and will have no choice but to do your bidding.

9. Show your visitors your contempt for them by throwing all usability considerations out the window

Here’s just a handful of ideas you can use to really expand upon this:

  • Ensure each page has more ads than one man can conceivably read in a week
  • Put the actual content several page-lengths from the top of the page, forcing everyone to scroll all the way down
  • Have a mobile site that is about 80% fixed ads and menu, so that at any given time, users can only see about 2 lines of text
  • Popunders are so much better than popovers

While you’re at it, it wouldn’t hurt to install a tracking virus on every computer that visits so that you can find these people in real life, go to their homes, and literally spit in their faces. A well-placed cinder block through their window couldn’t hurt either.

 

Hopefully with these strategies in mind, you will be left with renewed vigor in focusing even less on producing quality content and more on coming up with lifeless, asinine headlines that no one with an IQ under 80 could resist. Good luck!

K9 Connection WordPress Site

Posted by & filed under Mobile Websites, News, Responsive Design, Website Design, Websites, Wordpress.

We actually completed this site last year, but I’ve got a backlog of sites I’d love to share! This one was a fun one. For those who don’t know, K9 Connection is a unique business that basically puts on events where dog-lovers can go and socialize with each other and with their dogs. Venues typically include popular bars throughout the Twin Cities, such as the Nomad.

Their old site was already WordPress and they were happy with the functionality and structure, so mostly we just wanted to revise the whole look and the layout of the homepage in particular. What was a flat, cramped, non-responsive website is now clean, attractive, open, and fully mobile-friendly.

The client loved the changes, and also loved the fact that we did it with very little input and direction from the client. Normally we work very closely with our clients, but in this case, the changes were very time-sensitive and they just wanted something done. So we accommodated.

Take a look around, let us know what you think! http://www.k9-connection.com/

Using a Phone to Take Photos for your Business Website

Posted by & filed under Website Design, Websites.

So you’ve ignored the pleas of your web designer and decided to take some photos for your website yourself. Not only that, but you don’t even have a decent camera so you’re just going to rely on a device optimized for taking Snapchats and Vines to handle this critical business piece for you. I could go into detail about the importance of professional photography for your website, but this post is assuming that you’re just going to ignore it anyway.

Do you have any better options?

First things first: are you sure a cell-phone is the best camera you own? Even though it doesn’t seem like it, most point-and-shoot cameras from the last decade are going to take better photos than your cell-phone. The difference is that your phone boosts the color saturation and usually has a much better display, so the resulting photos usually look more vibrant and stunning. If you really look closely though: they aren’t nearly as good. So if you have an old point-and-shoot lying around, I recommend using that instead.

Search within your network as well. Did your spoiled nephew just get a new Canon Rebel T5i for getting straight C’s this quarter? Take it while he’s at school and use that instead.

That being said, cell phone camera technology has really come a long way in the last few years, so use the newest phone you have access to. iPhones for the last couple years and some of the very newest Androids all have pretty good cameras on them now. If yours isn’t as good, use a friend’s, or an employee’s. Your RAZR from 2006 is not going to cut it.

 

Posting selfies on your business website is a good way to let visitors know that you are as vain as you are cheap

So you’ve settled on the phone. How can you take the best photos?

There are many things you can do to ensure that the photos you take will work well enough on the website. Especially given the limitations of a cell-phone, it’s important to keep these things in mind.

 

1. Shoot in broad daylight.

Some people don’t realize just how much better phones do in daylight than at night or in indoor-lighting conditions. Because the lens is so tiny, it cannot take in as much light as a ‘real’ camera (small aperture), and it compensates by both using a longer exposure and boosting the gain, resulting in blur and graininess, respectively. Both are things you don’t want! This happens in all but the brightest conditions. During daylight hours, outside, you may notice your images are pretty sharp. Any other situation: they’re about as sharp as a chihuahua barking at its own tail. Even if you’re just doing portraits of people, do it outside.

2. Don’t clutter the scene.

Rather than taking a picture of someone in your office with mountains of Taco Bell wrappers and stacks of unpaid bills lying around, bring them outside and put them against a solid wall. Or possibly have open sky behind them. You may find that your wall of awards and accomplishments is bare; that’s a good place, too. Photography isn’t that complicated; just remove anything that doesn’t contribute to the photo. If it’s a person, focus on the person. If it’s the exterior of your office building, don’t include a bunch of pedestrians in the way, garbage cans, or parked cars if you can avoid it.

3. Consider the site usage.

This one is pretty straightforward but somehow people always seem to forget it: think about where the photo is going to be used on your website. If you want a nice, wide image slider on your homepage, consider the fact that you need the photo to be wide. So if you need a picture of your office, realize that you need to crop out half of the vertical space of the photo. So should you really be standing so close that it takes up the whole frame? No. Back up! You need to have lots of room to the side of it so you can get that nice, wide photo. Just make sure you look both ways if you are backing into a busy street.

Same with staff portraits. You’ll want them to be consistent for all your staff. Whether that means headshot-style or pictures of your employees engaging in strange activities, make sure they are consistent.

4. Shoot in Landscape.

Most of the time you are going to want to use your phone in landscape orientation, not portrait. This is particularly true if you are taking pictures of buildings, scenery, or really any scene other than a single person. If you’re not sure which is which, just remember that one is wide and great for pictures of landscapes and one is tall and only suited for portraits. I’ll give you two guesses which is which.

Portrait should be reserved for really tall things that you can’t fit otherwise, things you want to display tall and skinny on the site, and sometimes, you guessed it, portraits of individual people.

As for video, always shoot in landscape. And that goes for more than just for websites; whether you are sending a Snapchat of your kid’s birthday cake or trying to shoot a commercial, it virtually never makes sense to shoot video in portrait orientation. Just don’t do it.

5. Use the rear-facing camera.

While some (very few) phones have the same camera on the front and back, yours is probably not one of them. Most phones have significantly better cameras on the back than on the front to try and crack down on selfie-taking and also to remind you not to take selfies for your website. Always use the rear-facing camera.

6. Send your web designer the full image files, unedited.

Do not run your images through your favorite image-sharing and editing app, Instagram, or anything else. Unless you really know what you’re doing (read: you don’t), don’t bother editing the photos. If it needs to be sharpened (and it likely never does from a phone), your web designer will handle it. And if it needs to be cropped, they can do that too. There is never a situation in which a photo should be cropped to just someone’s eyeballs and mouth, so don’t do it. And certainly do not resize them; the designer will take care of that.

7. Have your photos added to the site, take note of how much worse it looks, and then hire a professional photographer.

It makes such a huge difference… Professional photographers have years of experience learning what makes photos good; they have much more than just better equipment. Though just so we’re clear: their better equipment alone justifies the expense. Because their equipment really is that much better than your phone. But more than that, they know what looks good, what will work on a website, and many other things that you’ve never even considered. You know how to point at something and hit a button. And hopefully now a little bit more. Either way, it’s not the same.

 

In conclusion, taking your own photos with a phone should really be a last-resort when you truly have no budget for photography whatsoever. But if you’re going to do it, follow these steps and hopefully your web designer won’t have to drink so much to forget about the fact that their personal Mona Lisa was just covered with tasteless graffiti.

Good luck!

Broken Glass - Like Our Hopes & Dreams & WordPress

Posted by & filed under Comprehensive Website Guides, Problem Fix, Tutorial.

I’ve learned a lot of tricks over the years about WordPress, and I’ve found that many of the same issues come up over and over again. I figured I would explain how to solve these issues all in one place. This list is ongoing and I will add to it as more issues come up!

Only the Home Page Comes Up: Rest of Site Offline / Returning “Not Found”
This is an easy one. Your permalinks are probably messed up! Reset them by going to Settings -> Permalinks -> Click “Save Changes.”

A Single Page or Form is Missing / Not Displaying
Check the trash for your forms or pages / posts, whichever it is. I’m not sure why, but I find people accidentally delete their stuff all the time. If the form is simply missing, when other forms from the same plugin are working fine, again, verify it’s not in the trash. Then match the embed code to make sure there really is a form associated with it.

Some / All Images Not Showing Up, Especially When Some Links Bring You to 404 Pages
Resetting permalinks as in the first issue may solve it. Otherwise, inspect the images and links and check their URLs. If you find that a URL points to a different location than your actual website, you have a problem. You may be pointing to an old site location or possibly the test site location. If you happen to be hosting with Cloud Access, you can follow the numbered steps from this article. Otherwise, I recommend the Search and Replace DB tool, which has instructions and the download on that page. Search for the old URL (e.g. example.com) and replace it with your new URL (e.g. brianjohnsondesign.com).

The Website Is Completely Offline With or Without a Blank White Screen
I have a comprehensive tutorial on troubleshooting a downed WordPress site.

Fatal Error Message On Some Pages with Any Amount of Page Loaded
Take a look at the error. Is the file pluggable.php mentioned? If so, it’s almost definitely a plugin issue. Are there any other files mentioned? Usually it will mention another file and give an entire path to that file. If that path includes wp-content/plugins/ and then a plugin directory, that plugin is probably the one causing the problem. If you can get to the WordPress backend, disable that plugin. With FTP access, you can also rename that plugin’s folder and it will disable it. If it’s out-of-date, updating the plugin (and WordPress) will often solve the issue. If not, you may want to leave it disabled until you can figure out the problem.

A Plugin Stops Functioning
Is it updated? Update it! Make sure you run a backup first. But short of custom coding and themes, typically updated plugins will play nice and actually function just fine. Make sure WordPress is updated too! Occasionally you may need to reconfigure something too. Go through step-by-step and make sure each piece of it is set up correctly; the shortcode, the widget, the form, the settings; whatever is involved!

That’s it for now! I’ll be adding more of these as I think of them.

SSH and FTP Tutorial

Posted by & filed under Comprehensive Website Guides, Tutorial.

I want to present a quick jumpstart to connecting with and using FTP and SSH, which are both very useful tools. Let’s jump right in and start with FTP.

Getting Started with FTP

FTP is slow if you’re dealing with lots of files, but it gets the job done and is very reliable. I typically use Dreamweaver for my FTP since I code while I’m doing it, but Filezilla is a much better FTP client and is a great piece of freeware. I will include screenshots from there as a guide.

The Requirements

To establish a connection, you will need the following:
1. A username.
2. A password.
3. An address. Sometimes an IP Address, sometimes a domain / subdomain.
4. An FTP client such as Filezilla.

Once you have those from your host, web person, or client, you can connect. This tutorial does a good job of covering the basics of moving files. I recommend, if using Filezilla (or any client), that you use synchronized browsing by navigating to the corresponding folders on your local machine and server, and then clicking the chain icon in the toolbar. This ensures you are always working with the correct files in the correct location.

FTP Tips

  • If you get a generic error that you can’t connect or the connection times out, you probably have the address wrong. Try using the IP address from the website’s A record (which you can look up here), or simply ftp.example.com, which is sometimes how it’s set up.
  • If your error says incorrect username or password, that is probably accurate.
  • Sometimes the username ends with @example.com. For example, if you thought your username was testuser, it may actually be testuser@example.com.
  • Port 21 is for regular FTP, which is unencrypted; port 22 is for SFTP, which works the same way in your client but is encrypted and, on secure servers, is often the only option.
  • FTP almost never times out when uploading large files, even if they are many GB. Use it in favor of an online file manager.
  • FTP is actually very slow for uploading large directories. If you have a way of unzipping files either via an online file manager or via SSH, you should zip all your local files up and upload them that way. It will be many times faster.

Getting Started with SSH

SSH is very powerful and very useful in many circumstances. You can easily unzip files, search for files with a given name or search the content of files for strings or anything else. What you can’t really do is upload files. Let’s get started!

First, you need PuTTY. It’s the best SSH client. For SSH, much like FTP, you’ll need a hostname / IP address, username, and password. Usually you will enter the username and password once you’ve already connected, so you don’t need to enter them right away (though you can in more advanced settings). This tutorial will get you started right away if you don’t know how to initiate the actual connection.

If you don’t know what your username, password, and hostname are, Google how to use SSH with your particular host, or just contact the host. Many hosts, such as Godaddy, don’t have SSH activated by default, and are strange in where the username and password come from.

Controls and commands once you are connected

To paste – Right Click
This is useful for copying passwords and scripts you have prepared.

To enter a command – Type it and then press enter

Commands

pwd – Print Working Directory
This will print the full path to the current directory you are in.

ls – List all files and folders
This will list every file and folder in your current folder.

cd examplefolder – Change Directory
This changes your current directory to one specified. For example, if you’re in your website root, you might type “cd wp-content” and it will bring you to the wp-content directory.

unzip filename.zip – Unzip a file
Obviously, this is how you unzip a file. By default I believe it doesn’t overwrite existing files and folders, but you will be prompted if it is trying and have the option of saying yes or no. Note that if you are just listing the filename by itself, you will need to be in the same folder as that file.

Those are really all the commands I find myself needing! I have used it in more advanced ways, but for the most part that’s all I need. Take a look at my post about removing malicious code for how to use SSH to remove malicious scripts.

SSH Tips & Tricks

  • The first time you connect, Putty will typically warn you that you don’t know who you are connected to. If you are sure your IP address is correct, you can usually just say to go forward anyway, as this is what always happens. If you want to be really secure, you can use RSA keys but they are a pain to work with.
  • SSH can scan files very quickly, because the server runs these commands locally and returns the results to you when it’s done. Filezilla can search for filenames, but it takes a very long time.
  • Unzipping files and deleting files is also very fast and very easy with SSH.
  • There is basically no limit to what you can do with SSH, just Google it.
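
The first-connection warning from the first tip displays the server's host key fingerprint, and comparing it with a fingerprint obtained from your host is what tells you who you are connected to. The following is an added example, not part of the original post: it computes the OpenSSH-style SHA256 fingerprint of a public key line and checks it against the text of the warning. The key material is constructed, the function names are hypothetical, and it assumes your client shows the fingerprint in the `SHA256:...` form.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as SSH key blobs do: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def constructed_key_line(seed: int) -> str:
    """Build a CONSTRUCTED ssh-ed25519 public key line (not a real server's key)."""
    key_bytes = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed-example"


def sha256_fingerprint(public_key_line: str) -> str:
    """Return the SHA256 fingerprint of a '<type> <base64 blob> [comment]' line."""
    fields = public_key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line was truncated or edited, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without its trailing '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def warning_matches_trusted_key(warning_text: str, trusted_key_line: str) -> bool:
    """True only if the one fingerprint in the warning equals the trusted key's."""
    shown = [tok.rstrip("=.,") for tok in warning_text.split()
             if tok.startswith("SHA256:")]
    if len(shown) != 1:
        return False  # no fingerprint, or an ambiguous paste: treat as a mismatch
    expected = sha256_fingerprint(trusted_key_line)
    return hmac.compare_digest(shown[0].encode(), expected.encode())


if __name__ == "__main__":
    # Stands in for the public key (or fingerprint source) your host gave you.
    trusted = constructed_key_line(1)
    # Stands in for the text copied from the client's warning dialog.
    good_warning = "ssh-ed25519 255 " + sha256_fingerprint(trusted)
    bad_warning = "ssh-ed25519 255 " + sha256_fingerprint(constructed_key_line(2))
    print("expected fingerprint:", sha256_fingerprint(trusted))
    print("matching warning accepted:", warning_matches_trusted_key(good_warning, trusted))
    print("different key accepted:  ", warning_matches_trusted_key(bad_warning, trusted))
```

Accept the key only when the comparison succeeds; a mismatch on a server you have connected to before deserves a call to the host before you type a password.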

There you have it! FTP and SSH are both very powerful and useful in the right situations. Learn to use them, and Google anything you don’t know.

WordPress Coffee

Posted by & filed under Comprehensive Website Guides, Tutorial, Websites, Wordpress.

Changing out WordPress content is usually pretty simple, but every once in a while it’s easy to get stuck. I have assembled a list of places to check, in order from most likely to least likely, that should help you change anything on your website. Here we go!

1. The Post / Page Content

This is the normal place to look. Go to the page, and click “Edit Page” from the toolbar on the top. Don’t have a toolbar? You should still be able to get to the page by going to the backend and clicking “Pages” if it’s a page and “Posts” if it’s a post, and then finding it in the list.

2. Widgets

Widgets are commonly used for sidebars and footer content, but in many themes are used for much more. Go to Appearance -> Widgets, and take a look at the content of each widget area and see if you can find what you’re looking for. Need a little help? Sometimes you can find out which Widget area a page or post uses by editing it, and looking on the right for anything that specifies a widget area. Sometimes the “Page Template” may give it away as well. If you are familiar with coding, using the code inspector in your browser will usually make it clear that it’s a widget, and will sometimes even tell you which one.

3. Theme Options

Themes sometimes control much more content than they really should, especially header / footer content, and sometimes even more than that. Search thoroughly in your theme options, usually located in either Appearance -> Theme Options or Appearance -> Customize, but sometimes the theme will have its own menu item in the backend, named after itself or its framework. Things like copyright messages are very frequently found here.

4. Post / Page Meta

Sometimes your website may have custom meta data associated with each page or post. Scroll down past the main content area of the edit screen and you may find what you’re looking for.

5. Hard-Coded Into Your Theme

If you have a custom website or theme, this is a very possible spot to find content. Things like menus, footer messages, and other complicated setups are very commonly handled directly in the code. You will need to edit your theme to get to them. Header and footer content will usually be in header.php and footer.php, respectively, and content specific to a page may be found in the template for that page, such as front-page.php or page-name.php, though many variations on the name are possible.

6. In a Content Block

Some websites use content blocks to display content, usually repeated throughout the site. Look for menu items in the backend called “Content Block,” “Modules,” “Blocks,” “Home Page Content” or anything along those lines. It can be tricky narrowing down which block goes where, but if you edit the page you are trying to change, usually you will find a shortcode that specifies which block is being used.

7. Other Posts

Sometimes content comes directly from other posts. Usually in this case you will need to either view the content of the page and look for shortcodes, or check the theme files to figure out where it’s coming from. This is especially true of “Featured” areas, which typically display recent posts of a specific post type, or sometimes posts of a specific category.

8. Iframes

Usually you should be able to find the code that’s loading an iframe, but looking on the frontend it can be confusing. An iframe, for those of you who don’t know, literally loads an entire external website in a little window or ‘frame’ if you will, within your own site. This includes every part of that website, including the <html> and <body> tags. Iframes are frequently used for video embeds, contact forms, and other times where it’s the only thing that works or the developer is lazy. Note that you have no control over the content of an iframe without having control over whatever webpage is being included by that frame.

9. CSS

Every once in a while, you may want to change some content that’s being generated by CSS. Inspect the element with your browser, and if you’re seeing :after or :before selectors, you are going to need to change their values to change the content.

10. Other

There are other places content can come from as well, including the WordPress core files, translation plugins, misc. scripts that change text strings, and much more. These are less common, however, and not likely to affect large blocks of content.

 

There you have it! That should cover pretty much everywhere you may have to go to change something on a WordPress website. Over the years I’ve been stumped before, and I think this guide would have helped me quite a bit. Let me know if there’s anywhere else you have had to look!

WordPress Website Hack

Posted by & filed under Comprehensive Website Guides, Problem Fix, Tutorial, Wordpress.

I’ve dealt with quite a few WordPress website hacks and infections, especially lately. While there is a virtually unlimited number of ways your site can be compromised, I am going to focus on some likely ones and the methods I’ve used to fix 95% of the sites I’ve seen hacked.

These methods all assume that you still have WordPress admin dashboard access. If not, you may want to consider restoring the site from a backup. This may require speaking with your host depending on your situation. If you don’t make many changes on your site, this also may be a good solution, as you can just restore your site to before it was hacked.

Once I’ve identified that there is a hack (or even just if I suspect), here are the steps I take.

Use the Wordfence Plugin

  1. From the backend, go to plugins -> add new and search for “Wordfence”. Click “Install Now” next to “Wordfence Security.” Activate it when done. If you can’t do it from the backend, you could always download the plugin, extract the files locally, and upload to the wp-content/plugins directory using FTP.
  2. We need to configure something quick. Go to Wordfence -> Options and scroll down to “Scans to Include”. Ensure that “Scan theme files against repository versions for changes”, “Scan plugin files against repository versions for changes”, and “Scan core files against repository versions for changes” are all checked. Save changes. Optionally, you can check to scan files outside of WordPress if you want to be really thorough, but this often takes much longer.
  3. Go to Wordfence -> Scan and start a Wordfence scan. Depending on your setup, this will usually take anywhere from 20 seconds to 10 or 15 minutes.
  4. Analyze the results and take the recommended action in most cases.

Basically what you are looking for is malicious code. If the results find files and it says, “this file contains malicious code”, odds are you want to follow the recommended action and delete it. If WordPress core files have been modified, repair those. If there are files that aren’t part of the plugin or core but are in those folders, delete them.

You don’t really need to worry about notices with “Warning” severity (the yellow exclamation point), especially if it’s just a .txt file, as they can’t run scripts. Plugin developers frequently change these files without releasing a new version, which triggers this notice. Sometimes they make minor changes to PHP files as well; let Wordfence decide whether it’s a critical issue and go from there. You can also view how the file has changed. If some variables were renamed or the code changed slightly, it’s probably not a big deal. If there are large strings of nonsensical text, especially combined with base64 decodes or eval functions, it’s probably malicious.

Oftentimes, this is all that’s needed. Update all your plugins and themes, and continue scanning to see if you need to do more.

Restore WordPress Core Files

This isn’t always needed, but it’s often a good idea to restore all of the core WordPress files. This basically involves deleting the wp-includes and wp-admin folders as well as all the files in the root directory that aren’t needed or part of WordPress, except wp-config.php. You may also want to restore that one, but you’ll want to back it up and take note of the usernames, passwords and other info so that you can set up a new one.

  1. Download the latest version of WordPress.
  2. Unzip it to your local machine.
  3. Zip up everything into a new file, except the wp-content folder. Most operating systems can do this natively; otherwise 7-Zip is the best freeware in the business.
  4. Upload this file to your website’s root folder using FTP or the online file manager through your hosting cPanel or similar.
  5. Back up your entire website. The “BackUpWordpress” plugin does a great job, but you could also zip everything up using SSH or your online file manager.
  6. Delete the wp-includes and wp-admin folders, as well as all of the WordPress related files in the root.
  7. Unzip the file you uploaded with all the core files.
  8. Test your site! If you deleted wp-config.php, you’ll be prompted to set up your new site. Enter in your database info, etc, and you will be good to go.
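Before step 6 deletes anything, it helps to know which core files were changed and which files in those folders are not part of WordPress at all. The script below is an added example, not part of the original post: `compare_tree` and `make_sample_trees` are hypothetical names, and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Compares a live folder with a
# freshly downloaded copy of the same release.

# compare_tree FRESH_DIR LIVE_DIR prints one line per difference:
#   EXTRA     only on the live site (not part of the release)
#   MODIFIED  in both, but the contents differ
#   MISSING   ships in the release, gone from the live site
compare_tree() {
    fresh=$1
    live=$2
    (cd "$live" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        if [ ! -f "$fresh/$f" ]; then
            echo "EXTRA    ${f#./}"
        elif ! cmp -s "$fresh/$f" "$live/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    (cd "$fresh" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -f "$live/$f" ] || echo "MISSING  ${f#./}"
    done
}

# Constructed sample: a tiny "release" and a tampered copy of it.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/fresh" "$base/live/cache"
    echo '<?php // loader'  | tee "$base/fresh/load.php" > "$base/live/load.php"
    echo '<?php // class A' > "$base/fresh/class-a.php"
    echo '<?php /* injected line */ // class A' > "$base/live/class-a.php"
    echo '<?php // version' > "$base/fresh/version.php"
    echo '<?php // dropped file' > "$base/live/cache/x.php"
    echo "$base"
}

# Demo run on the constructed sample.
demo=$(make_sample_trees)
compare_tree "$demo/fresh" "$demo/live"
rm -rf "$demo"
```

Run it on one folder at a time, for example the unzipped wp-includes against the site’s wp-includes. The same function works for a plugin folder and a fresh download of that plugin.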

Search for Malicious Code Using SSH

For basics on connecting with SSH, check out my blog post on that topic.

  1. Connect to your server using SSH.
  2. Find out what your root directory is. The command “pwd” will give you the full path to your current directory. “ls” will list all files and folders where you are. If you see an httpdocs or public_html folder, you’ll probably want to navigate to that by using “cd httpdocs”. Change “httpdocs” to the name of the folder you want to navigate to. Once you use “ls” and see your WordPress install (wp-admin, wp-content, wp-includes etc), use “pwd” and it will give you the full path to your site root. Copy this down.
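  3. Run the following commands, one at a time, replacing the path with your site’s path.
    # Decoder routines: function, for, strlen and isset all on one line
    grep -ERl 'function.*for.*strlen.*isset' /path/to/your/website
    # $GLOBALS followed by \x hex escapes, or the decoder pattern above
    grep -ERl '\$GLOBALS.*\\x|function.*for.*strlen.*isset' /path/to/your/website
    # isset followed by eval on the same line
    grep -ERl 'isset.*eval' /path/to/your/website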
    
  4. View the contents of any files that it turns up. If they contain eval or base64 scripts that are basically just long strings of characters, such as:
    eval('KD819DNIKEULSDF8983NHKWED7BN3HJ1RHJK1R12JKSDLQUBYU3')

    Then it’s more than likely malicious code. If that’s all that’s in the file, the whole thing should probably be deleted. If the rest of the file looks like a regular, unsuspicious file, you may just want to remove the suspicious part, which is likely located right at the top but may be obscured by pushing it a few hundred characters to the right.

    Note that some legitimate plugins do use eval and base64, especially plugins dealing with credit card transactions and passwords. If one plugin has multiple files that do this, and Wordfence didn’t pick up on it, I’m sure it’s fine. You can always download a fresh copy of the plugin and compare files to be sure.
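Code pushed far to the right is easy to miss when you open a file in an editor, so it is worth listing it by column instead of by eye. This is an added example, not part of the original post: `scan_hidden_php` and `make_sample` are hypothetical names, the 200-column threshold is an assumption, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list eval()/base64_decode() calls
# that start far to the right in a PHP file, where an editor window hides them.

# scan_hidden_php DIR [MIN_COL] -> prints "file:line:column:line-length"
scan_hidden_php() {
    find "$1" -type f -name '*.php' -exec awk -v min="${2:-200}" '
    {
        line = " " $0      # pad so a call at column 1 still has a char before it
        off = 0            # characters already consumed from the padded line
        while (match(line, /[^A-Za-z0-9_](eval|base64_decode)[ \t]*\(/)) {
            col = off + RSTART               # column of the call in the file
            if (col >= min) {
                printf "%s:%d:%d:%d\n", FILENAME, FNR, col, length($0)
                break
            }
            off += RSTART + RLENGTH - 2      # keep the "(" as the next lead char
            line = substr(line, RSTART + RLENGTH - 1)
        }
    }' {} +
}

# Constructed sample tree: one clean file, one with a call pushed to column 306.
make_sample() {
    d=$(mktemp -d)
    printf '<?php\n$total = doubleval($_GET["n"]);\necho $total;\n' > "$d/clean.php"
    printf '<?php%300s%s\n' '' "eval(base64_decode('Y29uc3RydWN0ZWQ='));" > "$d/infected.php"
    printf 'get_header();\n' >> "$d/infected.php"
    echo "$d"
}

# Demo run on the constructed sample.
demo=$(make_sample)
scan_hidden_php "$demo" 200
rm -rf "$demo"
```

A hit is only a reason to open the file and look at that column; as noted above, some legitimate plugins use these functions too.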

Searching the Rest of the Server

If you have other websites on your hosting server, you are going to want to run these same actions on them. Infections can and do spread easily. If one of your sites was infected, I’m betting others are too.

You can do all these same processes for the other sites. Using the SSH searches, you could also just search the root of all your websites at once to get an idea of how much it has spread.

Preventing Hacks from Happening Again

  1. Update.
  2. Update.
  3. Stay updated.

That’s basically all there is to it. Update WordPress, update your plugins, and update your themes. Vulnerabilities are constantly being exposed, and automated hacks can easily take advantage of them to compromise your site.

It’s also critical to check your premium plugins to ensure they are up to date. They don’t always warn you, and are typically the biggest targets. In my experience, the following plugins are most likely to be compromised and most critical to update:

Revolution Slider
Gravity Forms
Visual Composer

So go ahead and Google what the most recent version of these plugins is, and compare it to what’s on your site.

Also make sure that you update ALL of the sites on your server. You are only as safe as your weakest link!

There are lots of other things you can do to harden your install and server to prevent hacks. And they can be a great choice, but in my experience, 95% of hacks are prevented by simply keeping updated. You should update everything, at a minimum, on a monthly basis to prevent issues. I offer a service that is very reasonable where I go through and update your site for you on a monthly basis and also deal with any upgrade issues that may arise. So for those of you that don’t want to do it yourself, I can make sure it’s done and that it gets done right.

DNS Explained

Posted by & filed under Comprehensive Website Guides.

DNS is something that sounds incredibly complicated and takes quite a bit of messing around with to actually learn and get a decent grasp of. So I decided to make a guide that tells you exactly what you need to know to work with your own website or, as a web developer, to work on client websites. I’m going to try to keep this thorough yet concise; I don’t think it’s necessary to know HOW everything works, just that it does! And truth be told, I don’t know all of the behind-the-scenes stuff anyway. What I have is a very practical working knowledge of DNS and how it works, which I will share with you now.

DNS Basics

The purpose of DNS is basically to tell visitors what server a website is hosted on. There is a lot of fluff beyond that, but really that’s what it comes down to. To understand how it works, we first need to understand all the pieces involved with determining where the DNS records are. To do that, we need to understand the following terms:

Hostname
This basically says, “This is where the nameservers (see below) are located”. Most of the time, this will be set for you and you won’t have to mess with it, especially if your site is hosted through your domain name registrar. If you are ever trying to change your DNS records and you see a message like, “This domain’s zone file is not hosted here,” it could be because you have a hostname that points to a different server, though more than likely it’s because your nameservers are pointed elsewhere. Honestly, I’m not sure why you would ever mess with the hostname and I don’t think all hosts/registrars even have an option for it.

Glue
Don’t worry about this. I barely understand it, and I can tell you that I’ve never once needed to know how it works or had to do anything with it.

Nameservers
The nameservers are the servers where the DNS records are physically located (within the zone file). I believe every website is supposed to have a minimum of two separate nameservers, though in practice, every site pretty much has exactly two. I believe this is done for redundancy, though you don’t really need to know why, just know that there are two. They are always a name, never an IP address. They often will look like “ns1.example.com” and “ns2.example.com” and are typically always a subdomain. Hosts like GoDaddy often use their own nameservers for your websites which usually look like ns64.domaincontrol.com and ns65.domaincontrol.com. In fact, that’s one way to determine that the DNS is being hosted by GoDaddy: if the nameservers are on the domaincontrol.com domains. Other websites and hosts will frequently locate the nameservers directly on the domain name (e.g. ns1.example.com).

Zone File
The zone file is a file that resides on the nameservers and contains the DNS records themselves. It contains all different types of records in one file. You will likely never edit the file itself; instead, you’ll work within an interface to add or edit entries. Sometimes this will be called a “Zone File Editor”, while other times you will just have to follow instructions for “Changing the DNS” or “MX Record Entry” for email records.

DNS Records

The records themselves are what determine where a site is hosted, where email should be routed, and more! A record typically consists of a value, a location (IP Address or domain), and a TTL (time to live – this is just telling other servers how often they should check back and see if the record has changed, usually in seconds). There are several types of records within a zone file.

A Records
These are the main host records and should point to an IP address. These should be reserved for your main host record, whose value is simply “@”. The “Points To” field should be the IP address of your hosting server. TTL can vary; 600 seconds is a common value. You would also put subdomains here (e.g. blog.example.com). A subdomain also points to a server, and behaves like its own domain in virtually every way. The value for the subdomain in the example would simply be “blog”.

Cnames
Cnames are for domain prefixes that aren’t their own subdomains and aren’t their own website within your website, such as ftp.example.com or smtp.example.com. The most commonly used one here is “www” and it’s how you make sure that visitors to the “www” version of your site are seeing the same thing. The value would simply be “www” and the “Points To” would be “@”. The “@” symbol basically just points it to your main host record, which is what you want here.

Note that Cnames should be domains or “@”, not IP Addresses.

MX Records
MX Records are for email. Usually, your mail host will tell you exactly what values you should be using. These records also have an additional field, “Priority”. I believe you need to never have more than one record with the same priority. Again, ask your mail host what records you should be using.

Other
Really the only other main one you might need to know for troubleshooting purposes is the AAAA record, which is just like an A record except it uses IPv6 addresses, which are the new IP addresses and are more complicated. I don’t believe it is ever necessary, and in fact sometimes I’ve seen it cause problems. If your hosting server definitely has an IPv6 address assigned to it and you know for sure what it is, go ahead and use it. If not, it could cause trouble! I’ve seen a website that seemed to unpredictably be offline for just some people, and it’s because they used an AAAA record when they weren’t supposed to.

There are also TXT and SRV records, but you don’t need to know much about them. Sometimes you may be asked to add one, but if you are, you’ll be given everything you need.
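Here is what those records look like written out as zone-file lines, together with a small check for two of the mistakes described above: a CNAME that points to an IP address, and an AAAA record that nobody has confirmed. This is an added example, not part of the original post. `lint_zone` and `make_sample_zone` are hypothetical names, the zone is constructed with documentation addresses, and the check assumes one record per line written in full as NAME TTL IN TYPE VALUE.

```shell
#!/bin/sh
# Added example (not from the original post): check a zone file for record
# mistakes described in this guide. Assumes one record per line, written out
# in full as: NAME TTL IN TYPE VALUE

# lint_zone FILE -> prints one ERROR or CHECK line per finding
lint_zone() {
    awk '
    NF == 0 || $1 ~ /^;/ { next }            # skip blank lines and comments
    $4 == "CNAME" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        printf "ERROR %s: CNAME points to IP address %s, use a hostname or @\n", $1, $5
    }
    $4 == "AAAA" {
        printf "CHECK %s: AAAA %s, confirm the server really has this IPv6 address\n", $1, $5
    }
    $1 == "www" { have_www = 1 }
    END { if (!have_www) print "CHECK www: no www record found" }
    ' "$1"
}

# Constructed zone for example.com (documentation addresses only).
make_sample_zone() {
    z=$(mktemp)
    cat > "$z" <<'EOF'
; name  ttl   class type   value
@       600   IN    A      203.0.113.10
@       600   IN    AAAA   2001:db8::10
blog    600   IN    A      203.0.113.10
www     600   IN    CNAME  @
ftp     600   IN    CNAME  203.0.113.10
@       3600  IN    MX     10 mail.example.com.
EOF
    echo "$z"
}

# Demo run on the constructed zone.
demo=$(make_sample_zone)
lint_zone "$demo"
rm -f "$demo"
```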

DNS Propagation

You might hear about “propagation” from time to time. You don’t need to know how it works, but just know that it can take some time for your newly-saved records to “go live” across the internet. During the transition period, some users may see the old record, some may see the new. It can take 24-48 hours officially for a change to “propagate” and go live across the internet. However, depending on many mysterious factors, it can take much, much less time than that. With GoDaddy especially, it is often less than 5 minutes.

Always plan for some lag time, and prepare accordingly.

Tips & Tricks

DNS can be complicated, but most issues can be flushed out just by checking some things.

  1. Use this tool. It can tell you whether your changes have propagated, including Nameservers and all other records. It shows different locations across the globe and what they are seeing, so you can get a good feel for whether it is in transition. Sometimes the tool intoDNS is helpful too, but I get the feeling its information is not always up-to-date.
  2. If your changes don’t seem to have any effect, double check the Nameservers using that last tool. Sometimes you’ll find that the zone file you are editing is not at the correct location! Might want to have your host support help you.
  3. Plan major changes for weekends and nights. That way if there is downtime, fewer people are around to see it.
  4. Don’t recklessly change Name Servers, especially if you don’t have access to the old ones. Odds are you’ll take down the website AND email for that domain.
  5. Email is tricky, and difficult to change without having downtime; plan accordingly. And make sure you actually have email inboxes set up at the new location.
  6. You can change the host records without affecting email, as long as you leave the MX records alone.

DNS is a tricky beast, but most of the time you don’t have to get too complicated with it. Let me know if you have any other tips or tricks!

 

Analytics Specific Page

Posted by & filed under Analytics, Google, Tutorial.

Sometimes you just need to see how visitors arrived at a specific page on your website. You may want to know about the referring domain, or maybe even which pages on your own website referred users to a particular other page. This also works for a multitude of other uses. Pretty much anything you can find out about a website, you can also find out about a particular page.

You can watch the video, otherwise I have basic instructions here.

Drill Down the Content to Your Specific Page

1. Go to your Analytics Dashboard, and go to Behavior -> Behavior Flow -> Site Content -> All Pages

2. Find the page you want to view data for, and click on it

3. Find where it says “Secondary Dimension,” and go to Behavior -> Full Referrer. This will show you the full paths to pages that referred visitors to this particular page. Or, you could do Behavior -> Previous Page Path to determine which pages on your own website led visitors to this specific page.

The possibilities are endless! You can mess around with the datasets and also do searches to narrow down pages containing certain strings in their URL, etc.