August 2014

Any successful online store, which will provide its owner with excellent sales, should have the following elements as described in the article prepared by Utah Web Design Company.

In this article you will learn steps on how to improve website speed and performance. These guidelines, if followed, improve your pages loading speeds.

Recently, I have had experience that a few of the clients reported that our company’s website had a virus or some kind of malware. I was not aware of it, until I started digging into it and found out that a few files have been injected with some kind of malicious code that would either redirect users to other websites or collect users information. I hurried and took care of this issue by removing the malicious software and establishing the security policy for our website. Results were positive and I continue until today to observe security policies and practices for each website that I am working on.

When we create a website most of the times from my personal experiences most of us don’t think of the most important thing, it is its security. Probably because we don’t have much experience working on creating new websites that’s why we do not think about it, but now it’s time to start thinking about it. The most important thing is always ask yourself the question: “What would happen if …?”. If you always ask this question, then your website will always be protected by almost 100%.

The site security is an urgent task for many website owners today. The emergence of a huge number of resources such as “Hacking for Dummies”, even those Internet users who previously had no business to your site or did not know much about Internet in the past, are eager to try their gained knowledge and brag about it by hacking your site.
What to do to protect your website from hacking? Where to start?

I will try to provide a few steps you need to start taking in order to secure your website from hacking. Security policy should start from the safe use of development tools to build your site. But I will not go into the details of programming, and present a number of actions of Safety when working on site that is built on content management system (CMS). I will continue to emphasize that the most secure sites are the ones that are written by yourself, as a programmer, from scratch.

For a start I will list non-programmatic methods that I use to protect the site from hacking. Surely, you have not even heard about them, but maybe you just did not pay attention.

Here is the Website Security List:

Please consider these main “anti-hacking” actions to secure your site:

• Do not use the services of programmers, amateurs, and use the scripts that are properly written. When testing your scripts on the local machine in debug mode, do not be lazy to fix any bugs in the code that you find.
• Do not offer free downloads or sell scripts written by you as the resource for others: having your source code before the eyes of others can help the hackers to calculate the principle of how you have written all the rest of your scripts.
• Make periodic partial or complete testing of the resource from different browsers (especially Internet Explorer, which has a number of bugs (errors), which is actually an “open door” for hackers). Put yourself in the place of a possible intruder and try to find vulnerabilities from all possible positions.
• Use .htaccess file for your root directory of the site and regularly browse logs. As an example of how your .htaccess file should look like to protect your site from hackers see my sample code below:

# Use PHP5.3 Single php.ini as default
AddHandler application/x-httpd-php53s .php
##### RewriteEngine enabled – BEGIN
RewriteEngine On
##### RewriteEngine enabled – END

##### RewriteBase set – BEGIN
RewriteBase /
##### RewriteBase set – END

##### File execution order — BEGIN
DirectoryIndex index.php index.html
##### File execution order — END

##### No directory listings — BEGIN
IndexIgnore *
# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks All -Indexes
# For security reasons, Option all cannot be overridden.
#Options +SymLinksIfOwnerMatch All -Indexes
Options SymLinksIfOwnerMatch ExecCGI Includes IncludesNOEXEC -Indexes
##### No directory listings — END

##### Rewrite rules to block out some common exploits — BEGIN
RewriteCond %{QUERY_STRING} proc/self/environ [OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F] ##### Rewrite rules to block out some common exploits — END

##### File injection protection — BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] RewriteRule .* – [F] ##### File injection protection — END

## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} (\.php)$
RewriteCond %{REQUEST_FILENAME} !(/index[23]?\.php)$
RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule (.*\.php)$ – [F] ## Disallow access to htaccess.txt, php.ini and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist|php\.ini)$ – [F] ##### Advanced server protection — END

• When the website engine is used such as CMS, watch for updates and install them in a timely manner. Do not use the demo version of the components, even if they have the appropriate functionality.
• Use a reliable software:
  • The use of licensed software will ensure that no other person introduced “extra features” that are not needed to your site. Download distributions of web applications and extensions / plugins for CMS, widgets and libraries only from official sites or from trusted sources. Of course, the temptation to use the free, fully functional version of the paid version of the CMS is very large. But you need to understand two things:
  • First, it is often distributed in a network “broken” the engine through the efforts of hackers already have a built-in scripts that simplify hacking.
  • And secondly, even if the download CMS «clean”, it will most often be an older version, which is much easier to break – all of the vulnerability has long been known to hackers. And, of course, the lack of support from unlicensed versions also complicates management.
  • If a distribution is necessary to download a dubious site, be sure to check if it contains malicious code.
  • Carefully study the code of any additional components you want to add to CMS.
  • Update your CMS and server software on regular basis and follow the news about the vulnerabilities used by CMS.
  • Perform regular security audits of servers.
  • After installation, remove the CMS installation and debugging scripts.
• The choice of hosting should be considered before launching your website. To believe that all hosting offers differ only in terms of disk space, supported languages and other general parameters is a big mistake for such an issue as security. And even though by law, the responsibility of the service provider does not include additional activities to ensure burglar measures, a minimum set of security tools from the host must be present and it is summarized as follows:
  • System directory (public_html, cgi, logs, etc.) should have limited access and is within the directory;
  • To make sure we do not put in the free review of restricted files not intended for outside world when adding files to the server any right to view them should automatically be limited;
  • The equipment must operate without host failures, outages and other factors that reduce the efficiency of the resource.
  • Consider using Linux-hosting, which in itself is incomparably more stable than Windows-based hosting.
• Use complex passwords for web server software (FTP, SSH, administrative panel of the hosting and CMS).
  • Choose complex passwords. A complex password contains at least 11 characters and includes mixed-case letters, numbers, and special characters. Experience shows that even the most nimble software for simple brute force password guessing copes with a password of eight characters a little less than a year. The fact is that there are 2?1012 combinations of the password with 8 characters, and there are even more combinations of the password with 8 unidentified attacker characters.
  • Do not use the same password to access different services.
  • Even the most secure passwords should be changed every three months to insure that it is not accidently released to anybody.
  • Do not store important passwords in a web browser, file manager such as FTP-, SSH- client, and on any other unproven resources and anywhere electronically. If you need to store passwords, use the special password managers, if not rely on your memory. Password Manager is a special program that allows you to store and organize your passwords in an encrypted file. To access the password manager, a separate password or also known as a key is used. By the way, to remember one password is much easier than the dozens of different passwords. So, if you need to store your passwords, use the Password Manager.
• Follow the security policies for your PCs used for business purposes. On all computers that are working with the server (the computers of the webmaster, administrator, content manager, sales manager, etc.) must be installed anti-virus software with support for regular updates. Also each computer use need to make time to update their operating system and software applications. There is special anti-virus software designed for installation on the hosting. These programs allow you to quickly identify the entry of unauthorized files on the site, to determine their harmfulness and be promptly removed.
• You must use a reliable antivirus on the office computer, and if you suspect a virus is then it is better not to go to the admin panel of the site and hosting features until you complete the “recovery” of the original files.
• Control data entered by users. Monitor user activity on the hosting or the admin panel. If you are the administrator of the resource, you must be aware of what other people or other moderators should have access to. Therefore, attempts to login to the admin panel and the more other management areas from unknown IP-addresses is often a signal the attempts to hijack the site. Most often, you can activate the monitoring of activity of the CMS by installing additional plug-ins or activating logging modules on your hosting.
  • Filter the HTML-code in user input fields, which can be built into the code pages.
  • When getting data from the user, check on the server, for example if their size, is transferred to a value in the list of permissible length.
  • Never insert from users of the data directly into calls to eval (), SQL-queries or conversion. Always check and clean the information received from the harmful elements before storing data.
  • Do not leave in the working version of the code parameters entered for debugging.
  • Use a WAF (Web Application Firewall).
• Keep a “white list” of the authorized IP addresses from which authorized users can login to use your website’s resources.
• Control user access rights, in particular, provide protection from cross-site request forgery (CSRF). Do not give permission to the admin panel of the site untested people. Otherwise, do not be surprised why the site has been hacked. Also, do not give the right to add HTML-code for everyone, because unscrupulous users can add to the site with malicious code. Restrict access to the administration panel and CMS database (eg, phpMyAdmin), as well as to the following resources:
  • to backup copies of the code;
  • write to a configuration file;
  • metadata version control systems (such as directories. Svn or. Git).
• Protect against bots. To protect against robot-hackers you can use special plugins for CMS or you can find IP-addresses of the users in the blacklist online.
• Here are a few things you can do to check the data that users can enter.
  • Do not give the possibility to insert JavaScript-code inside <script>, in tags or links.
  • Do not put directly on the pages of the site code in the tags <iframe>, <object>, <embed>, or file that is uploaded .jar, .swf and .pdf (with their help, the site can generate such tags automatically.)
  • Maintain a “white list” of allowed HTML-tags so you can without additional processing discard all the rest.
  • Check references or links inserted by users through the Safe Browsing API.
• Be careful with the ads and third-party code you insert into your site (i.e. affiliate programs).
  • Plug into your site only those commercials that have been provided by a proven advertising system or a program.
  • Before connecting the site to the new affiliate system, look for reviews about it and examples of distributed content.
  • Avoid “unique offerings” (suspiciously high fees for counters and blocks, the monetization of mobile data traffic).
  • If possible embed on your pages static content (such as links and images). Avoid loadable <script> and <iframe>. Flash, Java and ActiveX-components are only accepted in the form of source code, which you can check and compile yourself.
  • Do not use affiliate programs with hidden elements.
  • If your site is static, some affiliate systems can request access to FTP, to independently change the banners. Providing such access is dangerous: if the database of an affiliate system is compromised, the attacker will have direct access to the files on your site.
• Closely monitor the access to the service interface. Access to the site should have only those to whom access is necessary and as long as it is needed.
• Revoke access to specialists, performing short-term jobs on your site, previous owners, people who are not responsible for the operation of the site (for example, marketing professionals or managers).
• If you need to some strangers to work on your site, try to get some recommendations about them. After finishing necessary work disconnect their accounts or change passwords.
• Change folder permissions (CHMOD) usually to no more 755 and for files to 644. This prevents unsafe scripts to be injected in your hosting.
• Try to make a backup of your database and the content of your site folders at least 1 time per week.
• Make sure that the site is free of bugs and errors. If any found, remove them as soon as possible so you dont allow hackers with an opportunity to find vulnerabilities on your site.
• To ensure that your domain is not flooded add CAPTCHA on all forms, including the registration, comments, feedback, etc.
• Make sure you find possible modules and components for your site after its creation to ensure the safety of your site and its data.
• Before adding the file to the site materials, check with the Antivirus on your computer.
• Make sure to check the server for the last modification date of folders or files. Typically this can be accomplished by checking files and folders creation date in the Control Panel with the file manager.
• Unfortunately, when it comes to DDoS-attacks, the invulnerable sites do not exist. DDoS-attack is an attack that is produced with a large number of computers trying to connect to your website and the site begins to receive a lot of requests. The Server cannot process a large number of requests and the site can stop working. In addition, if the script is very complex, then to “freeze” the site can be done with a small number of requests.
• If you don’t know or don’t understand the steps you need to take to secure the site then you need to seek the advice and help of an experienced administrator who will advise, install and set up properly secure operating system (eg, Linux or Mac), which is difficult to infect with viruses. Even on Linux or Mac machines I would suggest using licensed antivirus software.
• Mask addresses access to the admin panel of the site. Most of the standard CMS addresses have require user login and password to manage the content. For example, to enter the admin area of WordPress it is almost always done by typing in the browser www.yourdomain.com/wp-admin.php. However, in any CMS almost always you are able to change the default login form access to the site, replacing it with a less obvious URL address.
• Encrypt data on the site. This method is required if the resource contains data that should not be accessible to a wide audience. Hacking threat is always there, and for sites with sensitive information, it is even higher. Encryption complicate the extraction of valuable information from hackers stolen information, and give you time to take the necessary measures to eliminate the consequences of breaking.
• Always check that the user entered into the form. To do this, use regular expressions.
• Always pass incoming data through htmlspecialchars (), which replaces the dangerous characters to entities, except in cases where it is necessary to leave the HTML-tags.
• Check all incoming data for accuracy, using string functions and / or regular expressions.
• If the user entered a database query, this input should always be escaped using addslashes (). This function should be used only if the directive is disabled magic_quotes_gpc. If it is enabled, all incoming data is escaped automatically.
• Ignore incoming data through functions such as stripslashes (), if used in a query to the database. Do not worry, that will fall to the base escapes. No, the data in the database will be the same as when they were sent in the form. Simply request itself will be safe.
• Always check the scripts work on a variety of input data. Do not forget that if a user needs to enter their name, you will not want to enable them to enter any JS-code.
• Always turn off the directive register_globals in your php.ini file (php_flag register_globals off). As practice shows, the vast majority of programmers do not initialize variables. I will write more about the importance of register_globals in the future. As for now, here is a simple example of the usage of register_globals:

<?php
$mysqli =new mysqli(“localhost”,“root”,“”,“mydb”);
$array[“first”]=“1”;
$array[“second”]=“2”;
foreach($array as $key => $value){
$mysqli->query(“DELETE FROM `my_table` WHERE `field`=’$value'”);
}
?>
If you initialized the array so: $ array = array ();, then everything would be in order. However, I am sure that not all of you are doing it. As a result, the attacker goes to the following address: http://www.yourdomain.com/your_script_name.php?array [zero] = 0, and your script safely removes that record, which should not have been removed. And nothing would have happened if it had been that the directive register_globals was disabled.

• Make sure your web host runs suphp. Under normal PHP, scripts run as “nobody,” your script has open access. With suPHP, access is limited to the user or to those explicitly granted permission. Not all hosts use suPHP, so make sure your host does and set up another potential roadblock for hackers.
• Use SSL to send emails especially if, somewhere in any of your millions of untrashed emails, you’ve ever sent sensitive info via email.
• Use SSL to access your control panel or any other site resources (i.e. FTPS for FTP file transfers).
• Here is what you need to do if the site has been hacked:
• identify and remove malicious code. If infected many files then restore the site from backup.
• change passwords and access to super admin FTP.
• If Google or any other provider had marked your website to be malicious, then write a letter to Google webmaster with a message that the site is safe for visitors, after you made sure that it is.
• Enable cloud hosting if possible. With cloud hosting, your files are backed up off site in a safe place. In the event of failure of the equipment, you can simply insert a new hard drive to your server and start downloading your backup files to the new hardware.

Conclusion:
Perhaps you will find safety a troublesome occupation, but do not forget that you and only you are responsible for keeping the passwords to access the site safe. Also, you must understand that even the use of all these tools do not give 100% guarantee of protection against hacking. Also remember that the probability of a hacker attack is directly proportional to the value of the information stored on the server. If you own a personal blog, these steps if followed help to forget about the Internet intruders. And, finally, you don’t have to be the one doing all the work. Hire someone who has experience and knows how to do it.

Today is the first day of the new column, I will share useful / interesting links for a web designer.

A huge collection of icons Iconmonstr (SVG, PNG)

Collection of design for e-mail newsletters from MailChimp

selection templates for various devices sketches 

Most Popular Flat-color

gridwax – horizontal rhythm

Net Browser hexcolortool – instument for quick selection of hues

retinize – Script for those who are already working with the retina. Accelerates the process of cutting @ 2x

Pen-panel linked to the pixel

Fancy matches in Japaneese 

Website Redesign Guide – a Utah Web Designer’s Perspective. In order to increase the probability of successful website redesign, here are a few tips that will help you along the redesign process.

As a Webmaster I have been asked "What information do you need to design a good website". I follow a few steps as outlined in "Website Design" article.

Here is a list of Free search engine optimization tools that I use for Search Engine Optimization to obtain high ranking on search engines:

FREE: Good Keywords – free downloadable software which can be used for preliminary keyword research. (http://www.goodkeywords.com)

FREE: Ontology tool – finds related keywords using the Google ~ search. (http://www.gorank.com/seotools/ontology/)

Various Prices (Can be FREE or Paid Membership): WordTracker – web based leased product which has many more features than the other tools. WordTracker traffic is generally more representative of actual traffic than Overture’s tool since many fewer automated bots scour its data collection network than Overture’s. (http://www.wordtracker.com). This tool can be used free for one day, but you will have to register. WordTracker will send you a temporal link, that you can use to log into your temporal account and research keywords for your website.

Various prices: Keyword Discovery ‐‐ deep database of keyword data. Contains historical data. Some of their partners made them sign a non disclosure agreement. The database may not be as clean as the WordTracker database, but it does contain more data. (http://www.keyworddiscovery.com/)

FREE: Overture Search Term Suggestion Tool – offers search frequency for the prior month throughout the Overture network. Please note that many bid checkers and other automated bots cause this number to skew high. (http://inventory.overture.com/d/searchinventory/suggestion/)

FREE: Google Keyword Sandbox – shows related search terms but not search quantity. (https://adwords.google.com/select/main?cmd=KeywordSandbox)

FREE: Google Search Suggestion Tool – auto‐completes search queries to help you find more related search terms (http://www.google.com/webhp?complete=1&hl=en)

Once I wrote an eBook entitled “Vital Search Engine Optimization: Simple Steps to get to top of Google Pages for Free“. The main reason I wrote this eBook was just because after so many years of doing organic Search Engine Optimization on one of the websites, and collecting so many useful tips and tricks about it, I had to write about it and remember what steps I took to make sure that my website gets to very top of Google without spending a peny.

Well, what did I write about in this eBook and How do you get on Google Top Searches for Free?

There have been many books written on how to do search engine optimization. But for a man who is familiar with coding it is too much information. Therefore I prepared a few checklists that will help you get to the top pages of Google. If you follow all of the items in these checklists it is guaranteed that you will get the best position on Google.

If you have already created a brand new website and posted it live hoping that you will see it on Google without using Search Engine Optimization then you ought to rethink it again. So, to help you in the process of achieving the best results on getting to the top pages of Google or any other search engines, I’ve put together this eBook. In here you can find a few checklists that help you to quickly identify key points that may affect the Search Engine Placement.

“Vital Search Engine Optimization” has four main sections.

The first section is called “Where to start”. This section provides the basic steps for optimizing web pages. For those who want to make changes to their current website to make sure Google or other search engines see them in no time, this section is the way to go. Once completed steps in the first section, I would recommend moving on through the remaining sections in this eBook.

The second section “Best practices of well optimized and designed websites” talks about key points of a website that may be considered Search engine friendly. You may want to review this section before planning to develop your new website or redesigning your current one. Then, during the development phase you should implement the key points described in this section. Although you don’t have to follow all the steps in this section, for best results I highly recommend to read it before doing any work. It is important that you do your homework first before doing the actual work.

For detailed steps on search engine optimization you should visit sections called “Search Engine Optimization Checklist” and “How-To”. Both of those sections will tell you in detail what professional SEO consultants do to their clients’ websites to ensure their web pages high rankings. “How-To” section provides visual examples of certain software and online tools that I use for doing Search Engine Optimization and Website Analysis. Oft times I find these basic tools helpful if you don’t own a complete package for Search Engine Optimization of your website.

For more advanced tools used in Search Engine Optimization, web developers, and web/SEO consultants should reference my last section called “Free Search Engine Optimization Tools”. Definitely, some of those tools made it possible for me to achieve positive results in Search Engine placement today. You shouldn’t be afraid to try new tools in your web development and marketing process.

So, let get right into the vital information about this long process of Search engine optimization and good practices of website design.

I will be posting some tips and tricks from this eBook under “Search Engine Optimization (SEO)” category of my blog.

While working here in America, I have learned a few things about writing business type emails. Although there are many good things that are already on Internet about Business Writing, I would like to add my few cents in this article “5 Things Worth Remembering When Writing Business Emails”. Those are just a few things that I apply every day at work.

I understand that those may not be the best practices, but if you have any other great ideas on this topics, you are welcome to comment here.

Remember, that by following any rules when writing emails (either personal or business) you provide clarity in your expectations, are able to persuade your readers, show your professionalism and care, and avoid an opportunity of your emails being deleted before your message is read (about 80% messages are not read because of not following simple rules in writing).

So here they are, 5 Things Worth Remembering:

1. When having more than two replies, start with a new email that summarizes the previous two emails and include a new subject line
2. Always leave ONE space after punctuation mark that ends a sentence
3. Apply 10 second rule (skim and scan) – decide what to do with an email (delete or continue to read). Look for sign posts (headings, bullets, bold/italics, color, etc.) they will help you to make a quick decision about the importance of your email
4. Always start your emails with the most important sentence at the top and then say why. I always map out my emails ahead by:
   • Setting a conversation goal (decide what do you want to achieve by sending the email)
   • Do reader analysis to understand who your readers are (do they prefer to read papers, like detail or process oriented; do they like to be concise and shorter emails,is “less is more” important to them; are they bottom liners, never print, do they prefer text to pictures, etc.)
   • Brainstorm for key ideas (write them down without thinking “why?”, basically write the first thing that comes to your head on that matter). Come-up with 40 keywords, then group them to 3-5 categories. If it does not matter what you want to say, it matters what they want to know
   • Sort your ideas using conversational goal. The sorting process must always support your goal
   • Outline support (visual support: charts, graphs, diagrams, etc; non-visual support: examples, experience, research, comparisons, etc.)
   • Outline your email for quick comprehension (introduction, content set, body with support points, conclusion).
   • Write your first draft
   • Read
   • Finalize your email with the coleague or read a couple more times to see if you will achieve the goal you are looking for
5. Maximize the power of subject lines by writing your purpose (goal) and action (for example, instead of using acronims ASAP, be specific and let your reader know by what date it should be done, i.e “Need $200 by this Friday” vs. “Need Money ASAP”).

Here is an example of the email I wrote to one of my clients at work:

Subject: Follow-up on Pricing Discussions – Please reply by 12-20-2012
Dear Joe Doe,

I am writing to you to follow-up on our pricing information that we have presented last week during our visit.

First of all, I appreciate the time you took to meet with us and to discuss current and new business opportunities. Based on our discussion we had last week, I would like to present to you our updated pricing information:

We are confident we can help you create a plan to get your new business off the ground. Working with The Company would be an effective way to do that because The Company provides the four things you need most at this point in your business:

• A plan – together we will create a production plan that is tailored to your needs and would provide confidence in delivery schedules.
• Accountability – We will keep you on track with our phone calls and visits (since we are close to each other) so your production doesn’t get put on the back burner.
• Quality and Assurance – The Company will continue delivering good quality Product XYZ based on years of experience in our production.
• Peace in mind – Using multi-sourcing will keep your process up and will protect you from supply failures and safeguard against supply uncertainties by having several alternative suppliers.

I’ll call you next week to continue the conversation but in the meantime, please reply to my email and let me know by this Friday, 12-20-2012 whether presented pricing is acceptable and when should we expect a Purchase Order from you.

Looking forward to hearing from you.

Regards,

Vitaly

Well, good luck in your business writing. Comments are appreciated!emai