CLUE #1: No one refers to me as DEBORAH ANN, so that is clue number one, albeit not necessarily a red flag.

CLUE #2: Now look at the link. It starts with http://… Most reputable sites, especially domain companies will be using httpS://… The S is for secure and many of us in the know have changed ours two years ago. And again, we see the signature area missing the S on http://.

CLUE #3: Look inside the link. A real url will be simpler. For instance it would read something like …bluehost.com/account/reactivation.html. Instead, we see “bluehost.com/cyberlegosite.com/account/reactivation .html. This is a fake site. Now here is your red flag!

CLUE #4: So if you have been unlucky enough to actually experience malware on your Bluehost site you might have taken the bait and clicked the link. Like me, you’d hopefully get the warning below. If you missed the first few clues, do pay attention to any warning…and call your web site manager to check it out!

P.S. I had a chat with Bluehost and they confirmed it was malware and they have been getting a lot of reports on this today.

Here’s a sad story one of my clients is going through right now. Five years ago, my client purchased a domain at Go Daddy as many people do. Then she hired me to create a website, still working today and hosted at Blue Host. Last week, she called Go Daddy to check that her domain was up-to-date and paid up. The domain is on auto renew, but Go Daddy took advantage and sold her a five year hosting plan. She paid them $99 additional to migrate the website to their server and they put it in a folder called “CloudTech”.

This came to my attention this morning when this client forwarded an email from Go Daddy listing suspect malware files in a folder named “CloudTech”.  Not smart if you want your wily ways to go undetected by the webmaster…!  Not smart to call attention to your own malware. Here’s the details. After a short conversation with the client, and logging into her account, I called Go Daddy immediately.  I received a call back from Sales and Security nineteen minutes later. The tech guy explained that CloudTech was legitimate and informed me the site had been migrated over. Confused, I exclaimed., “This does not make any sense, since the domain is still pointing to BlueHost…!”  Before instructing him to remove the folder I wanted to call the client to get her permission.

And the story gets worse.

Not only was the client duped into the extra hosting and migration, she has been paying them yearly hosting and SSL fees for at least a few years. Why do they take the money if there was no website being hosted? ….Because they can. Many people don’t know the ins and outs of internet set up and will pay what a large commercial company asks for. The tech guy’s excuse for the recommendation? The server was old and needed to be upgraded to php 7.0. Again, I pointed out, that BlueHost had already upgraded, so the website was fine. The old server they were referring to is theirs…

Lesson to small business owners: If you wonder why you are paying for hosting in two places, please contact your webmaster. If you are given an option to pay more money, consult with the person who knows what you need. There are 164 one star reviews of Go Daddy at Consumer Affairs. Posted, are many similar stories. It is unconscionable that a company with Go Daddy’s resources and reputation is taking advantage of small businesses.

Addendum: I spoke with another Go Daddy associate today. He has cancelled the hosting account and the ssl and returning almost $300 to the client. I doubt that this includes the migration fee of $99 however. I’m also giving free hosting to the client for the rest of the year to make up for some of her lost revenue for the excess hosting. Lesson learned: add a line to the contract that clearly states where the fees should be paid.

The hosting company, Bluehost, in this case, has a professional relationship with Site Lock. Site Lock immediately offered an expensive and unnecessary contract that would cost at least $50 per month. Not only that, they called the client numerous times to talk them into it, even though I had already talked to Site Lock and the client about my solution. This is not only disappointing but bad for Bluehost’s ongoing business relationships with designers and developers.

After dealing with this annoyance, I looked on the server and immediately saw a recent folder with suspicious php files in it. I deleted these files first and then, with the help of my developer Pat, replaced the good working folders with a previous backup from two weeks prior to the hack. (always back up your site at least once a month!) Next, all I had to do was chat with Bluehost and ask them to run a virus check. Everything was good and It was up and running soon after.

After a hack, It’s imperative that you reset all the passwords both to the server side and to WordPress. In this case, the client’s password to the site was not secure enough. These days, you need at least 12 characters. Most people, including myself, resist using the complicated combination of key characters that are always selected by password generators. One way around this is to use a password keeper such as Last Pass. It will pull up your password automatically for you.

Another new idea being talked about is to use a long phrase that you can remember, such as hanselandgretalleftbreadcrumbsonatrailandwererescuedbythehunter. You will still have to use unique phrases for each login.

In addition to backing up your site to the cloud, maintain your software (WordPress, Theme, Plugins) by updating it every week. Remove any unwanted comments or spam comments. Check your WordFence or Sucuri plugin. Ask your hosting company to apply the https:// to your website. (See my post on this for more information.) If you don’t have time or patience for these preventions, ask your consultant to do these for you for a reasonable fee.

Use safe practices when working on your computer at a coffee shop or public place. Never store passwords in a file on your desktop. Use a password keeper instead. Also, don’t click any suspicious links sent by email… especially when invited to “unsubscribe”. That link could lead you to a nightmare in the form of a lot of lost time, frustration and fees.

On the first day… you are notified that your domain will expire in 6o days. The domain was purchased years ago and the registrar is a place you never heard of before. Worst case scenario: You ignore the message and your site goes down. The domain goes public and someone buys it. He asks for $6,000…. Best case scenario: We transfer the domain to our host and update it for you without you having to worry about it again.

On the second day… your WordPress website gets hacked because you followed a scam email. Worst case scenario: you never made a back up and you have to hire a security company to clean your website. It takes a month and you have to take your site offline. Best case: Luckily, you signed up for a maintenance plan with us so there is a backup of your website that we restore for you. But no worries, our maintenance plan should prevent it in the first place.

On the third day… you are having problems with your website made by an acquaintance who is now too busy to help you update it. We find out your custom hand-built theme has never had security updates and it has malware. We recreate your site using our module based theme that gets regular security updates.

On the fourth day… the free plugin on your site is abandoned by the developer and is no longer working correctly. We replace the plugin with one that is similar but supported. When using free plugins we like to contribute to the developer so they can continue working, but they are still a good value.

On the fifth day… the Paypal Donation button stopped working on your website. It could be a number of reasons including someone changed your pp password. We reset the code and fix the problem.

On the sixth day… your company is moving and you need the addresses and Google maps to be changed. We also help you by creating an announcement on the website prior to the move.

On the seventh day… you have been adding images to your blog posts but forgot to reduce their size. Your site slows down because each image is over one megabyte. We reduce the sizes of your images and recheck the performance of your site.

On the eighth day… you want to highlight a new service or product but don’t know the best way to do it. We make recommendations and make the changes for you.

On the ninth day… You want to send your clients a holiday email card but don’t have an image to use. We find a great inexpensive image from a stock agency and send the samples for you to choose. We set it up for you.

On the tenth day… You forgot how to add a photo to a newsletter, so you call us and we help you by walking you though it over the phone.

On the eleventh day… One of the plugins on your WordPress website won’t update in the dashboard. You call us and we download a new version from the developers website and replace it.

On the twelfth day… You have text and pdfs to add on a new web  page and you want help organizing the material to fit your design and brand. We are happy to assist.

Merry Christmas and Happy New Year to all!

Perhaps you made a major marketing effort the previous month and want to see how that affected your website’s SEO. You can see here that visits were doubled in the period from October 11 to October 22. I made some home page edits and wrote a few blog posts. I was surprised to see the change. The chart on the right side lists my top competitors in the area.

This tool also allows you to track specific key words

Let me give you an example. The keywords I wanted to track are “web design” and the also towns where I do the most business, such as Framingham, Natick and Boston. One of the ten keywords I chose is “Framingham Web Design” and another “Boston Web Design”.

How did I do?

I am on the first page of Google for the keywords “boston divi theme”, “framingham website design”, “natick web maintenance” and wellesley web maintenance.” Perugi Design is number 12 for “natick website design” and number 14 for “boston wordpress websites”. I think that’s quite good considering the number 12 spot is located on  the second page of the orgainic area on Google.

Part of the work is figuring out the best keywords for the audience you are trying to attract. There are other tools we use for that too.

The softeare creates a pdf booklet that itemizes everything that is updated on a weekly basis. such as number and dates of backups saved, plugins that have been updated, security checks, spam comments that have been removed and if and when and how long your website was offline.

Only clients on the monthly web maintenance plan gets these reports, either monthly or quarterly. (It cannot be accessed via the dashboard.) The pdf report is great for presentation purposes, too. If you are an existing or new client thinking about taking advantage of this service, message me. I’d be happy to talk to you about it!

The sad truth is that hackers are more sophisticated at catching us unaware. Their success relies on quantity. If one person buys their bogus offer, then maybe others will as well.

In the past, we learned, that you never go to your bank or Paypal website by clicking a button sent by email. Always go to the url of the company and then look for the message or offer on their home page. The bank will be well aware by then and post a warning. Misspellings were often a giveaway. You can be pretty sure Bank of America will not publish an email with a misspelling. But, look out… Today, it may not be so easy to detect.

If you start receiving annoying emails with a big UNSUBSCRIBE button flashing at you, don’t go near it. Malware could be inserted into your email to then gain access to your email address and send out the same offer to many other people you don’t know. Your hosting company, always on the lookout, will shut down your website (and your POP email) if they catch malware in your files. It is your job, then, to get it cleaned out by contacting a company such as WeWatchYourWebsite.com. It may take a day, or two, or even a whole week before you can ask your host to get you reinstated.

But, how do we avoid malicious code in the first place? Here is a list of ways you can be proactive in the fight against malware:

1. Add spam filtering to your email. This prevents the spam email from gaining your attention. If you aren’t receiving junk email, you won’t be tempted.
2. Add the Surcuri plugin to your WordPress website. This is a free plugin by a reputable company. Update your plugins and WP software regularly. They often come with security updates.
3. Back up your website, weekly or monthly.  I back mine up to Amazon S3, but you can back a website up to your computer or server also.
4. Back up  your computer. Use an external hard drive or the cloud. Do it monthly.
5. Use secure passwords. I can’t emphasize this enough. I use a password generator to create mine, then copy them to a secure area on my laptop.

And always be on the alert. If you detect anything suspicious, run to We Watch Your Website, and hope for the best!

“A colleague just called and told me her website had been hacked.  It was now all in French and only the home page was visible.  She has no back up and warned me to find out if I have one.  Do I?

I just took some screen shots of the pages – but does BlueHost – or do you – keep a backup in case I were to be hacked too?  Just wondering….”

Imagine you spent several weeks writing and honing the text and choosing just the right images for your web site, only to lose it overnight to a hacker months later. The above message is an actual email I received this week, and a perfect opportunity to discuss what Bluehost, Perugi Design and you can do to protect your web site and restore it to its original state. Whether your site is old or new, you want to keep text, posts and images for the next iteration, so you won’t have to recreate the wheel again.

For starters, Bluehost, amazingly, backs all sites on its servers every day… for free. I must admit, I have had to rely on them a few times when a site was lost. One client forgot his dashboard password and instead of submitting for a new password at the login page, he went into Bluehost and reinstalled WordPress. Yikes! But, that’s a story for another day. Not every hosting company does this for free. Not even Go Daddy. However, Bluehost asks that you arrange for additional backup as well, just in case.

The minimal approach
You could copy and paste the text into a text editor. But, that does not protect the theme layout and code installed with WordPress. Instead, try this. Go onto the dashboard and to the Tools button on the side bar. Hit the Export button. That will download an xml file of your site. Keep this somewhere safe inside a folder, but not on the desktop.

Amazon S3 backup in the cloud
Perugi Design also offers regular monthly backup to Amazon as a yearly service. The tool we use also allows us to clean out spam comments, update your plugins on a weekly basis and check for malware monthly. Ask us for more information.

So, if you are hacked and your site is in French and all but gone, don’t fret. Bluehost can restore the site to a previous week. It’s a good idea to ask also your web developer to look for possible weaknesses in the site and check for malware.

Vladimir Prelovac is the Founder of ManageWP, and is a frequent contributor to the WordPress community – in the form of numerous plug-ins, tools, and a book by the title WordPress Plugin Development. His blog, accessible via the weekly notices you get when you subscribe, provides timely and interesting posts, such as the aforementioned Shellshock security nightmare.

If you are a diligent web developer, you try to make your client’s sites as secure from infection and inform them when their site has a problem. Viewing their dashboard on a weekly basis is necessary. When ManageWp sends me the email, I follow the link to my ManageWP dashboard and make the updates right away. While there, I can easily enter client’s WordPress dashboard and poke around.

I looked into ManageWP, as Bluehost recommended, was because I wanted to offer hosting as a reseller for clients who wanted their websites managed. For a small monthly fee, I can follow up to 30 websites, But, the hard part was, moving their sites into my reseller server area. Bluehost charges $100 for each website move and Go Daddy even more. With ManageWP, I can do it in minutes and charge just for my time.

Back up is also a handy tool. Before you make any major updates to the sites, they should be backed up. I have an account on the Amazon S3 cloud and all I have to do is create a bucket for the new site on Amazon and ManageWP handles it with the push of a button. One more great feature incorporates Google Analytics. You can import the data and create a report to email.

If you are running your own site, or fewer than 5 sites, the software is free. Check it out and let me know how you like it and or if you have any questions. Better yet, contact them yourself, as they have a pretty good help ticket desk on board.