cPanel allows you to turn on web compression for serving your website files. What this means is that cPanel “compresses” many of your site files before sending them to the browser, which makes the site load faster. For most sites this is safe and makes things much faster – sometimes up to double the […]
To be cautious, cPanel does not turn this compression on automatically, as there is a small chance that some websites will break with it on. However, if your site does break you can easily turn it off, and later turn it on for only some file types.
To turn on the compression, follow these steps:
- Log into cPanel
- Go to the Software tab (halfway down) and click on “Optimize Website”
- Click on “Compress All Content” and then the “Update Settings” button at bottom
- Test that your site still works on a desktop (PC/Mac) and mobile (iDevice/Android)
- You’re done!
This does speed up some websites enormously, particularly when you’re on slow internet connections, yet other websites don’t notice it as much. Nevertheless, we do recommend you turn it on for your site so long as it works. When you do turn it on, we strongly suggest you test on a desktop browser and on a mobile device just to make sure everything does work. Viewing the key pages on your site is really important. The good news is that nearly all modern sites benefit and work with it.
To get some idea of whether it helped, it’s a good idea to run a test at www.webpagetest.org before and after and compare the results. (We recommend logging in to webpagetest so your page speed history is retained.)
One of the hardest issues to solve with a broken WordPress site is finding out what broke it. To answer that, we need to find out what was changed. Being able to find out easily what changed can shorten a difficult investigation – which is hard even for seasoned site administrators and developers – from hours to minutes.
In the past there have been few ways to do this, and developers have been restricted to searching a website for recently changed files, which sometimes provides clues but more often doesn’t. Sometimes it’s been possible to use the Wordfence security plugin to find where files may have been changed or corrupted from the originals, but more often that fails, as the problem can come from an official update (so Wordfence assumes nothing changed).
We’ve recently found a new plugin called WP Security Audit Log. This plugin allows you to check a list of what changes have been made on the site, including WordPress updates and plugin updates, and is a very useful tool in tracking down problems and solving site problems (or even just eliminating site changes as a cause of a breakage). It’s particularly important to have something like this on your site as a medium-sized WordPress site can easily have over 7,000 files in it spread through core, themes and the various plugins you might have installed.
Obviously, this plugin is a life saver, but it’s rather like a life insurance policy – you have to have it there and running already for it to be able to help you. We’re in the process of installing it on many of our sites and it hasn’t caused any problems so far; it also has a good number of reviews, has been updated recently, and has 4.7 stars on wordpress.org (See https://wordpress.org/plugins/wp-security-audit-log/ for more information).
If you have a large site, this plugin is particularly important as more than one developer or admin may be working and it’s very easy for one person to make a change and not remember what they changed.
So we suggest you take 2 or 3 minutes and install this plugin on any sites that are important to you, as soon as you can, so it’s there when you need it. (The plugin does have some commercial options available, but they’re not essential.) We look forward to you saving hours on support issues!
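As an added example (not part of the original post, and not the plugin’s code), here is the “search for recently changed files” approach done properly: a baseline SHA-256 manifest of every file under the WordPress root is recorded after a known-good deploy, and a later run diffs against it, so added, removed and modified files show up regardless of timestamps, even across 7,000 files. The mini site tree and its file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(old: dict, new: dict) -> dict:
    """Classify changes between two manifests; content hashes, not mtimes, decide."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed mini WordPress tree: take a baseline, make changes, report them."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content/plugins/demo").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php /* original */\n")
        (site / "readme.html").write_text("<html>readme</html>\n")
        (site / "wp-content/plugins/demo/demo.php").write_text("<?php // v1\n")
        # Record the baseline right after a known-good deploy, outside the web root.
        manifest_file = Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(site)))
        # Simulate a plugin update, a deleted file and an unexpected new PHP file.
        (site / "wp-content/plugins/demo/demo.php").write_text("<?php // v2\n")
        (site / "readme.html").unlink()
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/odd.php").write_text("<?php\n")
        return diff_manifests(json.loads(manifest_file.read_text()), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` against the real site root after each deploy and keep the JSON somewhere the web server cannot write to; the diff then tells you exactly which files to look at first.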
Here’s a short video from the plugin documentation that explains what it does:
This is a simple tip that will save you a lot of pain down the track – don’t publish your email address!
What do I mean by that? I mean, don’t put your email address in clear text anywhere on the web. Not on your web pages, not on someone else’s and never in any long term resource. The reason for this is simply that, if you do, the spambots will harvest it into their evil spam databases and over time you’ll see more and more spam coming in, until the email address becomes unusable because of a torrent of spam. While anti-spam systems will help, a heavily spammed account will still receive so much email that even highly effective filtering systems such as Google Apps will not sufficiently protect you.
Tim, a long term user (not his real name!) came to us recently. He was receiving literally hundreds of spam emails per day and it was becoming exhausting, and this was despite good filtering being available. We were able to work out some solutions for him, but it served only to reduce the spam to a manageable amount (5 a day at the time) rather than totally eliminate it.
“But I need to put my email address up so people can email me!”, I hear you saying.
There are several solutions you can use to keep your email address from getting destroyed.
Publish an alias or forwarder, not your main email address
This is simple – instead of publishing your main address (say firstname.lastname@example.org), publish an alias such as email@example.com. When the alias starts receiving a lot of spam, delete it and replace it with a new one. Aliases can be easily set up in cPanel’s Email Forwarder menu.
If you use Google Apps for your email, you don’t need to set up anything, as you can already use syntax like email@example.com. If it starts getting a lot of spam, you can delete it.
Please note that while this method works nicely, you may not want it to be too obvious what the “real” email address behind the alias is. The Google Apps method above does suffer from this, as it’s easy to guess the main email account name.
Use a contact form
Contact forms are the “gold standard” recommendation. Most contact form systems allow the use of dropdowns to select various departments, which then can be routed through to particular email addresses without exposing those email addresses in clear text.
This solution is the best possible, as it exposes nothing and will always be secure. You may, though, want to include a “human” test on the form so you don’t get spam from it, and all the good contact form solutions include these.
The two leading WordPress contact form solutions are Gravity Forms and Contact Form 7 and if you’re a do-it-yourselfer there are many good video tutorials. One important factor here is to choose a well-supported contact form system – look for good reviews, number of reviews, good documentation, and some reasonable ongoing program of releases.
Email address obfuscators
Obfuscation (in this case) means to alter your email address so it isn’t recognizable to a spambot, but still works when you click on it in a web browser. There are a number of methods used:
- Converting the letters of the email address into HTML character references (ie &#37; etc)
- Using PHP code to generate the email mailto: link
While all of these methods appear to “work” at this point, they rely on spammers not having caught on to them. Surprisingly, as money is involved, spammers can be quite switched on, and while you may be safe in the short term they will eventually catch up and grab your email address, and once they’ve grabbed it you’ll start getting increasing amounts of spam.
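To show what the first obfuscation method actually does, and why the paragraph above says it only buys time, here is an added Python example (not code from the original post) that generates an entity-encoded mailto link, the way a server-side script would, and then checks it from a harvester’s point of view. The address is a constructed sample.

```python
import html


def entity_encode(text: str) -> str:
    """Replace every character with its decimal HTML character reference (&#NN;)."""
    return "".join(f"&#{ord(c)};" for c in text)


def obfuscated_mailto(address: str, label: str = "") -> str:
    """Build an <a href="mailto:..."> whose href and visible text are entity-encoded.
    Browsers decode the references, so the link still works when clicked, while a
    harvester that pattern-matches user@domain on the raw HTML finds nothing."""
    href = entity_encode("mailto:" + address)
    return f'<a href="{href}">{entity_encode(label or address)}</a>'


def visible_in_raw_html(page_html: str, address: str) -> bool:
    """What a naive harvester sees: the address as plain text in the page source."""
    return address in page_html


def visible_after_unescape(page_html: str, address: str) -> bool:
    """The caveat from the text: a harvester that decodes character references
    before matching recovers the address just as easily."""
    return address in html.unescape(page_html)


if __name__ == "__main__":
    addr = "hello@example.com"  # constructed sample address
    link = obfuscated_mailto(addr, "Email us")
    print(link)
    print("raw match:", visible_in_raw_html(link, addr))
    print("after unescape:", visible_after_unescape(link, addr))
```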
The best and simplest summary here is that we recommend the use of contact forms rather than the other solutions. While the use of temporary email addresses is reliable, it does require changeover and contact forms will just keep working.
Oh – and by the way, our spam filtering does work – it’s just that nothing can cope in the long term with huge amounts of spam involved in this situation.
Website speed (or “performance” as we like to call it) can be a tough and complex area and can be very difficult to get right without experience. However, there are some basic techniques that give big returns and in this article we’d like to share some things that normally give quick wins when your website is slow. Using these tricks alone we’ve seen many websites go from display times of 30 seconds to 3 or 4 seconds, just to give you an idea of the results possible for really slow pages.
This article is written mainly as a management overview of performance, and it also contains some quick pointers for technical people.
- Website download time
- Website “first byte” time
```apacheconf
# Start Gzip
AddOutputFilterByType DEFLATE text/html text/css application/javascript
# Start expire
ExpiresActive On
ExpiresDefault "access plus 1 week"
```
- WP Supercache – an easy to install plugin
- WP-Rocket – probably the easiest caching plugin, very simple to install
- W3 Total Cache – the most complex of the performance plugins, it also provides good CDN integration. Be warned, it’s complex!
As this is an overview article we won’t go into these plugins in depth other than to say that very detailed instructions are available on how to install them if you do some quick searching.
- Use a different webserver stack – we prefer LEMP for speed, Apache degenerates badly under load
- LEMP/Nginx can deliver static files 10x faster due to use of kernel optimization hooks
- PHP accelerator – retains compiled code in memory, approx 2x benefit depending on site
- Use a CDN to move the work for static files onto a fast-dumb architecture
- Use the above techniques – File compression, Expiry etc
- Consider Google optimize – can work well, but can increase CPU load
- We tend to use a faster database than MySQL – this can give a 2-3x benefit
- Avoid needless database queries, and make sure any queries you do are not slower when the database gets bigger. (See next point!)
- Use performance profiling plugins to help reveal any problems with SQL queries or plugins you may be using on a site (eg NewRelic)
- Use the available WordPress debugging plugins to make life easier for yourself
- Try to cache slow operations and only re-run them occasionally. eg: Don’t re-run complex queries every time the home page loads!
- Always use a cache when you develop a site (so you can fix problems as they arise)
- In Australia, avoid the Google Hosted Library versions of things like jQuery as the lack of AU-based POP can add a whole second to your site load time (per file!)
Of course, there are many other things that you should be aware of and we highly recommend a visit to the webpagetest.org performance measuring tool as you develop your code. It’s too late to test right at the end as it’s much easier to fix problems as you go; and progressive checks will help you improve your website optimization skills quickly.
A new generation of internet virus has been generating growing industry alarm over the last few years and costing business owners enormous amounts of time, angst and money.
Since late 2013, groups of internet pirates have been running a number of related scams where they hold all your business files to ransom. Just like a pirate on the High Seas, until you pay them a ransom (usually $300ish in Bitcoin) they lock you out of all your files. Some businesses have lost all their files and often the business as a result, so this article discusses how you can keep yourself from being a victim. We’ll call this virus “crypto-locker” in the rest of this article – as that’s the best known variant historically, though there are actually many similar varieties.
Even large businesses are not safe and this attack is becoming increasingly common, with informed IT providers being very familiar with protecting you. We do recommend that if you haven’t talked to your IT provider about this, that you do so – show them this simple overview article as it may help.
To understand how the process works, what crypto-locker actually does is usually this:
- A fake email containing the crypto-locker virus is sent to you (actually a small bootstrap for the virus).
- The user is tricked into clicking and running a link in the email; they often ignore warnings displayed.
- Crypto-locker runs in the background, encrypting your files as quickly as it can before you notice. The virus is very smart and will also encrypt your server files and often even your backups.
- Once finished, your PC will display a (usually) big red screen warning that all your files are now encrypted and you have 24 hours to pay a ransom or lose your files forever.
- You then pay a ransom by Bitcoin of around AU$300 or more, which provides you with a restoration key which (if it works!) you can then use to decrypt your files and get back up and running again.
This article lists a number of useful techniques which you can use in combination to keep yourself safe.
Avoid falling for the email and clicking the link
Perhaps obviously, avoiding clicking the link in the first place is the basic place to start. The people who are most likely to click are those who are busy and not thinking, and/or those who are less computer knowledgeable – often reception, but just as likely to be the CEO. Clear reminders to staff not to click ANY links in an email unless they’re absolutely certain they know what the email is about are essential. And never, ever to run file attachments without confirming with the sender – real people rarely (if ever) send .exe attachments!
This is so critical it can’t be emphasized enough; if your team can get this one thing right you will save yourself thousands. One recent similar test in a large bank had some 70% of the staff clicking malicious links, so it’s not as obvious as it might seem. Education is the key!
It’s important to bear in mind that the pirates are constantly engineering their messages to look legitimate and very safe and it helps to explicitly warn your team of this up front. For instance, the last few batches of emails have all appeared to be from credible Australian companies and are often spelling and grammar perfect.
Current anti-virus software will sometimes detect the virus and protect you. Bear in mind that the pirates hire the best and smartest virus writers so this will only protect you some of the time, and rarely protects against the very newest varieties.
While antivirus is a simple step, it can be easy to neglect over time and is such an essential layer. Some IT providers are able to help here by providing a monitoring service where they can detect antivirus failures and warn you or help reactivate your antivirus.
Provider email virus scanning
Many webhosts will provide virus scanning for their email – that is, if someone emails you a virus you’ll never receive it as your email server will intercept it and delete it on the way.
This is a critical layer as it stops the email for both this and other future virus problems from even getting to you in the first place. However, it’s worth mentioning that the bad guys are constantly working on how to work around this – they actually test and change their stuff all the time to avoid detection!
Again, this is a useful layer that I wouldn’t leave home without. WD3 provides regularly updated email antivirus scanning as part of our standard email product.
Current backups – server shadow protect
Having some form of backup is critical; and the more important your files are to the running of your business, the more careful you should be about backup. While you’ll probably never be hit, the cost of being hit badly, whether from virus or hardware failure, is so extreme you’ll want to make sure you do cover yourself well with backups.
While we’ve heard a number of stories of IT providers being able to save people via good backups, we’ve also heard stories of crypto-locker encrypting or destroying backups so they can’t be used. This is insidious as it means backups alone are no longer enough to keep you safe. One protection for this is obviously to have offline backups that can’t be touched by the virus.
OpenDNS on router, or a security appliance
OpenDNS is a free DNS service that uses some seriously clever techniques to distinguish the crypto-locker control sites from normal sites. This means that in some situations it is able to immediately “lock out” crypto-locker from communicating with its controller sites and thus prevent it from doing anything. This doesn’t work all the time, but is so effective and so low cost that it’s really worth it as another layer, and OpenDNS locks out some less sophisticated viruses as well.
OpenDNS needs to be installed in your router usually, and that’s generally something best left to your IT provider. Once installed it should keep you safe from crypto-locker and can even be used to help keep you away from adware and other viruses across all your onsite computer equipment.
Superior results can be obtained from onsite security appliances which can also detect dangerous sites and these should be considered in conjunction with IT providers where any incident could cause serious loss of business, or your files are critical (eg patient data, confidential information, critical Intellectual Property etc).
Software monitoring your computer looking for dangerous behaviour
A virus like crypto-locker exhibits some very characteristic behaviour, for example, opening and rewriting every file on your computer. Software exists that can catch this behaviour, backing up the files being changed to enable restoration, and locking out the virus or malware at an early stage before it has a chance to do much damage.
One example of such a tool is the award-winning “Webroot” software. Your IT provider should be able to advise on getting hold of this and getting it set up, and there are other tools out there that do similar “heuristic” protection – that is, they notice dangerous behaviour and catch it early.
Because antivirus packages often rely on “signatures” to detect viruses, unknown or new viruses often slip through and some form of heuristic protection will catch most of these new “0-day” viruses before they do damage.
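As an added illustration of the behavioural (“heuristic”) detection described above, and not code from any of the products mentioned, here is a small Python detector that reads file-activity events and flags any process that rewrites many distinct files within a few seconds, the characteristic pattern of a file-encrypting virus. The log format, process names and paths are constructed for the example; a real deployment would feed it events from whatever file-monitoring agent you run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a file-activity log (not real data): one event per line.
SAMPLE_LOG = """\
2016-03-01T09:00:01 pid=1200 proc=winword.exe op=write path=C:/Users/tim/Docs/quote.docx
2016-03-01T09:00:05 pid=1200 proc=winword.exe op=write path=C:/Users/tim/Docs/quote.docx
2016-03-01T09:01:00 pid=4242 proc=invoice_scan.exe op=write path=C:/Users/tim/Docs/a.docx
2016-03-01T09:01:00 pid=4242 proc=invoice_scan.exe op=write path=C:/Users/tim/Docs/b.xlsx
2016-03-01T09:01:01 pid=4242 proc=invoice_scan.exe op=write path=C:/Users/tim/Docs/c.pdf
2016-03-01T09:01:01 pid=4242 proc=invoice_scan.exe op=write path=S:/Shared/d.docx
2016-03-01T09:01:02 pid=4242 proc=invoice_scan.exe op=write path=S:/Shared/e.docx
2016-03-01T09:30:00 pid=3100 proc=backup.exe op=read path=C:/Users/tim/Docs/a.docx
2016-03-01T09:30:01 pid=3100 proc=backup.exe op=read path=C:/Users/tim/Docs/b.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) path=(?P<path>.+)$"
)


def parse_events(log: str):
    """Yield (timestamp, pid, process, op, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), int(m["pid"]), m["proc"], m["op"], m["path"]


def find_mass_rewriters(log: str, threshold: int = 5, window_s: int = 10) -> dict:
    """Return {pid: process} for any process that wrote to at least `threshold`
    distinct files within a `window_s`-second window. Repeated saves of the same
    file count once, so an editor saving one document is not flagged."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) of writes in the window
    flagged = {}
    for ts, pid, proc, op, path in parse_events(log):
        if op != "write":
            continue
        window = recent[pid]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len({p for _, p in window}) >= threshold:
            flagged[pid] = proc
    return flagged


if __name__ == "__main__":
    for pid, proc in find_mass_rewriters(SAMPLE_LOG).items():
        print(f"mass rewrite detected: pid={pid} proc={proc}")
```

Tune `threshold` and `window_s` against normal activity on your own machines before acting on alerts; backup and indexing tools read many files quickly but, as the sample shows, reads are not counted.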
While you don’t need to take every single step listed in this article, you’ll be very well covered if you do 4 or more. By the way, security professionals call this “layered security” or “security in depth” – multiple layers increase the probability you’ll be safe and this is in fact the strategy we use to keep our own servers from being hacked.
An interesting side story is that, in 2014, a group of sophisticated good guys including federal authorities and top security consultants attacked the pirates’ infrastructure in return and managed, for a while, to make it possible to decrypt your files. Unfortunately, the pirates adapted quickly and there’s information suggesting this no longer works for new infections.
References and more information for the detailed at heart
Technical details for techos: