Standby for HTTP/2 – A faster, more secure internet!


The internet is going to get faster. Yowzah! It’s a tad techy, but trust me this is a BIG DEAL. The connection between your browser and internet stuff will be able to run faster and more securely using the all new and improved HTTP/2. It’s good news for all internet users.

When will we be going faster?

When your browser and the web server/resource you’re connected to both have HTTP/2 support.

Browsers are ready. Maybe.

  • Chrome 40 (already released) includes HTTP/2 support
  • Firefox 35 already supports HTTP/2
  • Internet Explorer (You want performance and you use IE. Really??!)

Web Servers are ready. Maybe.

  • IIS released in Windows 10
  • Apache requires mod_spdy to be deployed (see Industry Comments below)
  • Litespeed can support HTTP/2

The HTTP/2 low down

* Warning there’s some techy stuff here!*
HTTP/2 is nearly here. About time! The HTTP/2 standard, which has been under development since 2012, is nearly ready to be released into the wild. HTTP/2 offers a number of ‘modernised approaches’ to shifting data across the wire that are quite normal now in other communications mediums, so it’s good to see the internet finally catching up.

Binary transfers

HTTP 1.1 currently only allows text transfers over the wire. HTTP/2 will inherently improve online transfer speed and security by providing for binary data transfer.

Multiplexing

HTTP/2 allows for multiple bidirectional streams, multiplexed over a single TCP connection, and multiple HTTP/2 TCP streams can be used (up to 100, all independently) as well. Wow!
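
The binary framing and multiplexing described above, as an added example (not code from the original post): every HTTP/2 frame starts with a 9-byte binary header carrying a length, type, flags and stream id, which is what lets several streams share one TCP connection. The sample bytes, function names and two-stream scenario are constructed for illustration; padded DATA frames and HPACK header decoding are left out.

```python
import struct
from collections import defaultdict

# Frame type codes and flags as defined by the HTTP/2 specification.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
END_STREAM = 0x1
PADDED = 0x8
MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE (2**14 bytes)


def make_frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf, max_frame_size=MAX_FRAME_SIZE):
    """Split a byte buffer into (type_name, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        # The top bit of the last four header bytes is reserved and is ignored.
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if length > max_frame_size:
            raise ValueError("frame larger than the advertised maximum")
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, hex(ftype)), flags, stream_id, payload))
        pos += 9 + length
    return frames


def demultiplex(frames):
    """Reassemble DATA payloads per stream; return (bodies, finished_stream_ids)."""
    bodies, finished = defaultdict(bytes), set()
    for name, flags, stream_id, payload in frames:
        if name != "DATA":
            continue
        if stream_id == 0:
            raise ValueError("DATA frame on stream 0 is a protocol error")
        if flags & PADDED:
            raise ValueError("padded DATA frames are not handled in this example")
        bodies[stream_id] += payload
        if flags & END_STREAM:
            finished.add(stream_id)
    return dict(bodies), finished


# Constructed sample: two responses (streams 1 and 3) interleaved on one connection.
SAMPLE = (make_frame(0x0, 0, 1, b"<html>")
          + make_frame(0x0, 0, 3, b"body{")
          + make_frame(0x0, END_STREAM, 1, b"</html>")
          + make_frame(0x0, END_STREAM, 3, b"}"))

if __name__ == "__main__":
    bodies, finished = demultiplex(parse_frames(SAMPLE))
    for sid in sorted(bodies):
        print(sid, bodies[sid], "complete" if sid in finished else "open")
```

The length and truncation checks matter on the receiving side: a parser that trusts the 24-bit length field without bounding it will buffer whatever size a peer declares.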

More compression coming to an internet near you soon

Standby for the HPACK HTTP header compression standard to be published soon.

Industry Comments

Andrew White, Technical Support Manager at Micron21

At this stage we have no plans to implement HTTP/2.0 (or HTTP/2 as it’s also called) due to software incompatibilities. Currently cPanel provides very limited unofficial support for mod_spdy (the origin of HTTP/2.0) due to incompatibilities with the latest Apache version and dependencies on a flawed version of OpenSSL.

This standard has only been approved by the IESG for 7 days now – the technology would definitely be classed as bleeding edge software. The environment we provide is an enterprise production based one, so we will likely not run this on any of our servers at any time soon.

A point of interest is that Litespeed (the primary HTTPD we use on our shared hosting, we ditched Apache a few years ago) has put in preliminary support for HTTP/2.0 on their open/development application OpenLitespeed, so we’ll likely have provisional support in Litespeed within the next month or two.

Kind Regards,

 Andrew White
Technical Support Manager
www.micron21.com

 

 

How safe is your WordPress site?

WordPress is a hacker target

Long live WordPress …as long as you don’t get hacked.

A huge portion of contemporary websites are built using WordPress but unfortunately it is a ‘soft target’ for hackers. Your WordPress website’s security relies on:

  • Your web server ‘neighbours’’ security efforts
  • The weakest login to your site
  • and more

WordPress is ‘easy’ so we get complacent.

Website owners tend to get complacent, or are just too damn busy ‘doing the doing’ to be distracted with geeky stuff like website updates, backups and site security… WordPress reinforces this view too, because it just keeps on running…

Web Builders not Website Maintainers

The other thing I note is that the majority of web developers tend to be ‘Website Builders’ rather than ‘Website Maintainers’ beyond occasional design or content updates. WordPress needs much more maintenance attention than older ‘flat HTML websites’.

Your Web Host is not a Website Maintainer either

The typical web hosting business is focussed on its infrastructure of web servers and internet connections and likely sees WordPress as a problem child because it:

  • Uses considerably more server resource than flat HTML sites
  • Is a potential hacker entry point to their servers

WordPress website owners become a headache for Web Hosts because they need more sophisticated technical support. Even restoring WordPress from backup is much more complex (i.e. time consuming) than a flat HTML site and not something that a web host can afford to resource from their modest hosting fee.

Let’s look at some facts about your WordPress site’s exposure to hackers

The hack attacks you don’t know about

Unfortunately your site doesn’t tell you it’s being attacked. Many of the hacked websites I’ve been asked to fix were hacked for days and even weeks before the business owner realised. It’s not a good look when your clients have to tell you your site is hacked.

But it is possible to see if your site is being ‘probed’ by hacking software looking for ‘exploits’.

We use a sophisticated firewall in our Website Concierge hosting which dynamically blocks any suspicious activity. If the ‘bad behaviour’ recurs we permanently block the IP. This chart shows the blocks applied by our firewall in the last 12 months. Feb 2015 is looking to be a boomer month with 680+ permanent firewall blocks (that’s over 22 hacker blocks per day).

Firewall blocks Feb 2015

Where are the hackers from?

As we reported in Sept 2013 the vast majority of hackers we see are still from China (by an order of magnitude). Surprising but true.

firewall blocks by country

Server hack types?

This chart shows the nature of server hack attempts, which reveals some interesting if not frightening information.

  • LF_SSHD (yellow) The majority of hack attempts probe the web server’s Secure Shell (SSH)
    A successful attempt would enable the hacker to take over the web server to destroy not only your website but all other sites on the same server. Website Concierge servers have this service disabled because of the significant risk.
  • LF_SMTPAUTH (green) Hackers are trying to gain access to the email server. That’s right – access to email accounts can be a valuable resource for hackers.
  • LF_FTP (pink) Hackers attempting to access your website via FTP to gain control of it and make any changes they want.

firewall blocks by medium

Brute Force Login attempts

In addition to server ‘back door’ hack attempts, hacking software can attempt to break into your WordPress site through the ‘front door’ – your website login screens. Here the hacker’s software will cycle through User ID and password combinations to attempt to gain an illicit login.

Admin brute force attempt
The Simple History WordPress plugin enables you to conveniently see these hack attempts. In these examples, the hack software made nearly 37,000 attempts to log in as ‘Admin’ – persistent isn’t it? As a basic security process we delete the default WordPress administrator account ‘admin’ for Website Concierge sites.

Do you have the Admin ID active in your WordPress site? I’d suggest you should remove it!

simple history admin

FYI www.ip2nation.com says this hack attempt was from The Netherlands

Smarter brute force attempt
This hack attempt was slightly smarter, as it first uncovered a real login name for the site, then tried 263 times to log in.

Simple History Brute Force attempts

FYI www.ip2nation.com says this hack attempt was from Canada
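
The block-then-permanently-block behaviour and the login brute forcing described above can be reproduced from an ordinary web access log. This is an added example, not the firewall's or the plugin's own logic: the thresholds, function names and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example, not the settings of any real firewall.
WINDOW = timedelta(minutes=5)       # look-back window for counting failures
THRESHOLD = 5                       # failed logins within WINDOW that trigger a block
TEMP_BLOCK = timedelta(minutes=10)  # length of the first, temporary block

# Apache/Nginx "combined" access-log line: ip, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def is_failed_login(method, path, status):
    # WordPress re-renders the login form (HTTP 200) after a failed login and
    # redirects (HTTP 302) after a successful one.
    return method == "POST" and path == "/wp-login.php" and status == 200


def detect(lines):
    """Return [(ip, 'temporary' | 'permanent'), ...] in the order blocks are applied."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    temp_until, permanent, actions = {}, set(), []
    for rec in sorted(filter(None, map(parse, lines)), key=lambda r: r[1]):
        ip, when, method, path, status = rec
        if not is_failed_login(method, path, status) or ip in permanent:
            continue
        if ip in temp_until and when < temp_until[ip]:
            continue  # still blocked: the request would not have reached the site
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:
            hits.popleft()
        if len(hits) >= THRESHOLD:
            if ip in temp_until:          # the bad behaviour recurred after a block
                permanent.add(ip)
                actions.append((ip, "permanent"))
            else:
                temp_until[ip] = when + TEMP_BLOCK
                actions.append((ip, "temporary"))
            hits.clear()
    return actions


def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    start = datetime(2015, 2, 10, 3, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method="POST", path="/wp-login.php", status=200):
        ts = (start + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2048 "-" "-"'

    lines = [line("203.0.113.7", 2 * i) for i in range(6)]            # first burst
    lines += [line("203.0.113.7", 1200 + 2 * i) for i in range(5)]    # comes back later
    lines += [line("198.51.100.9", 40 + 120 * i) for i in range(4)]   # slow, under threshold
    lines.append(line("198.51.100.4", 30, status=302))                # successful login
    lines.append(line("192.0.2.50", 50, method="GET", path="/"))      # ordinary page view
    return lines


if __name__ == "__main__":
    for ip, action in detect(sample_log()):
        print(f"{action} block: {ip}")
```

The slow client at 198.51.100.9 never trips the window, which is the gap a per-window counter leaves; a longer secondary window or a cap on total failures per day would be needed to catch it.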

Security depends on the weakest password

The weakest point of defence for a brute force attack is the easiest password to guess, so are you managing the password strength in your site? There are some excellent password strength WordPress plugins.

Takeaways

OK so maybe there’s more hacking activity than you might have guessed. What should you do so you can get back to doing the doing without spending too much money?

  1. Get some secure hosting
    Cheap hosting is cheap for a reason. You might also end up with website ‘neighbours’ who aren’t as interested in website security as you. In fact you won’t even know who they are…
  2. Invest in some good quality WordPress support
  3. Use a professional ‘website maintainer’ to ensure your WordPress site is
    1. Backed up
    2. Updated regularly
    3. Has security strategies implemented and monitored

 

Mobile Usability warnings reinforce Google’s mobile intentions

If you have Google’s Webmaster Tools set up for your site (and you REALLY should do it!) you may have received an alert email from Google warning “Fix mobile usability issues found on <your site>”.

This is a further step in Google’s current campaign to improve its support for mobile searchers. Back in Oct 2014 they started telling searchers that some websites are Mobile Friendly by displaying a ‘Mobile friendly’ badge in search results.

Google are progressively assessing websites (page by page) to see if mobile visitors to your site have “a meaningful “after-click” experience that helps (them) use information relevant to their task”.

They’ve also got new reports in the wings to compare search performance between desktop and mobile devices.

It’s quite clear that mobile compatibility is emerging as another key SEO element.

What are Mobile Usability Issues?

What sorts of things are Google checking to decide if your site is ‘mobile compatible’?

Flash Usage
Poor old Flash. Once the internet’s dominant multimedia technology, Flash inadvertently fell into the trap of not being Apple’s friend, leading to incompatibility with the largest selling mobile devices and now as a result, not Google’s friend either ;(
I bet Adobe didn’t anticipate that when they bought Flash from Macromedia.

Viewport issues
The viewport tag tells the browser how to display the page’s dimensions and scaling. In the contemporary internet, hundreds of different devices with different screen requirements can visit a site, so the viewport tag is very important to ensure the website is displayed sympathetically on that individual device. Google assesses situations where the viewport isn’t working properly including:

  • Viewport not configured
  • Fixed-width viewport
  • Content not sized to viewport

Small font size
Google defines this as “the font size for the page is too small to be legible and would require mobile visitors…” to pinch to read the text. A no-brainer really…

Touch elements too close
Yep it’s frustrating when you try to click a button with your finger but the adjacent one is clicked.
There’s got to be some space between the buttons…

New WMT Measurement Tools too

Google’s as yet unreleased WebMasters ‘Search Impacts’ reports further reinforce how serious Google are about this. These new reports will break down organic performance by device (amongst other factors) which will provide accurate and presumably ‘character building’ moments for those without mobile compatible sites.

Google WebMasters Tools draft 'Search Impacts' reports

Draft Webmasters Tools ‘Search Impacts’ report. Source: Search Engine Land

So who cares? You should!

Rachel Lindteigen from Search Engine Land suggests the next logical step is that poor mobile compatibility will be damaging to your site’s organic search performance – at least in Google searches anyway. Read Rachel’s article here.

It’s a logical deduction given Google has already indicated “mobile usability is now relevant for optimal search results”.

Haven’t got an email from Google yet?

Haven’t received an email from Google (yet)? This might be because:

  • Your website passes Google’s mobile usability tests
    Well done! Go to the top of the class. Standby to be loved by Google for mobile searches
  • You don’t have Google WebMasters Tools set up for your site
    Sorry but you are flying blind. If you can’t see it, it can’t hurt you… Right? (refer Ostrich Survival Techniques)
  • Maybe Google WebMasters Tools is set up, but not sending notifications to an accessible email address
    Oops. Better get that fixed.

Why are Google doing this?

Don’t underestimate the impact on your business of Google’s enthusiastic pursuit of all things mobile. Google has access to more online usage data than anyone. Even the data we can access clearly shows the Internet’s rapid domination by mobile devices. Google want to be sure they maintain their domination in search by presenting mobile searchers with good quality mobile-compatible websites in their search results.

…and what will happen to the sites that aren’t mobile compatible? They will fall through the rankings to the ‘cutting room floor’ and be quietly swept out of sight.

But really, why are Google so keen on Mobile?

Yes mobile is a big slice of the internet, but it’s more than that. Mobile device Apps let people escape the tyranny of search by directly connecting them to their chosen resources. People used to search (in Google) to find that resource. If an increasing slice of internet users don’t need Google, they won’t click on their AdWords ads and Google’s revenue stream (and share price) starts falling.

So Google’s investment in Hummingbird, which gives it voice search (i.e. semantic search) technology, makes search easier and more intuitive for mobile users, locking them into search.

Takeaways

So if you know your website is not mobile compatible, now is an excellent time to be considering an upgrade, otherwise you’ll be playing catch-up to your competitors when Google moves into the next phase.

– Confirm you/your SEO service provider have access to and monitor Google WebMaster Tools
– Check if you/they received Mobile Usability warnings
– Address any mobile warnings (and others) ASAP
This might range from a few tweaks, through to deploying a responsive website.

‘Authorship’ and ‘Author rank’

It seems like there have been so many changes about Google ‘authorship’ that I really can’t keep up!

For a short time authorship ‘displayed’ a thumbnail portrait of the author which helped to establish credibility in search results – then that changed and now Google have stopped ‘authorship’ altogether.

This article by Danny Sullivan helps to clear up some of the mystery and speculates on where this might head in the future.

My view is that some form of ‘author credibility’ is inevitable, and if you are involved in cranking out blogs then keep this concept in mind and be prepared to leverage ‘author rank’ in whatever form it eventually does take.

 

Should you migrate to HTTPS for better ranking?

Google are encouraging ‘a safer internet’ by rewarding websites that use HTTPS with improved ranking. I’ve had several calls from concerned business website owners wanting to know if they should also change over to HTTPS to maximise their website’s Google exposure.

What is HTTPS?

HTTPS secures the online communications between your site and your visitor by encryption. HTTPS stops ‘middle men’ from listening in to your visitors’ ‘conversation’ with your website. HTTPS is typically used for sites where sensitive information (like credit card details etc) is sent across the wire and encrypts the data so it is only readable by the two participating devices.

Interestingly, HTTPS is not as secure as you might think, as a major security flaw code-named Heartbleed was discovered recently in an open source implementation of supporting software and impacted many high-profile websites globally.

Should you go to HTTPS?

I unreservedly recommend that website owners do everything that will improve their online exposure, and as Google is ‘King of the Internet’ for the foreseeable future then sure, it makes sense to do everything they want.

BUT…

Has your site other significant SEO issues?

Let’s put this into perspective – the HTTPS benefit is apparently very small and likely completely masked/wasted if your site has other SEO related issues, such as a Google penalty from backlink naughtiness, or being poorly SEO tuned. If your site is not already operating at peak SEO performance, in my view it’s probably not worthwhile migrating to HTTPS straight away, and certainly not until you address any other issues.

Does HTTPS cost anything?

Implementing HTTPS involves registering and deploying an SSL certificate for your site which costs around $AU 300 per year plus installation fees. Your website may also require a dedicated IP address which is likely to incur additional web hosting costs.

A soft-cost is the slightly reduced performance that comes from the on-the-wire and server processing overhead of HTTPS. Notably web page load performance is also a ranking factor, so the slow down of a poorly specified web server loaded with the additional processing of HTTPS may further reduce any SEO gains for the HTTPS migration – What a dilemma!

What should you do?

  1. If your site is already performing well for organic traffic (i.e. you get about 70+% of your visitors via organic search), then monitor your online exposure and if you see a performance dip, then consider rolling over to HTTPS.
  2. If your site doesn’t already compete well in the organic space, invest the money on identifying and resolving the current SEO issues and on-site tuning. You’ll see a dramatic increase in organic traffic and if it’s done well an increase in online sales leads.
    Once you’ve done that, go to step 1 and reconsider.

 

AdWords announces integrated Call Tracking

Google is now providing Call Tracking in its AdWords campaigns.

Previously, you would have to engage an external digital telephony provider to get a trackable number and Analytics integration to trace call leads from your AdWords campaign. Now you can manage this from within the AdWords campaign – and it is ‘free’… Well you don’t have to pay any more than the click costs…

This will allow you to track inbound calls generated as leads from your AdWords campaign to reveal your best converting keywords etc., a key piece of online marketing data.
When you’ve established this, you can then apply this in your organic search effort as well. Read more in Google’s announcement.

Mobile phone callers are an important channel, with smartphones used increasingly for online product research, followed by the seductively convenient “click to call” to make a call based enquiry direct from your website and/or ads. The new AdWords offering also works for inbound landline calls, although it does take a bit of digestion to get your head around how and why Google have used dynamic telephone numbers generated ‘at each ad click’.

Avanser, a prominent Australian digital telephony provider, noted that the AdWords call tracking was not a fully rounded offering such as their own offerings.

Why AdWords ‘Close Variants’ removal might Cost You More

Google AdWords has announced that they will be removing the option to choose a Close Variants Only setting from your AdWords campaign. Even if you’re busy and don’t have the time or energy to digest this gibberish, take a second and you might prevent wasting your AdWords budget.

This background might help you understand why this change is important for you:

A KEYWORD is not (always) the same as a SEARCH TERM

Understanding the difference between a KEYWORD and SEARCH TERM will help retain your sanity in this discussion:

  • Keywords: You want your ads to be displayed for these words.
  • Search Terms: These are the searches that Google decides to show your ads for

Why is there a difference?

AdWords loosely matches your campaign keywords with punters’ searches, which can be helpful for your ads to be seen in related searches such as:

  • typos
  • misspellings
  • synonyms

But as smart as Google tries to be, it doesn’t always get the matching right. In fact in some AdWords Account reviews, I’ve identified up to 30% of clicks that are not relevant. You might also be interested to know that the largest amount of work for ongoing AdWords support is identifying search term mis-matches (i.e. wasted clicks) then applying negative keywords to prevent Google from using that dead expense again.

What are Close Variants?

No it’s not about a friendly group of related people… Close Variants is a basic setting minimising mismatch between your selected keywords and prospect searches. It was one step toward bounding Google’s enthusiastic attempts to attract more, often unrelated clicks.

They’re just being helpful.. oh and taking more of your more money too…

 

What is AdWords changing?

‘In late September’ Google are removing the Close Variant option in AdWords accounts.

How will this impact me?

If your AdWords campaign uses the Close Variants Option, you will notice a jump in ‘loosely matched’ clicks with the possibility that many will not be sales leads. Even though you’re busy you might still notice your sales leads drop slightly, so you’ll throw more money at AdWords to compensate.

Your most cost-effective approach will be to:

  • reduce/avoid broad matching in your campaign
  • monitor search term reports closely
  • frenetically add negative keywords to prevent future irrelevant search term matching
  • monitor conversions to target and benchmark your best converting search terms

 

Beware of a ‘Negative SEO’ Scam

Please be aware that there are ‘Negative SEO’ extortion emails currently circulating. These may represent a real risk to your business.

What is Negative SEO?

Google has been penalising websites it believes don’t comply with its ‘WebMaster Quality Guidelines’. Unfortunately it is possible to make an ‘innocent’ website appear to be non-compliant, and after Google applies a penalty, that site’s exposure can be dramatically reduced, along with the business’s online commercial opportunities.

Google have historically dismissed the existence of Negative SEO, and even their current position remains ambivalent. There is growing speculation among the SEO Community that Google’s penalty strategy is to covertly drive businesses to use its primary income stream – AdWords – rather than rely on ‘uncertain’ organic search.

Are you already penalised?

I’m surprised by the number of websites that are already unknowingly being impacted by Google penalties. Many don’t realise that there are an increasing number of aspects of traditional website ‘craft’ that may put your website and business at risk, for example:

  • Innocent acknowledgements of your business (eg sponsorship on a local sporting club site)
  • Submitting your business to ‘low quality’ directory sites
  • Footer Links from other sites
  • Website defects
  • Poor mobile device support
  • Commonly re-used content eg supplier provided product information
  • Slow or unreliable web hosting
  • and many more…

What can you do?

If you receive a Negative SEO extortion email you could:

– Ignore it… (high risk)
– Take Google’s suggestion “report it to law enforcement” (good luck with that 😉)
– If the sender’s email is a GMail email account, report it
– Report it to your Internet Marketer

My advice is ‘Be Prepared’

Sadly Google doesn’t normally declare if it has penalised your site, so removing one starts with trying to determine which penalty may be the problem. Monitoring your site’s performance over time enables traffic drops to be accurately matched to Google updates, giving your Internet Marketer a head start on identifying which penalty has been applied and maybe how to solve it.

Am I already penalised?

If you believe your website under-performs, contact me and I can provide a quick ‘penalty risk’ evaluation.
If that raises any red flags then I can research and provide a detailed report including a penalty removal strategy.

Here’s a sample of a Negative SEO Extortion Email

The email reads:

Subject: I Want To Buy. Please Guide Me.
Hello,
Read this email very carefully.
This is an extortion email.
We will do NEGATIVE SEO to your website by giving it 20,000 XRumer forum profile backlinks (permanent & mostly dofollow) pointing directly to your website and hence your website will get penalised & knocked off the Google’s Search Engine Result Pages (SERP) forever, if you do not pay us $1,500.00 (payable by Western Union).
This is no false claim or a hoax, download the following Notepad file containing 20,000 XRumer forum profile backlinks pointing to http://www.negativeseo.cn.pn/ (this is our website and go and see on this website, you will find our email address issmt1@yahoo.com from which this email right now is being sent to you) :
http://www.mediafire.com/download/eizjwnpq2rsrncu/20000-XRumer-Forum-Profile-Backlinks-Dofollow.txt
Just reply to this email to let us know if you will pay just $1,500.00 or not for us to refrain or not from ruining your precious website & business permanently. Also if you ignore this email and do not reply to this email within the next 24-48 hours, then we will go ahead and build 20,000 XRumer forum profile backlinks pointing directly to your website.
We are awaiting your wise decision.
RS

April 2017 Update

The guys at www.siteoscope.com have a great post on anti-SEO prevention strategies that is well worth a read.

Important WordPress Security Release

While I bleat regularly about WordPress updates, please pay special attention to version 3.9.2, ‘The Security Release’.
This release addresses a number of security exploits, but the key one is a denial of service issue, found in both WordPress and Drupal, that was discovered in the way both these systems process XML. Read more at WordPress.org news.

 

 

Project Zero launched to help make a safer internet

Website malware distribution

Source: Google Security

Does your website have some protection against hackers or is it a sitting duck?
Just so we all understand how caustic the internet can be, especially for unprotected websites, be aware that:

Google has 12 to 14 million search queries per day with warnings flagging that one of the websites in the search results was compromised.

To Google’s credit they have announced the launch of Project Zero – a research commitment to find, investigate and report vulnerabilities etc. to ultimately make the internet a safer environment.

I was surprised to see this chart in Barry Swart’s article showing the dramatic increase in ‘attack websites’, i.e. sites with nasty software that try to load malware onto your system when you visit them. I imagine that many of these sites have been quietly infected with the owners blissfully unaware that their visitors (i.e. prospective clients) are at risk of being attacked by the website.

It’s a bit like standing at the door of your showroom with a loaded shotgun… Do you think you might scare off a few prospective clients?

Typically website owners don’t even know that their website has been hacked until either:

  • Google puts up a search result warning or
  • A client complains that their firewall software wont let them visit the site

Sadly often I’ve had to resort to restoring the website from a backup to remove a hack and get the site operational again, so make sure your website is backed up regularly too, otherwise no-one will be able to resource your site.

Succinct Ideas also offers ‘hacker resistant’ hosting and regular backups under our Website Concierge brand principally for WordPress sites – because they are most at risk.