Security Vulnerability Identified for Users of Popular WordPress Plugin and Theme

If you run your website on WordPress and have installed the Jetpack plugin or the Twenty Fifteen theme, you could be exposed to a newly identified vulnerability.

According to the web security firm Sucuri, any WordPress plugin or theme that bundles the popular Genericons icon package could be affected by a DOM-based Cross-Site Scripting (XSS) vulnerability.

Both the Jetpack plugin (which has more than 1 million active installs) and the Twenty Fifteen theme (WordPress’s current default theme) ship Genericons. The vulnerable code lives in the example.html demo page that comes with the package, not in the icon font itself.

Eliminating the Threat

The quick fix is to remove the example.html file from every Genericons directory on the site. It is a demo page for the icon set, and nothing in WordPress, Jetpack or Twenty Fifteen depends on it.

Sucuri said it identified the vulnerability before it had caused any known damage, and because the response was so fast the overall threat to WordPress users isn’t considered serious. Sucuri warned, however, that the vulnerability is easy to exploit.

Sucuri notified the most popular web hosting providers and supplied them with a virtual patch (a rule applied at the host’s web firewall) that blocks exploitation. If your site is hosted with one of these providers, that protection is already in place:

– GoDaddy

– HostPapa

– DreamHost

– ClickHost

– Inmotion

– WPEngine

– Pagely

– Pressable

– Websynthesis

– Site5

– SiteGround

But if your site is hosted by a different company, you may need to fix the issue yourself. According to Sucuri, all you have to do is go to the genericons directory and delete the example.html file; with the page gone there is nothing left to exploit. Check every copy: a site can carry more than one Genericons directory (the theme’s and the plugin’s, for instance), and an old version reinstalled later brings the file back. Updating is the other route: the patched releases of Jetpack and Twenty Fifteen drop the file, and WordPress 4.2.2 scans wp-content for it and removes it.

Who Is Responsible?

The example.html file is simply the demo page that ships upstream with the Genericons icon set, and there is no indication that anyone put it there deliberately. It is still surprising that Automattic and the WordPress team left a non-essential demo page in the genericons directory of a default theme and a million-install plugin: demo and example files bundled with third-party packages are a classic source of forgotten attack surface, and this one happened to contain an exploitable bug.

Here’s the formal description from OWASP:

“DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.”

In plain terms: the malicious input rides along in the URL, and the page’s own JavaScript reads it and writes it into the page. The XSS payload is never sent to the server side; it is processed entirely in the browser.

So even if your website sits behind a firewall, the firewall can’t inspect the payload, because it never sees it: a request for example.html looks like any other request for a static page. A web firewall can still refuse requests for the vulnerable path outright (which is what the hosts’ virtual patch amounts to), but a generic XSS signature applied to request parameters will not catch DOM-based XSS. That is why it is considered hard to block, even though the underlying bug is easy to patch.

A Close Shave

DOM-based XSS is also harder for attackers to exploit in practice, because the payload travels in the URL and the victim has to be lured into opening a crafted link. Once someone does click through, though, it provides the same level of access as other types of XSS.

In practice, the exploit could run JavaScript in your browser within your own site’s origin, which means it can act as you on that site: if you are logged in as the admin when you open the link, the script can do whatever the admin can.

Had this exploit not been caught, it could have had a devastating impact on unsuspecting website owners and businesses alike.

In any case, if you remove example.html from every genericons directory on your site, you should be okay for now.

Google Announces Cancellation of Its PageSpeed Service

If you currently are using Google’s free PageSpeed Service to speed up your web pages, you should probably start looking for another service now.

That’s because Google recently announced that it is cancelling its PageSpeed service, effective in August.

Google’s PageSpeed Service, which was first launched in 2010, uses tools to analyze and optimize websites in order to implement the best web performance practices. Fast and optimized pages lead to better visitor engagement, retention and conversions.

But Google is pulling the plug on the hosted service, although the underlying optimization tools will still be available as open-source server modules.

Google’s official announcement came May 5, although rumors of PageSpeed’s demise have been flying around tech message boards and have been hinted at in numerous tech blogs for the past several weeks.

August 3 Deadline

Website owners using Google’s PageSpeed Service have until August 3 to change their DNS so their sites no longer route through the service.

Google recommended that webmasters using the service log in to the PageSpeed console and look at the list of their domains. Any domain labeled “Enabled” will be affected once the service shuts down for good.

If a site’s DNS still points at PageSpeed when the service shuts down, the site will be completely unavailable; Google warned plainly that it will break. The console offers guidance if a webmaster tries to delete a live domain.

On May 5, big pink banners began appearing on PageSpeed pages stating, “PageSpeed Service has been deprecated and will be turned down on 3rd August.” A link is provided that directs visitors to Google’s official announcement.

Options to PageSpeed

Google offered PageSpeed users several options, some free and some paid, that they can switch to before the service is shut down.

Webmasters are advised to check with their hosting provider to see if it offers provider-hosted PageSpeed. In some cases, switching to this version could be as simple as checking a box in the provider’s control panel.

There also are PageSpeed modules available for many of the most common web servers, so website owners who run their sites on their own server are advised to install one of these.

Google also develops the open-source Apache module mod_pagespeed.

There are currently two pre-built binary modules available: Apache 2.2 and Apache 2.4.

There’s also an Nginx module, ngx_pagespeed, that Google has developed. But this must be compiled from source.

Other options include:

– IIS: WeAmp has a commercial port of PageSpeed to Microsoft IIS.

– Apache Traffic Server: WeAmp also has ported PageSpeed to Apache Traffic Server.

– OpenLiteSpeed: This platform supports a PageSpeed module that can be compiled and loaded into the web server.

– Cloud-based alternatives: If webmasters prefer a cloud-based product, EdgeCast EdgeOptimizer integrates Google PageSpeed with its CDN offering. Many other CDNs offer similar functionality that doesn’t use PageSpeed technology.

Why PageSpeed Mattered

PageSpeed was designed to make web pages load faster for users. It featured a quick and easy setup and let users keep up with the latest optimization techniques without having to constantly search for them online.

One of the biggest benefits was that it ran on Google’s existing fast and secure infrastructure, which won’t be available to webmasters who switch to the open-source server modules. It was widely praised for creating happier users and better conversions.

While Google hasn’t explicitly explained why it pulled the plug on this popular, helpful service, some tech bloggers speculate that Cloudflare captured this market and Google decided to stop competing.

5 Quick and Easy Ways to Ruin Your Blog’s Credibility

Blogs are becoming one of the fastest-growing ways for people with common interests to share information, ask questions, and dig deeper into their passion subjects. They also are increasingly being used by companies to build stronger relationships with their customers.

But whether you are publishing your own special interest blog or writing a blog for your corporate masters, your objective needs to be to attract and hold onto the largest possible reader base.

Sounds simple enough, right? Yet thousands of bloggers routinely shoot themselves in the foot by making stupid mistakes that could easily be avoided.

Here are the top five ways many bloggers inadvertently ruin their credibility and turn off readers so they never return:

1. Talking Too Much about Yourself

This is more of a problem with company-sponsored blogs than with individual bloggers. But the purpose of both types of blog should be to provide content that consistently informs and educates readers on new and interesting topics.

Blogs should not be commercials for products or companies. When you only write about what your company is doing (or about yourself), you are going to turn off a lot of readers, especially if you keep doing it post after post.

A better plan is to establish yourself as an industry thought leader and give your readers high-value content. When you do this, you strengthen their loyalty and keep them coming back for more.

2. Shamelessly Hawking Your Products

Unless you are Amazon.com, most people don’t visit your blog to buy products.

While it’s generally acceptable to include links to affiliate products or to promote products you endorse (and hopefully get a commission from), you can’t be obvious about it. Don’t hit readers over the head with your sales pitch. Educate first and sell subtly.

3. Not Selling Enough

Sure, this sounds like it runs counter to the last item, but it actually doesn’t. While you want to provide your readers with high-value content and avoid bludgeoning them with your sales pitch, you also should remember that your blog is there for a reason: To increase interest in your company or subject.

Tie your valuable content back to your brand and include a soft sell to get the message across to your blog’s readers.

4. Turning Off the Comments Section

Some companies are so concerned about their online reputation that they try to manage the way they are portrayed on their own blog by not allowing comments. Big mistake.

Not allowing comments discourages readers from engaging with your content. It sends the message that you don’t care what they have to say and that you don’t value their opinions.

While there may be some (minimal) risk that somebody is going to post something critical and that it will be read by other readers before you can get rid of it, if you properly maintain your comments section on a regular basis you can address any negativity quickly and effectively. In many instances, your best customers are those that had a bad experience that you addressed to their complete satisfaction.

5. Being Too Long-Winded

People aren’t clicking on your blog because they want to read “War and Peace”. Keep your posts short and information-dense. Providing too much information can make readers weary, and wary of future posts.

Remember the old show business adage: Always leave them wanting more!

These five common land mines can destroy the credibility of any blog. Avoid these and you can improve your chances of attracting many new followers, and holding on to your existing ones longer.

5 Ways to Increase Click-Through Rates with Killer Meta Descriptions

You can increase traffic to your website in one of two ways. The first is to improve your page rankings on the search engine results for your keywords. The second is to improve your click-through-rate (CTR).

Most Internet marketers focus on the first approach. But improving CTR can provide you with huge results, especially since it’s so easy to do.

Over the years, I’ve discovered dozens of effective ways to increase CTR, some of which yield better results than others. Here are five that are easy and provide big results very quickly:

1. Copy Off Other People

While this technique may have been frowned upon in high school, it should be standard operating procedure for successful internet marketers.

A lot of online marketers are allergic to the idea of paying for traffic. But that doesn’t mean that you don’t have anything to learn from the people who do buy paid ads.

The truth is that people who pay for traffic spend a lot of time and money testing their ads to make sure they get the optimal results. The result is ads that already are fully optimized.

All you need to do is swoop in and steal their optimized copy and use it as your own.

In fact, because Google Ads are limited in the number of characters they can contain, it’s a safe bet that the keywords paid marketers include are the ones that perform best and get the most conversions.

2. Copy from Non-Paying Competitors

As long as you are stealing your competitors’ best ideas, why stop there? You also can take the copy from the most successful competitors who use organic SEO strategies.

Look to see which keywords and phrases they are using. What benefits or features do they highlight? Then take them for your own and use them within your copy.

This isn’t stealing. It’s known as “not reinventing the wheel”.

3. Tickle Your Customer’s Curiosity

Curiosity may have killed the cat, but it also caused billions of web users to click through on links because they were dying to find out what happened next.

In fact, this is a strategy you see all the time on social media sites such as Facebook. Marketers will post something like, “A Woman in Texas Stopped to Give a Dollar to a Homeless Man on the Street. You’ll Never Guess What Happened Next, Wow!”

This may be an overused trope, but it’s overused because it works like magic. Try clickbait phrases like this in your meta descriptions to exploit people’s natural curiosity. Other phrases include:

– “Find Out How ”

– “What You Do If ”

– “Discover the Amazing Way ”

– “Have You Ever Wondered What Would Happen If ”

4. ‘Features Tell, but Benefits Sell’

This is a phrase that is as old as advertising itself. People aren’t interested in the facts and statistics about what they are buying. What they really want to know is what it can do to make their life better.

Explain that and you can sell practically anything to anybody.

Start your ads with benefits. Features like how much something weighs, how big it is, how long it lasts, and so on, should only be included if they drive the story you are trying to tell. If they don’t, leave them out.

In your meta descriptions, include benefits phrases like “Make More Money by ” or “Lose Weight and Feel Great with ”

5. People Love Numbers

Getting clicks is easier when you use numbers in your meta descriptions. That’s because people believe something is more factual if you qualify it with a real number.

For example, which would you be more likely to click on?:

– Learn How to Improve Your Click-Through Rate

– 5 Ways to Increase Click-Through Rates with Killer Meta Descriptions

Considering you are already reading this, I think you just answered the question!

Give Before You Take – A Brief Exploration of Value in Internet Marketing

Almost anyone reading this is going to be familiar, at least in some abstract way, with the concept of “value.” The concept of value, or the utility derived from content, products, or other offerings, is not unique to Internet marketing (IM), and those working across a variety of markets, both online and offline, have to be keenly aware of the ways in which their value is perceived by customers. In this post, we’re going to go over the importance of balancing your ‘give’ with your ‘take’, and a few ways in which you can maintain that balance when working with IM clients.

The Why

Basic economics courses teach students that most people make their purchasing decisions based on a concept called ‘utility cost’; whenever someone is deciding whether or not to purchase an item or make a trade, they weigh whether the utility of what they will receive is greater than the utility of what they already have. Most commonly, this is the often quick and (nearly) subconscious assessment you would make as to whether an item is “too expensive” or seems like a “good deal.”

In online marketing, your customers make these decisions several times throughout your sales funnel:

– Is the freebie being offered worth more to me than the potential privacy giveaway and possible unwanted messages that entering my email could incur?

– Is the information this person posts on their site helpful enough to me that it’s worth taking ten minutes out of my day to read?

– Do I trust this person enough to take their recommendation that what they’re offering is worth my hard-earned money?

For many marketers, the second and third bullet points are where they lose people.

The Mindset Swap

Even though your end goal may be to make as much money as possible, your customer always wants to feel like they’ve “won.” In most IM-related instances, this means feeling like they’ve gotten the promise of greater future value from a product, tool, or training/coaching course than what they paid for it. However, there is another crucial evaluation that happens long before they’ll ever get close to purchasing, and that’s value-based trust.

I recommend marketers practice a mindset swap, which involves taking the focus off of their bottom line and simply becoming a customer. Read every offer you’ve got, every promotional email, every review, and ask yourself, does this feel valuable? You are not smarter than your customers; if you know deep down that something you’re offering feels like a half-solution or copout, they’ll pick up on it too.

Most marketers, both experienced and novice, have a sales funnel riddled with these holes where offers feel like they’re doing more for the seller than the (potential) buyer. Remember, when perceived utility of an offer is viewed as a loss, people aren’t going to bite.

Actually Over-Deliver

Many of these low-value gaps occur because marketers are afraid of giving away ‘the whole solution’, system, or secret. Why then, you might ask, would someone make a purchase if they feel they’ve already been given the solution to their problems? It is a tricky balance, but too many err on the wrong side of the scale and come across as withholding value from their customers.

It shouldn’t be surprising that customers are often more likely to purchase after they have already had success with your methods and recommendations, and you offer them up a paid product that complements that success, rather than offering them a tiny piece of the puzzle with what they need to see any positive results locked behind a paywall.

Which scenario do you think is more likely to foster an ongoing, positive relationship with a new customer? An opt-in freebie that gives visitors a complete system to make $1,000 per month, which you then upsell to a different version with larger earning potential later on, or just offering them the first page of the main system right off the bat, which essentially renders it useless to them and gives them nothing they can act on immediately?

The former has a high chance of resulting in a lifelong customer; the latter might just tick someone off and see them opting out of your email list as fast as possible.

The point? Give before you ever ask to take, work from the customer’s shoes, and always over-deliver.