Bluehost’s New Account Management Interface Seems Rather Broken

We were recently dealing with what should be a fairly standard piece of work for us, transferring a website to a new VPS. That turned out to be a lot more complicated because of a change made recently at the web host Bluehost. They replaced their long-used account management interface. This causes a couple of problems we wanted to share in case others run into problems as well and are wondering if they are alone in that.

First, we found that some of their support documents still are written for the old interface. One of those has instructions for something that isn’t even possible with the new interface. Our client contacted their support team about that and was told that it was no longer relevant, but the document is still up over a week later.

Second, we found that the interface seems rather broken. We found features that only worked some of the time. When we were trying to make a simple change, we found that the interface wasn’t showing information that it should have been showing. It isn’t a good situation.

How to Autopost From WordPress to Bluesky

Update 9/3/24: Over at our Plugin Vulnerabilities service we did a security review of Neznam Atproto Share and found multiple security issues with the plugin. The developer so far has not addressed those.

Last week, the Twitter alternative Bluesky became publicly joinable after having previously required an invite code to join. Alongside that, there has been increased interest in automatically posting new WordPress posts to Bluesky. There is a plugin to do that, though the name wouldn’t exactly suggest that. The plugin is named Neznam Atproto Share. The AT Protocol is the networking technology that underlies Bluesky.

Setup is easy. On the Writing admin page in WordPress, you enter server information, including an App Password, which can be generated on the Bluesky website.

The plugin does have a major restriction we should note. It requires at least PHP version 8.0 to install it. A lot of websites are not using that version of PHP. You can get around that by manually adding the plugin into WordPress, and at least in our testing, it still seemed to work with an older version of PHP.

We have seen some complaints about problems with it posting when it shouldn’t, so you should test it out to make sure it works appropriately for your use case.

Moving to Squarespace Isn’t Like Migrating a Website to a New Host

We recently had someone contact us looking to move their website to Squarespace. They believed that doing that is like migrating a website to a new web host, but it is very different.

Squarespace is not a web host, but a website builder. With a web host, you would create a website based on software you install in the hosting account. You can then move that to another web host as long as their hosting system is compatible with the software. With Squarespace, your website is created in their own software. So you can’t transfer an existing website to them and you can’t transfer a Squarespace built website to another web host.

When moving your website to Squarespace, you are largely starting over. Depending on what you are moving from, you can automatically move some content over to it, but otherwise everything needs to be redone.

Malware Didn’t Get on Your Website Through a WordPress Update

When it comes to figuring out how websites have been infected with malware or otherwise hacked, people often assume something that happened around the same time as they became aware of the hack caused it. There are a couple of big problems with that. First, as the saying goes, correlation isn’t causation. Second, the start of the hacking can have been well before it is noticed.

Another problem that comes up is that people can come up with fairly improbable possible causes. We recently interacted with someone suggesting that an update to WordPress introduced malware onto their website. If that were something that was occurring, it would be big news. In their case, there wasn’t even a correlation, as they knew about the malware and were having it cleaned six days before the update.

A post we wrote recently explains the basics of trying to determine how a website was actually hacked.

WordPress Themes Can be Updated to Be Compatible With Newer Versions of PHP

We recently ran across someone who was remaining on an unsupported version of PHP because their WordPress theme wasn’t compatible with a newer version of PHP. They didn’t have to do that. WordPress themes can be updated to support newer versions of PHP. If the theme is still supported by the developer, they should be releasing updates to address that. If you are using a theme that isn’t supported by the developer anymore, someone else should be able to handle addressing incompatibilities with newer versions of PHP.

How easy or difficult it is to make the theme compatible will depend on whether the theme extensively uses PHP functionality that has been removed in a newer version of PHP. You usually have plenty of warning of that situation, as the functionality will be deprecated before it is removed, so addressing any deprecation warnings will avoid having the theme break later on.
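One way to find the deprecation warnings a theme is producing is to pull them out of the PHP error log and group them by call site. This is an added example, not part of the original post; the log lines are constructed, and the theme name `example-theme` and all paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a PHP 7.x error log; the theme name "example-theme"
# and all paths are made up for this example.
SAMPLE_LOG = """\
[12-Feb-2024 10:15:32 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/html/wp-content/themes/example-theme/functions.php on line 42
[12-Feb-2024 10:15:32 UTC] PHP Notice:  Undefined variable: title in /var/www/html/wp-content/themes/example-theme/header.php on line 7
[12-Feb-2024 10:15:40 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/html/wp-content/themes/example-theme/functions.php on line 42
[12-Feb-2024 10:16:02 UTC] PHP Deprecated:  The each() function is deprecated. This message will be suppressed on further calls in /var/www/html/wp-content/themes/example-theme/inc/widgets.php on line 118
[12-Feb-2024 10:16:05 UTC] PHP Deprecated:  Function create_function() is deprecated in /var/www/html/wp-content/plugins/example-plugin/main.php on line 9
"""

DEPRECATED_RE = re.compile(
    r"PHP Deprecated:\s+(?P<msg>.+) in (?P<file>/\S+) on line (?P<line>\d+)$"
)
THEME_RE = re.compile(r"/wp-content/themes/(?P<theme>[^/]+)/(?P<rel>.+)$")


def theme_deprecations(log_text, theme):
    """Return {(relative_file, line, message): hit_count} for one theme."""
    hits = defaultdict(int)
    for raw in log_text.splitlines():
        m = DEPRECATED_RE.search(raw)
        if not m:
            continue  # not a deprecation notice (e.g. a Notice or Warning)
        t = THEME_RE.search(m["file"])
        if not t or t["theme"] != theme:
            continue  # notice comes from core, a plugin or another theme
        hits[(t["rel"], int(m["line"]), m["msg"])] += 1
    return dict(hits)


def report(log_text, theme):
    """One line per distinct call site, most frequently hit first."""
    rows = sorted(theme_deprecations(log_text, theme).items(),
                  key=lambda kv: (-kv[1], kv[0]))
    return [f"{n}x {rel}:{line} {msg}" for (rel, line, msg), n in rows]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "example-theme")))
```

Each reported line is a place in the theme that still works on the current PHP version but is at risk of breaking after an upgrade.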

If you are unable to handle making a WordPress theme compatible with newer versions of PHP yourself, we can help you with that.

You Can’t Migrate Your WordPress Website to Squarespace, Only Move Some of the Content

We were recently contacted by someone looking to migrate a WordPress website to Squarespace. Based on that interaction, it seems that not everyone is familiar with the implications of trying to make such a move. Put simply, those two systems are not compatible. You are largely starting over if you make that move. You can move various content, but everything else has to be done again.

Here is Squarespace’s own information on what content can be imported:

You can import the following content from WordPress:

  • Attachments
  • Blog pages, blog posts, and authors
  • Categories
  • Comments
  • Individual images
  • Site pages
  • Tags

You can’t import:

  • Content from plugins
  • Gallery images
  • Image captions
  • Images saved in your Media Library, but not attached to any posts or pages, won’t import. We recommend downloading all images in your Media Library so you have them as a backup.
  • Style or CSS. To customize your Squarespace site’s design, use the Site styles panel.

The last item listed as something you can’t import is really important to note. All the styling will need to be redone. Depending on how advanced the design of the website is, that might not matter much (if you, say, only have text pages), but it also might dramatically undo the look of the content.

How you manage the website can also be dramatically different.

If you are simply having some trouble with your WordPress website, as the person we were contacted by was, it would be better to see if that can be addressed instead of making a huge change, like switching to Squarespace. We can help you with that.

Your WordPress Website Might Be Hacked if It Is Loading Very Slowly or Not Loading at All

We were recently contacted by someone looking to move their website off of WordPress because of downtime the website was experiencing. WordPress websites shouldn’t have problems with downtime unless something is going wrong with the website or the web hosting it is on. The solution to that wouldn’t be to move off of WordPress, but to address the problem. So what was going on?

When we went to view the website, we found that either it was slowly loading or not loading at all. Pulling up a cached copy of the website’s homepage through the Bing search engine, we were redirected to a malicious website. Viewing the source code of the cached copy of the homepage, we found that it contained obfuscated malicious code (the same code existed on the live website). So the problem here was that the website had been hacked. The solution to that is to clean up the hack, not switch to other software that could also be hacked.

If you are having a problem with your website, get in touch with someone who can assess what is going wrong. We can help you with that. If you need a hacked WordPress website cleaned up, we can also help with that.

Sucuri and MalCare Don’t Address the Source of Hacked Websites, Leading to Results Like This

Earlier in the week, we were mentioning that many hack cleanup providers don’t do the essential work of trying to figure out how websites were hacked. If you hire one of them, you might get lucky and have that not matter, because the hacker hit the website once and moved on, but with more persistent hackers, that isn’t going to work out. Here is a fresh example of that involving two of those providers, Sucuri and MalCare:

A WordPress site I work for hosted on WPEngine has suffered from a malware attack. The attack was noticed when a consent management pop up started appearing on the home page. WPEngine’s security team from Sucuri hasn’t been much help as they’ve scanned and “removed” the problem 5 times now. I’ve also used a premium service from MalCare which did basically what Sucuri did, scanned said “it’s fixed” and then it came back.

That person tried a lot of things to deal with this:

I have enabled a number of security features including disabling enumeration, 2FA, custom wp login url, automatic password lockout after 2 tries, changing file permissions on certain files, enabled automatic alerts on file changing or file addition, deleted non essential users, changed passwords to all current users multiple times…

What they really need is to bring someone in who will work through trying to figure out how the hacking is continuing, addressing that, and trying to figure out how it started.

If you are in need of someone who will actually do that work, we do that for WordPress websites and other types of websites.

Quora Ads Review: Serious Problems Trying to Target Relevant Content

We recently tested advertising on the question-and-answer website Quora to try to show ads on relevant content there. We wanted to share our results for anyone considering whether they should give it a try.

Who Knows What is Going on With Targeting

If you want to show ads on certain content on Quora, they have several options for that. Though, their own data suggests something is very amiss. Let’s look at an example of that.

One option is to target keywords, which “Show ads near questions containing or excluding keywords.” If you set it so that ads would show up for the keyword “drupal” in the United States, their system told us that there were 1,000–2,000 p:

So a decent number of potential times to show ads.

Another option is topics, which “Show ads relevant to specific Quora topics.” When searching for topics related to Drupal, the first one listed is “Drupal (Operating System)”. Drupal is a content management system, not an operating system:

Selecting to show for that in the United States, their system told us there were <100 p

If you instead select “Drupal 8 CMS,” the number increases to 20,000–25,000 p

That doesn’t seem to make any sense, as that shouldn’t be significantly higher than when showing ads with the “drupal” keyword, as anything relevant to that topic should use that keyword.

If you instead select “Drupal 7” the number increases to 30,000–35,000 p

Again, that doesn’t make any sense.

Quora doesn’t provide any additional information on what these topics entail to try to better understand what is going on there.

Poor Results for Keyword Targeting

We decided to go with keyword targeting, because that seems less likely to show up for a lot of irrelevant content. We started with low bids. We didn’t see many impressions or any clicks. We started raising bids. The number of impressions didn’t increase much, but we started getting a lot of recorded clicks for the limited amount of impressions.

We didn’t have many of those clicks show up in our analytics. Most of them that were showing were coming from VPN services. These VPN visitors frequently clicked on ads multiple times in short periods of time. In one case, there were five clicks from one VPN user in less than a minute and a half. Considering that we were only targeting certain geographic areas, we would want to exclude VPN users because we have no idea if they are in an area we could reasonably serve customers. Considering the likelihood of fraudulent clicks through those, we would want to exclude them anyway, but Quora doesn’t have an option for that.
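The repeated-click pattern described above can be flagged from your own analytics data by looking for several ad arrivals from one address inside a short window. This is an added example, not part of the original post; the rows are constructed, the IPs are documentation-range addresses, and the `utm_source=quora` tag on the landing URL is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed analytics rows: (timestamp, visitor IP, landing URL).
SAMPLE_HITS = [
    ("2024-03-04T14:00:05", "192.0.2.10", "/services/?utm_source=quora"),
    ("2024-03-04T14:00:21", "192.0.2.10", "/services/?utm_source=quora"),
    ("2024-03-04T14:00:48", "192.0.2.10", "/services/?utm_source=quora"),
    ("2024-03-04T14:01:02", "192.0.2.10", "/services/?utm_source=quora"),
    ("2024-03-04T14:01:27", "192.0.2.10", "/services/?utm_source=quora"),
    ("2024-03-04T14:03:00", "198.51.100.7", "/services/?utm_source=quora"),
    ("2024-03-04T15:40:00", "198.51.100.7", "/services/?utm_source=quora"),
    ("2024-03-04T14:00:30", "203.0.113.5", "/blog/"),
]


def find_click_bursts(hits, min_clicks=3, window=timedelta(seconds=90),
                      marker="utm_source=quora"):
    """Return {ip: (clicks, first_ts, last_ts)} for the densest burst per IP."""
    by_ip = defaultdict(list)
    for ts, ip, url in hits:
        if marker in url:  # only count arrivals that came from the ad
            by_ip[ip].append(datetime.fromisoformat(ts))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the left edge until the span fits inside the window.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_clicks and count > bursts.get(ip, (0,))[0]:
                bursts[ip] = (count, times[start], t)
    return bursts


if __name__ == "__main__":
    for ip, (n, first, last) in find_click_bursts(SAMPLE_HITS).items():
        span = int((last - first).total_seconds())
        print(f"{ip}: {n} ad clicks in {span}s ({first} to {last})")
```

Addresses flagged this way can then be checked against whatever VPN or hosting-provider IP list you have available before deciding whether the clicks should count.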

There is also a lack of visibility as to what you are even showing up on. The number of impressions we got with different keywords made it seem like they might be showing up on a lot of things they shouldn’t, but we have no way of knowing.

Overall, we didn’t get even close to getting any business.

Almost No Impressions With Question Targeting

Another option we are trying is targeting specific questions relevant to what we were advertising. The interface for selecting those isn’t great. But the larger problem is that with this option, we found we had only single digit impressions in a month. So there was very little chance of that drawing in business.

Your Result May Be Different

It might be that what we are targeting is an area where Quora produces bad results and other areas produce better results. It also might be that other options they have for targeting their audience produce better results for you.

But we would say that if you do decide to try it, you should go into it knowing that results might be bad and you might be wasting your time/money.

If anyone else has experience with advertising with them, good or bad, leave a comment on your results below.

Can you determine how a website has been hacked?

Your website has been hacked. A fairly obvious question is how was it hacked. Can you determine that? The short answer is maybe.

Another short answer is that many people you might bring in to deal with that won’t try to do that. They should. So why don’t they? A lot of them are using automated tools to do cleanups and they don’t have the expertise to try to figure out how it was hacked. Doing a (possibly poor quality) automated hack cleanup is cheap; having employees who do the work to try to determine how it got hacked isn’t so cheap. There are further reasons they don’t do this. Many security providers’ businesses are built around security remaining poor, so finding and fixing new vulnerabilities isn’t great for them. There is also the issue that many providers are partnered with sources of insecurity. One provider, Sucuri, is owned by GoDaddy, who admitted, belatedly, that their own insecurity got lots of customers’ websites hacked. Unsurprisingly, Sucuri doesn’t really try to figure out how websites are hacked.

Your best chance of figuring out how a website is hacked is bringing in someone who has experience trying to determine that as soon as possible. The longer you wait, the more likely that evidence, particularly logging, will be gone. If you bring in someone after a cleanup has been done, that will further limit the evidence available.

We wouldn’t recommend trying to figure this out yourself. We often deal with people that have to varying degrees tried that. We often find that they are suggesting possible sources of the hack that are not really possible or would be highly unlikely.

Even if you bring in someone who has a lot of experience doing this, they may not be able to determine the source of the hack, not because of a fault on their part. The fault is that there isn’t the evidence needed to determine this. For example, if a web host is getting hacked, most of the evidence of that would only be available to the web host. So someone else would only have circumstantial evidence to work with.

Even if the source can’t be determined, it is important to try to determine the source of the hack. A large reason for that, we have found, is that it helps to make sure the hack is fully cleaned up. We are often brought in to re-clean websites where there wasn’t an attempt to determine that, and when we do that, we find parts of the hack that were missed before.