Category Archives: Latest Trends

Essential Phone gets a $200 price drop, existing customers get credit

Essential has an offer that’s honestly very hard to refuse: the price of the Essential Phone (PH-1, going by its technical model number) is now $200 cheaper, at $499 off-contract and unlocked. That’s an amazing price for their debut smartphone, which remains my favorite in terms of straight-up industrial design (and it has one of the best color-tuned displays in devices right now, in my opinion).

The Essential Phone went on sale just a few months ago, but the company believes that as a young startup just getting out there in a market where incumbents like Apple and Samsung basically take up all the available space, there’s a lot of value in word of mouth and perceived value. That’s why it’s making this price change, Essential tells me – though you also have to wonder whether the company isn’t seeing the numbers it was hoping for in terms of initial sales, which is what some early third-party sales estimates have suggested.

Regardless of the reason, the price drop makes Essential arguably the best value smartphone on the market, and definitely the best Android device in that range. Its one major failing has been its camera, which launched as a slow and buggy feature compared to most out there, but subsequent camera software updates have improved its speed and reliability a lot, and more updates are promised for the future, too.

Lest Essential’s earliest customers feel slighted, it has a deal for early buyers, too – they’ll receive a $200 ‘friends and family’ credit they can use to further discount (valid through December 15, 2017) a device for a loved one (or another for themselves, if they maybe also want the just-released white Essential Phone, for instance), or to buy the 360-camera attachment. Customers will be able to sign up to redeem the $200 credit on the Essential page, using their phone’s IMEI and serial numbers, along with the email address they used to purchase.

In a time when the prices of flagship smartphones in both the iOS and Android worlds are ballooning, this is a very welcome nod to affordability. Without question, if you want an amazing phone at a killer price, the now $499 Essential Phone is the one to get.

Also, this is U.S. only for now – details on a program for Canadian device followers will follow, per Essential.

Source: https://techcrunch.com/2017/10/22/essential-phone-gets-a-200-price-drop-existing-customers-get-credit/

WhatsApp Group Voice, Video Calls Coming Soon, Suggests iPhone Beta Code: Report

WhatsApp group calling is on its way, going by the code spotted in the latest beta version of the iPhone app. While group voice calling for WhatsApp is pretty much confirmed due to multiple references, there is only a single mention of group video calls for the platform. Nonetheless, it will be a worthwhile addition to the app, which has been adding loads of features this year for its more than 1 billion users. However, it is not yet clear when WhatsApp would roll out the features.

According to WABetaInfo, which reports on upcoming features of WhatsApp, the WhatsApp v2.17.70 beta for iPhone update has code references to group calls. “The 2.17.70 iOS update has very hidden references to group calls! Before it was an internal news, now it’s all confirmed,” WABetaInfo tweeted on Sunday, adding, “There are a lot of hidden references about group voice calls, but there is only one reference about group video calls. So group video calls are partially confirmed at the moment.”

It was earlier reported that the Facebook-owned messaging app was working on group voice calls and could release the feature next year. Facebook already has a similar feature on Messenger.

“WhatsApp 2.17.70 sends a request to the server to ask if the user you are calling is in another group call!” WABetaInfo tweeted.

“Note that these references we found are very strong (but they aren’t visible for you at present) and they have allowed us to understand what WhatsApp is going to add in the application, as we did for WhatsApp for iPad,” it added. The WhatsApp watcher also reported that the iPhone app will soon give group administrators more power, with the ability to remove a greater number of participants from a group at once.

Separately, the WhatsApp v2.17.387 beta for Android brings new administrator features for groups, including the ability to choose whether participants can modify the subject of the group, its icon, and its description. There is also an option to prevent the group creator from being removed from the group by other administrators.

According to WABetaInfo, the messaging app is also testing the Unsend and Delete for Everyone features.

Written with inputs from IANS


Source: http://gadgets.ndtv.com/apps/news/whatsapp-to-get-group-voice-video-calls-soon-references-in-iphone-beta-hint-report-1765772

How to Improve Your Website’s Google Ranking

by Marziah Karch, updated August 09, 2017

Google’s search engine uses a variety of methods to determine which pages are displayed first in the results. Their exact formula is a secret, but there are always a few things you can do to improve your rank in Google search results. The term for this is Search Engine Optimization or SEO.

There are no guarantees and no quick schemes. If someone promises you quick results, it’s probably a scam. No matter what you do, make sure you build a site that you would want to visit, written the way humans want to read it.

If you’re gaming the system, sooner or later Google will figure it out and change their formula. You’ll end up plummeting in the search results and wonder why.

Google Rank Tip #1 – Keyword Phrases (aka Give Your Page a Subject)

A keyword phrase is the words you think someone is most likely to put into a search engine to find your content – basically what you think the subject of your page would be according to Google. You could put a lot of energy into keyword phrases alone and improve your site ranking. Your keyword phrase should obviously appear somewhere in your content, preferably in the first paragraph or so. “This is an article about X, Y, or Z.” Don’t overdo it, and don’t make it look unnatural. If it looks spammy, it probably is.

Again, the point here is to speak like a human and just use the words that humans are most likely to use when searching for a page about your topic. Telling people what they’re about to read is helpful.

Making a word salad to cram in keyword phrases is not.

If you were searching for your own website, what keyword phrase would you type into Google for each page? Would you look for super fast widgets? Would you look for cooking with widgets? Try searching Google for that phrase. Did you get a lot of results?

Was the content what you expected to find? It may be helpful to get a different perspective. Ask someone else to read your page and suggest what they think your keyword phrase might be. You can also check Google Trends to see if one phrase is starting to gain popularity.

Try to stick to one key subject per page. That doesn’t mean you should write stilted text or use odd phrases to keep your subject narrow. Your subject can be broad. Just don’t put a bunch of random and unrelated content together. Clear writing is both easier to search and easier to read. Don’t be afraid to be really long and detailed with that subject, so long as you start with the big ideas first and get into the weeds further down the page. In journalism, they call this the “inverted pyramid” style.

Google Rank Tip #2 – Keyword Density

One of the things Google looks for when it catalogs pages is the density of the keyword usage. In other words, how often the keyword occurs. Use natural phrasing. Don’t try to trick the search engine by repeating the same word over and over or making text “invisible.” It doesn’t work. In fact, some of that behavior can even get your website banned.

Give a strong opening paragraph that says what your page is actually about.

This is just good practice, but it may help search engines find your page, too.

Google Rank Tip #3 – Name Your Pages

Give your pages a descriptive name with the <title> tag. This is vital. Google often displays search results as a link using the Web page’s title, so write it like you want it to be read. A link called ‘untitled’ isn’t enticing, and nobody is going to click on it. When appropriate, use the page’s keyword phrase in the title. If your article is about penguins, your title should have penguins in it, right?

Google Rank Tip #4 – Pay Attention to Links

One of the biggest factors Google looks at is the hyperlink.

Google looks at both links to and from your website.

Google looks at the words you use in links to help determine the content of your page. Use links within web pages as a way to emphasize keywords. Rather than saying, “click here to learn more about SEO” you should say: Read more about SEO (Search Engine Optimization).

Links from other websites to your website are used to determine PageRank.

You can improve your PageRank by exchanging text links with other relevant websites. Linking to your own website is fine. Be a good citizen and link to places other than your own website – but only when relevant. Banner exchanges are not effective, and pages that want to charge you for this service are often known spammers that can hurt your rank.

There’s some debate about just how many links you should have per page. This is one of those rules that’s likely to bite you if you abuse it, so the key, again, should be to be helpful and natural with the rate and quantity of links you offer. Scripts that link your content to other pages or ads within your site may end up damaging your site in the long run.

Google Rank Tip #5 – Social Networking

Social networking sites can be a good way to promote a site, but it is unclear how much it will affect your rank directly. That said, you may find that a great deal of your traffic comes from social networks, so be sure to make your content “social friendly.” Add images and give your content engaging titles.

Google Rank Tip #6 – Make Your Graphics Search Friendly

Give your images alt attributes. Not only does it make your website more accessible to the visually impaired, it also gives you another chance to place your relevant keywords where Google can see them. Just don’t stuff in keywords that don’t belong.

Google Rank Tip #7 – Make Your Website Mobile Friendly

An increasing number of people are using their phones to search for content. You want to make your content mobile-friendly for the sake of good user experience, but you also want to do it for the sake of search. There’s no guessing on this one. Google has indicated that mobile-friendliness is a Google ranking signal. Follow some tips from Google on setting up your site for mobile.

Google Rank Tip #8 – Good Design Is Popular Design

In the end, strong, well-organized pages are pages that Google tends to rank higher. They’re also pages that tend to become more popular, which means Google will rank them even higher. Keep good design in mind as you go, and much of the SEO will design itself.

Source: https://www.lifewire.com/improve-website-google-ranking-1616799

10 Ways to Speed Up Your Website – and Improve Conversion by 7%

Think the speed of your website doesn’t matter?
Think again.
A 1-second delay in page load time yields:

  • 11% fewer page views
  • 16% decrease in customer satisfaction
  • 7% loss in conversions (source: Aberdeen Group)

Amazon found this to be true, reporting increased revenue of 1% for every 100 milliseconds improvement to their site speed. (source: Amazon)
So did Walmart, who found a 2% increase in conversions for every 1 second of improvement.
That’s not all. A study by Akamai found that:

  • 47% of people expect a web page to load in two seconds or less.
  • 40% will abandon a web page if it takes more than three seconds to load.
  • 52% of online shoppers say quick page loads are important for their loyalty to a site.

But the average website load speed has increased 22% this year, according to a report by Radware.
It now takes 7.72 seconds to load—a far cry from the two-second limit of your average user.
Clearly, speeding up your website is critical—not just to ranking well with Google, but to keep your bottom-line profits high. So today, I’m going in-depth, sharing 10 things you can do to shave seconds off your site speed and enjoy higher profits to boot.


10 things you can do to speed up your site

1. Minimize HTTP Requests

According to Yahoo, 80% of a Web page’s load time is spent downloading the different component parts of the page: images, stylesheets, scripts, Flash, etc. An HTTP request is made for each one of these elements, so the more on-page components, the longer it takes for the page to render.
That being the case, the quickest way to improve site speed is to simplify your design.

  • Streamline the number of elements on your page.
  • Use CSS instead of images whenever possible.
  • Combine multiple style sheets into one.
  • Reduce scripts and put them at the bottom of the page.

Always remember, when it comes to your website, leaner is better.
Pro Tip: Start a campaign to reduce the number of components on each page. By doing this, you reduce the number of HTTP requests needed to make the page render—and you’ll significantly improve site performance.

2. Reduce server response time

Your target is a server response time of less than 200ms (milliseconds). And if you follow the tips in this article, you’re well on your way to achieving this.
Google recommends using a web application monitoring solution and checking for bottlenecks in performance.
Pro Tip: Read this report by Singlehop, Critical Ecommerce Infrastructure Needs, to learn nine things you need to focus on to keep your site performing well.
Then tap into these resources:

  • YSlow – to evaluate your site’s speed and get tips on how to improve performance.
  • Google’s PageSpeed Tools – to learn more about performance best-practice and automate the process.

3. Enable compression

Large pages (which is what you could have if you’re creating high-quality content) are often 100kb and more. As a result, they’re bulky and slow to download. The best way to speed their load time is to zip them—a technique called compression.
Compression reduces the bandwidth your pages consume, thereby reducing the size of each HTTP response. You do this with a tool called Gzip.
Most web servers can compress files in Gzip format before sending them for download, either by calling a third-party module or using built-in routines. According to Yahoo, this can reduce download time by about 70%.
And since 90% of today’s Internet traffic travels through browsers that support Gzip, it’s a great option for speeding up your site.
Pro Tip: Read this article for more details on Gzip compression. Then set up your server to enable compression:

  • Apache: Use mod_deflate
  • Nginx: Use HttpGzipModule
  • IIS: Configure HTTP Compression

4. Enable browser caching

When you visit a website, the elements on the page you visit are stored on your hard drive in a cache, or temporary storage, so the next time you visit the site, your browser can load the page without having to send another HTTP request to the server.
Here’s how Tenni Theurer, formerly of Yahoo, explains it…
The first time someone comes to your website, they have to download the HTML document, stylesheets, javascript files and images before being able to use your page. That may be as many as 30 components and 2.4 seconds.
Once the page has been loaded and the different components stored in the user’s cache, only a few components need to be downloaded for subsequent visits.
In Theurer’s test, that was just three components and 0.9 seconds, which shaved nearly 2 seconds off the load time.
Theurer says that 40-60% of daily visitors to your site come in with an empty cache, so it’s critical that you make your page fast for these first-time visitors. But you also need to enable caching to shave time off subsequent visits.
Pro Tip: Read this article to learn four methods for enabling caching.
Static resources should have a cache lifetime of at least a week. For third-party resources like ads or widgets, they should have a cache lifetime of at least one day.
For all cacheable resources (JS and CSS files, image files, media files, PDFs, etc.), set Expires to a minimum of one week, and preferably up to one year in the future. Don’t set it to more than one year in the future because that violates the RFC guidelines.

5. Minify Resources

WYSIWYG editors make it easy to build a Web page, but they sometimes create messy code—and that can slow your website considerably.
Since every unnecessary piece of code adds to the size of your page, it’s important that you eliminate extra spaces, line breaks, and indentation in your code so your pages are as lean as possible.
It also helps to minify your code. Here’s Google’s recommendation:

  • To minify HTML, you can use PageSpeed Insights Chrome Extension to generate an optimized version of your HTML code. Run the analysis against your HTML page and browse to the ‘Minify HTML’ rule. Click on ‘See optimized content’ to get the optimized HTML code.
  • To minify CSS, you can try YUI Compressor and cssmin.js.
  • To minify JavaScript, try the Closure Compiler, JSMin or the YUI Compressor. You can create a build process that uses these tools to minify and rename the development files and save them to a production directory.

6. Optimize images

With images, you need to focus on three things: size, format and the src attribute.
Image size
Oversized images take longer to load, so it’s important that you keep your images as small as possible. Use image editing tools to:

  • Crop your images to the correct size. For instance, if your page is 570px wide, resize the image to that width. Don’t just upload a 2000px-wide image and set the width parameter (width="570"). This slows your page load time and creates a bad user experience.
  • Reduce color depth to the lowest acceptable level.
  • Remove image comments.

Image format

  • JPEG is your best option.
  • PNG is also good, though older browsers may not fully support it.
  • GIFs should only be used for small or simple graphics (less than 10×10 pixels, or a color palette of 3 or fewer colors) and for animated images.
  • Do not use BMPs or TIFFs.

Src attribute

Once you’ve got the size and format right, make sure the code is right too. In particular, avoid empty image src codes.
In HTML, the code for an image includes a src attribute. An empty one looks like this:

<img src="">

When there’s no source in the quotation marks, the browser makes a request to the directory of the page or to the actual page itself. This can add unnecessary traffic to your servers and even corrupt user data.
Pro Tip: Take time to re-size your images before uploading them. And always include the src attribute with a valid URL.
To ensure your images load quickly, consider adding the WP Smush.it plugin to your website.

7. Optimize CSS Delivery

CSS holds the style requirements for your page. Generally, your website accesses this information in one of two ways: in an external file, which loads before your page renders, and inline, which is inserted in the HTML document itself.
The external CSS is loaded in the head of your HTML with code that looks something like this:
In general, an external style sheet is preferable, because it reduces the size of your code and creates fewer code duplications.
Pro Tip: When setting up your styles, only use one external CSS stylesheet, since additional stylesheets increase HTTP requests. Here are two resources that can help:

  • CSS Delivery Tool – Tells you how many external stylesheets your website is using.
  • Instructions for combining external CSS files.

Avoid including CSS in HTML code, such as inline style attributes on divs or your headings. You get cleaner code if you put all CSS in your external stylesheet.

8. Prioritize above-the-fold content

Having just recommended that you use only one CSS stylesheet and no inline CSS, there is one caveat you need to consider. You can improve user experience by having your above-the-fold (top of the page) load faster—even if the rest of the page takes a few seconds to load.
Pro Tip: Consider splitting your CSS into two parts: a short inline part that styles above-the-fold elements, and an external part that can be deferred.

9. Reduce the number of plugins you use on your site

Too many plugins slow your site, create security issues, and often cause crashes and other technical difficulties.
Pro Tip: Deactivate and delete any unnecessary plugins. Then weed out any plugins that slow your site speed.
Try selectively disabling plugins, then measuring server performance. This way you can identify any plugins that harm your site speed.

10. Reduce redirects

Redirects create additional HTTP requests and increase load time. So you want to keep them to a minimum.
If you’ve created a responsive website, more than likely, you have redirects in place to take mobile users from your main website to the responsive version.
Pro Tip: Google recommends these two actions to make sure a responsive redirect doesn’t slow your site:

  • Use an HTTP redirect to send users with mobile user agents directly to the mobile equivalent URL without any intermediate redirects, and
  • Include the markup in your desktop pages to identify the mobile equivalent URL so Googlebot can discover your mobile pages.

Sound too technical? Don’t worry. This post by VerveSearch helps you navigate your switch to a mobile-friendly website without compromising speed.

Source: https://www.crazyegg.com/blog/speed-up-your-website/

9 security tips to protect your website from hackers

You may not think your site has anything worth being hacked for, but websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but instead attempts to use your server as an email relay for spam, or to set up a temporary web server, normally to serve files of an illegal nature. Other very common ways to abuse compromised machines include using your servers as part of a botnet, or to mine for Bitcoins. You could even be hit by ransomware.

Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Here are our top 10 tips to help keep you and your site safe online.

01. Keep software up to date

It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.

If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.

If you are using third-party software on your website such as a CMS or forum, you should ensure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues. WordPress, Umbraco and many other CMSes notify you of available system updates when you log in.

Many developers use tools like Composer, npm, or RubyGems to manage their software dependencies, and a security vulnerability appearing in a package you depend on but aren’t paying any attention to is one of the easiest ways to get caught out. Ensure you keep your dependencies up to date, and use tools like Gemnasium to get automatic notifications when a vulnerability is announced in one of your components.

02. SQL injection

SQL injection attacks are when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL, it is easy to unknowingly insert rogue code into your query that could be used to change tables, get information and delete data. You can easily prevent this by always using parameterised queries; most web languages have this feature and it is easy to implement.
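The string-built query described above beside the parameterised form the article recommends, as an added example that is not code from the article. It uses Python's standard sqlite3 module with an in-memory database and two constructed user rows; the table and function names are this example's own.

```python
# Added example (not from the article): the string-concatenated query the
# article warns about, beside the parameterised query it recommends.
# Uses an in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the form value is pasted into the SQL text, so a quote in
    the input changes the query's structure instead of being matched as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """SAFE: a parameterised query. The driver passes the value separately from
    the SQL text, so it can only be compared against the column, never parsed
    as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate lookup behaves the same either way.
    print(find_user_unsafe(db, "alice"))
    print(find_user_safe(db, "alice"))
    # A value containing a quote and an always-true clause: the concatenated
    # query returns every row; the parameterised one matches nothing.
    tampered = "x' OR '1'='1"
    print(find_user_unsafe(db, tampered))
    print(find_user_safe(db, tampered))
```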

03. XSS

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, and can change page content, or steal information to send back to the attacker. For example, if you show comments on a page without validation, then an attacker might submit comments containing script tags and JavaScript, which could run in every other user’s browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.

This is a particular concern in modern web applications, where pages are now built primarily from user content, and which in many cases generate HTML that’s then also interpreted by front-end frameworks like Angular and Ember. These frameworks provide many XSS protections, but mixing server and client rendering creates new and more complicated attack avenues too: not only is injecting JavaScript into the HTML effective, but you can also inject content that will run code by inserting Angular directives, or using Ember helpers.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions which explicitly make the changes you’re looking for (e.g. use element.setAttribute and element.textContent, which will be automatically escaped by the browser, rather than setting element.innerHTML by hand), or use functions in your templating tool that automatically do appropriate escaping, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender’s toolbox is Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running of any scripts not hosted on your domain, disallow inline JavaScript, or disable eval(). Mozilla have an excellent guide with some example configurations. This makes it harder for an attacker’s scripts to work, even if they can get them into your page.
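Server-side escaping of a user comment, plus a Content-Security-Policy header of the kind described above, as an added example that is not code from the article. It uses only Python's standard html module; the comment markup, the sample comment text and the particular policy values are this example's own choices.

```python
# Added example (not from the article): rendering a user comment with explicit
# escaping, then a Content-Security-Policy header of the kind the article
# describes. The comment markup and the policy values are constructed here.
import html


def render_comment(author: str, body: str) -> str:
    """Build the HTML for one comment. Every user-supplied value goes through
    html.escape, so '<', '>', quotes and '&' become entities and the browser
    shows them as text instead of parsing them as markup. Quotes are escaped
    too (the default), because a stray quote inside an attribute value is
    another way out of the intended context."""
    return (
        '<div class="comment" data-author="{a}">'
        "<strong>{a}</strong>: {b}</div>"
    ).format(a=html.escape(author), b=html.escape(body))


def content_security_policy() -> str:
    """Assemble the CSP header value: scripts only from this origin (no inline
    script, no eval()), no plugins, and a same-origin fallback for everything
    else. 'self' means the page's own origin; the directive names are part of
    the CSP standard, the chosen values are this example's policy."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'"],      # no 'unsafe-inline', no 'unsafe-eval'
        "object-src": ["'none'"],      # no plugins such as Flash
        "base-uri": ["'self'"],
    }
    return "; ".join(name + " " + " ".join(values) for name, values in directives.items())


if __name__ == "__main__":
    # Constructed comment that tries to smuggle a script tag and an attribute
    # breakout into the page; both come out as inert text.
    rendered = render_comment('mallory" onmouseover="x', "<script>alert(1)</script> hi")
    print(rendered)
    print("Content-Security-Policy:", content_security_policy())
```

Browsers apply the header only if the server actually sends it on every HTML response, so set it in the web server or framework configuration rather than in one view.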

04. Error messages

Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.

05. Server side validation/form validation

Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and text entered into a numbers-only field. These checks can however be bypassed, so you should make sure you repeat them, and perform deeper validation, on the server side. Failing to do so could lead to malicious code or scripting code being inserted into the database, or could cause undesirable results in your website.

06. Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users to protect the security of their accounts.

As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run.

Passwords should never be stored in plain text; store them as hashed values, using a one-way hashing algorithm such as SHA. Using this method means that when you are authenticating users you are only ever comparing hashed values. For extra website security it is a good idea to salt the passwords, using a new salt per password.

In the event of someone hacking in and stealing your passwords, using hashed passwords helps limit the damage, as reversing them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match. When using salted passwords the process of cracking a large number of passwords is even slower, as every guess has to be hashed separately for every salt + password, which is computationally very expensive.
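Salted one-way hashing and hash-to-hash verification as described above, as an added example that is not code from the article. The article names "SHA"; this example uses PBKDF2 with SHA-256 from Python's standard hashlib, which also adds a configurable work factor so every guess costs many SHA rounds. The iteration count, the storage record format and the policy helper are this example's own choices.

```python
# Added example (not from the article): storing passwords as salted one-way
# hashes and verifying a login by comparing hashes. PBKDF2-SHA256 (hashlib,
# standard library) is used; the iteration count and the record format
# 'iterations$salt_hex$hash_hex' are this example's own choices.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000           # work factor; raise as hardware gets faster
SALT_BYTES = 16                # fresh random salt per password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'. A new random salt is drawn for
    every password, so two users with the same password get different records
    and a table precomputed for one salt is useless against all the others."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    hash to hash. The plaintext is never stored, so there is nothing to reverse.
    compare_digest keeps the comparison time independent of where the first
    differing byte is."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def meets_policy(password: str) -> bool:
    """The minimum the article suggests: about eight characters, with at least
    one uppercase letter and one digit."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    record = hash_password("Correct Horse 9")
    print(record)
    print(verify_password("Correct Horse 9", record))   # True
    print(verify_password("wrong guess", record))       # False
    # Same password, different salt, different record.
    print(hash_password("Correct Horse 9") != record)   # True
```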

Thankfully, many CMSes provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use salted passwords (pre-Drupal 7) or to set the minimum password strength. If you are using .NET then it’s worth using membership providers, as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

07. File uploads

Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.

If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow storing a comment section which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension as a file with the name image.jpg.php has been known to get through.

Some options are to rename the file on upload to ensure the correct file extension, or to change the file permissions, for example, chmod 0666 so it can’t be executed. If using *nix you could create a .htaccess file (see below) that will only allow access to set files preventing the double extension attack mentioned earlier.
Ultimately, the recommended solution is to prevent direct access to uploaded files altogether. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script, providing you set the correct content type in the HTTP header. For example:
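The upload handling recommended above, as an added example that is not code from the article: the file is judged by its leading bytes rather than its name or declared MIME type, stored under a random name with no extension in a directory outside the web root, and handed back by a delivery function that supplies the content type. It uses only the Python standard library; the storage directory, the id format and the sample bytes are this example's own constructions.

```python
# Added example (not from the article): handling an image upload the way the
# article recommends. Paths, the id format and sample bytes are constructed.
import os
import secrets
import tempfile

# Private storage directory: nothing here is reachable by URL. For the example
# it is a fresh temporary directory; a real site would configure a fixed path.
PRIVATE_DIR = tempfile.mkdtemp(prefix="uploads-")

# Leading bytes ("magic numbers") of the formats we accept, mapped to the
# content type we will serve them with.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes):
    """Return the content type if the data starts like a supported image, else
    None. The client-supplied filename and MIME type are ignored entirely, which
    is what defeats names like image.jpg.php. As the article notes, a header
    check alone is not foolproof (a valid image can still carry code in a
    comment block); the real protection is that the file is never executed."""
    for magic, content_type in MAGIC.items():
        if data.startswith(magic):
            return content_type
    return None


def store_upload(data: bytes) -> str:
    """Validate and store an upload. Returns an opaque id the page can reference
    (for instance as a query parameter to the delivery script). The id is random
    hex, so the stored name contains nothing the uploader chose and has no
    extension a web server could map to an interpreter."""
    if sniff_image_type(data) is None:
        raise ValueError("upload rejected: not a recognised image")
    file_id = secrets.token_hex(16)
    path = os.path.join(PRIVATE_DIR, file_id)
    # Create with owner read/write only: no execute bit, no group/world access.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return file_id


def fetch_upload(file_id: str):
    """Delivery script: map an id back to the private file and return
    (content_type, bytes). The id is checked to be exactly 32 hex characters
    before it touches a path, so '..' or separators can never be spliced in."""
    if len(file_id) != 32 or any(c not in "0123456789abcdef" for c in file_id):
        raise ValueError("bad id")
    path = os.path.join(PRIVATE_DIR, file_id)
    with open(path, "rb") as f:
        data = f.read()
    # Re-sniff on the way out so the served content type matches the bytes.
    return sniff_image_type(data), data


if __name__ == "__main__":
    # Constructed minimal PNG header followed by filler, and a non-image blob.
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    fid = store_upload(png_like)
    print(fid, fetch_upload(fid)[0])          # <32 hex chars> image/png
    try:
        store_upload(b"not really an image")
    except ValueError as err:
        print(err)                            # upload rejected: not a recognised image
```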
Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are few things you will want to check.

Ensure you have a firewall set up, and are blocking all non-essential ports. If possible, set up a DMZ (Demilitarised Zone) allowing access only to ports 80 and 443 from the outside world. This might not be possible if you don’t have access to your server from an internal network, as you would then need to open up ports to allow uploading files and to remotely log in to your server over SSH or RDP.

If you are allowing files to be uploaded from the Internet, only use secure transport methods to your server such as SFTP or SSH.

If possible, have your database running on a different server from your web server. Doing this means the database server cannot be accessed directly from the outside world; only your web server can access it, minimising the risk of your data being exposed.

Finally, don’t forget about restricting physical access to your server.

08. HTTPS

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees to users that they’re talking to the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.

If you have anything that your users might want private, it’s highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to) but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request to your site that a logged in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.

That’s no longer as tricky or expensive as it once was though. Let’s Encrypt provides totally free and automated certificates, which you’ll need to enable HTTPS, and there are existing community tools available for a wide range of common platforms and frameworks to automatically set this up for you.

Notably Google have announced that they will boost you up in the search rankings if you use HTTPS, giving this an SEO benefit too. There’s a stick to go with that carrot though: Chrome and other browsers are planning to put bigger and bigger warnings on every site that doesn’t do this, starting from January 2017. Insecure HTTP is on its way out, and now’s the time to upgrade.

Already using HTTPS everywhere? Go further and look at setting up HTTP Strict Transport Security (HSTS), an easy header you can add to your server responses to disallow insecure HTTP for your entire domain.
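As an added example (not from the article), a small Python check in the spirit of the SecurityHeaders.io report mentioned in the tools section below: it parses a response’s Strict-Transport-Security header and flags policies that do not actually keep insecure HTTP out. The one-year threshold and the sample responses are assumptions constructed for the example.

```python
"""Added example (not from the original article): inspect a site's
Strict-Transport-Security header and report weak settings. Browsers only
honour this header on HTTPS responses, so send it there, not on redirects."""

ONE_YEAR = 31536000  # seconds; commonly recommended minimum max-age (assumption)

def parse_hsts(value):
    """Turn 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive per RFC 6797."""
    policy = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        policy[name.strip().lower()] = val.strip().strip('"')
    return policy

def check_hsts(headers):
    """Return a list of findings; an empty list means the policy is sound."""
    # Header names are case-insensitive too, so normalise before looking them up.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: browsers will still try plain HTTP"]
    policy = parse_hsts(value)
    findings = []
    try:
        max_age = int(policy.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not a number: browsers ignore the header"]
    if max_age == 0:
        findings.append("max-age=0 removes the policy rather than enforcing it")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is short; policy lapses after {max_age // 86400} days")
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG = {"content-type": "text/html",
          "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
```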

09. Website security tools

Once you think you have done all you can, it’s time to test your website security. The most effective way of doing this is with website security tools, in a process often referred to as penetration testing, or pen testing for short.

There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers will use, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods such as SQL injection.

Some free tools that are worth looking at:

  • Netsparker (Free community edition and trial version available). Good for testing SQL injection and XSS.
  • OpenVAS. Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before it became a closed-source commercial product.
  • SecurityHeaders.io (free online check). A tool to quickly report which security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework. A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.

The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical issues first. Each issue reported normally comes with a good explanation of the potential vulnerability. You will probably find that some of the medium/low issues aren’t a concern for your site.

If you wish to take things a step further, you can manually try to compromise your site by altering POST/GET values. A debugging proxy can assist you here, as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point.

So what should you be trying to alter on the request? If you have pages which should only be visible to a logged in user then I would try changing URL parameters such as user id, or cookie values, in an attempt to view details of another user. Another area worth testing is forms: change the POST values to attempt to submit code to perform XSS or to upload a server side script.

Hopefully these tips will help keep your site and information safe. Thankfully most CMSes have a lot of inbuilt website security features, but it is still a good idea to have knowledge of the most common security exploits so you can ensure you are covered.

There are also some helpful modules available for CMSes to check your installation for common security flaws such as Security Review for Drupal and WP Security Scan for WordPress.

    Source: http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853

Why SSL? The Purpose of using SSL Certificates

SSL is the backbone of our secure Internet and it protects your sensitive information as it travels across the world’s computer networks. SSL is essential for protecting your website, even if it doesn’t handle sensitive information like credit cards. It provides privacy, critical security and data integrity for both your websites and your users’ personal information.

SSL Encrypts Sensitive Information

The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.

SSL Provides Authentication

In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information. Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information. It is only possible to avoid this by using a proper Public Key Infrastructure (PKI), and getting an SSL Certificate from a trusted SSL provider.

Why are SSL providers important? Trusted SSL providers will only issue an SSL certificate to a verified company that has gone through several identity checks. Certain types of SSL certificates, like EV SSL Certificates, require more validation than others. How do you know if an SSL provider is trusted? You can use our SSL Wizard to compare SSL providers that are included in most web browsers. Web browser manufacturers verify that SSL providers are following specific practices and have been audited by a third party using a standard such as WebTrust.

SSL Provides Trust

Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal that instills more trust in your customers.

HTTPS also protects against phishing attacks. A phishing email is an email sent by a criminal who tries to impersonate your website. The email usually includes a link to their own website or uses a man-in-the-middle attack to use your own domain name. Because it is very difficult for these criminals to receive a proper SSL certificate, they won’t be able to perfectly impersonate your site. This means that your users will be far less likely to fall for a phishing attack, because they will be looking for the trust indicators in their browser, such as a green address bar, and they won’t see them.

SSL is required for PCI Compliance

In order to accept credit card information on your website, you must pass certain audits that show that you are complying with the Payment Card Industry (PCI) standards. One of the requirements is properly using an SSL Certificate.

Disadvantages of SSL

With so many advantages, why would anyone not use SSL? Are there any disadvantages to using SSL certificates? Cost is an obvious disadvantage. SSL providers need to set up a trusted infrastructure and validate your identity so there is a cost involved. This has been alleviated by increased competition in the industry and the introduction of providers like Let’s Encrypt. Performance is another disadvantage to SSL. Because the information that you send has to be encrypted by the server, it takes more server resources than if the information weren’t encrypted. The performance difference is only noticeable for web sites with very large numbers of visitors and can be minimized with special hardware in such cases.

Overall, the disadvantages of using SSL are few and the advantages far outweigh them. It is critical that you properly use SSL on all websites. Proper use of SSL certificates will help protect your customers, help protect you, and help you to gain your customers’ trust and sell more.

Source: https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html