Is email secure?

I met with an IT friend of mine and we had a discussion about security and email. I have been recommending that everyone use SSL or TLS to connect to their server when they are reading or writing emails.

Using SSL or TLS encrypts the connection between your email program and your server, so your login details cannot be read by a third party sitting on the network in between. Email programs that do not use SSL or TLS send the username and password in plain text. If that is intercepted, the password can be read, and a spammer could use your SMTP (sending) server to send out large volumes of spam, or read your mail and take over your account.

Once your email has reached your sending server it is relayed across the internet, often over several hops (mail relays), to the destination server. Encryption between servers is only opportunistic (STARTTLS, when both sides happen to support it), and each relay holds the message in plain text while it passes it on, so you cannot rely on that part of the journey being protected.

There are several mail systems out there and they all need to interoperate, but the bottom line is that, in the worst case, you should treat all email as insecure, even though best practice may be applied at the sending and receiving server ends of the system.
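As an added example (not code from the original post), here is a small PHP script that checks the point above against your own provider: it connects to the SMTP submission port, confirms the server advertises STARTTLS, and then upgrades the connection with certificate verification switched on, which is exactly what a correctly configured email program must do before it sends your password. The host name mail.example.org and the EHLO name are placeholders to replace with your own; reading mail (IMAP) is a separate port and is not probed here.

```php
<?php
// Added example: probe an SMTP submission port for STARTTLS support and a
// certificate that verifies for the host name. Host/port are assumptions.

function smtp_starttls_probe(string $host, int $port = 587, int $timeout = 10): array
{
    $out = ['starttls_offered' => false, 'tls_verified' => false, 'detail' => ''];

    // These options are used when the socket is later upgraded to TLS.
    // verify_peer/verify_peer_name make a forged or mismatched certificate a hard failure.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'peer_name'         => $host,
        'capture_peer_cert' => true,
    ]]);

    $fp = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        $out['detail'] = "connect failed: {$errstr} ({$errno})";
        return $out;
    }
    stream_set_timeout($fp, $timeout);

    // Read one SMTP reply; a '-' in column 4 marks a continuation line, a space marks the last line.
    $reply = function () use ($fp): string {
        $text = '';
        while (($line = fgets($fp, 1024)) !== false) {
            $text .= $line;
            if (strlen($line) < 4 || $line[3] === ' ') {
                break;
            }
        }
        return $text;
    };

    if (strncmp($reply(), '220', 3) !== 0) {           // greeting banner
        $out['detail'] = 'no SMTP banner';
        fclose($fp);
        return $out;
    }

    fwrite($fp, "EHLO probe.example\r\n");              // placeholder client name
    $ehlo = $reply();
    if (!preg_match('/^250[ -]STARTTLS\s*$/mi', $ehlo)) {
        $out['detail'] = 'STARTTLS not advertised: a client on this port would send its password in plain text';
        fwrite($fp, "QUIT\r\n");
        fclose($fp);
        return $out;
    }
    $out['starttls_offered'] = true;

    fwrite($fp, "STARTTLS\r\n");
    if (strncmp($reply(), '220', 3) !== 0) {
        $out['detail'] = 'server refused STARTTLS';
        fclose($fp);
        return $out;
    }

    // Upgrade the plain socket to TLS. With verify_peer set this returns false
    // when the certificate does not validate, which is the failure you want to see.
    $ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    if ($ok !== true) {
        $out['detail'] = 'TLS handshake or certificate verification failed';
        fclose($fp);
        return $out;
    }
    $out['tls_verified'] = true;

    $cert = stream_context_get_options($fp)['ssl']['peer_certificate'] ?? null;
    if ($cert !== null) {
        $info = openssl_x509_parse($cert);
        $out['detail'] = sprintf('certificate CN=%s, expires %s',
            $info['subject']['CN'] ?? '?', date('Y-m-d', $info['validTo_time_t']));
    }

    fwrite($fp, "QUIT\r\n");
    fclose($fp);
    return $out;
}

print_r(smtp_starttls_probe('mail.example.org'));   // replace with your provider's server
```

A result with starttls_offered false means the provider's submission port cannot protect your login at all and you should use a different port (465 with implicit TLS, if offered) or a different provider; tls_verified false with STARTTLS offered usually means an expired or mismatched certificate, which an email program set to verify certificates will also refuse.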

Continue reading Is email secure?

Have I been Pwned?

No, that was not a typo. Have I Been Pwned is a website that holds data from known data breaches. It is not clear whether it lists every breach in the public domain or only a selection. You enter an email address, the site checks it against the information it holds, and it tells you whether a match was found.

I tried one of mine and it returned several results, indicating that my email address and an associated password for an online account are in public circulation. It also shows whether your email address is on spam lists.

I have seen two kinds of result from data breaches. One indicates that your email address exists in a list somewhere that is in circulation (typically a junk mailing list); you cannot do much about this. The other tells you the website from which your email address AND a password leaked. In the latter case you should be concerned if you were previously unaware of it, and change that password anywhere you have used it.

Continue reading Have I been Pwned?

Password Protected Pages in Divi

On many Home-Start sites, and on some of the regional charity websites, I have included one or more password-protected pages. You can add these yourself: it is controlled in the editing view of the page or post, on the right-hand side where it refers to Visibility. You have the following options available:

  • Public
  • Public (and stick to the front page)
  • Password Protected 
  • Private

Items are normally set up as Public. If you use Public and stick to the front page, check what it does first; it may not work as you expect because it depends on the template. Bear in mind that a password-protected page uses one password shared by everyone who needs the page, so it suits content you would rather keep off the public listing, not anything genuinely confidential.

Password protected pages in Divi

There is an annoying problem with password-protected pages in Divi: the first time you try to open one you will see small writing on the left and a button on the right. On a wide screen these look totally disconnected and it is not obvious what to do. If you have a non-Divi website you are unaffected.

Continue reading Password Protected Pages in Divi

GDPR

Following my offer to review and upgrade sites to provide improved security for GDPR (see this item), and to include a Privacy Statement or Policy from the organisation, I have modified 17 of the 130 sites.

Many organisations do not appear to have done anything, and one could argue that not much has happened since the GDPR deadline. If you have not taken any action, I would encourage you to do so. Most of GDPR applies to what you do behind the scenes in your internal operations, and I cannot help you there, but there are parts that affect your website, and with those I can help.

Contact me for more help.

Google Recaptcha version 2

Personally I use Chrome for most of the work I do on a computer. I may use MS Edge (rarely) or Firefox to test outside the Google Chrome environment. While doing some of that testing I was surprised to find that it can be difficult to enter the right information to get past the Google Recaptcha 2 screen below.

Sometimes I have had to go through three iterations to get through. I have noted in

Continue reading Google Recaptcha version 2

Check your contact forms

Some time ago I mentioned that my preferred form manager had been withdrawn from the WordPress plugin library. This plugin was called FS Contact Form. At the time I had not found a suitable replacement that did everything FS Contact Form did; I have resolved that now. If you have it in your installation you can check on the Plugins page, or under Settings. If you can see FS Contact Form, you have it on your website. If you can see Contact Manager in your plugins list, that is even older and should also be replaced.

There has been one instance where the FS Contact Form plugin stopped working. I am not sure why; it could have been a conflict with another plugin. I want to encourage all of you to test your forms once a month by sending a message to yourself. That way you can be sure they are working.

Continue reading Check your contact forms

Securing mail from your website to a mailbox

By default a WordPress installation sends mail through the web server's own mail function: it does not log in to a mailbox to send the message and it does not encrypt the connection the message leaves on. Email cannot be confirmed to be end-to-end secure unless you know that both the sending and the receiving side use encryption and are set up correctly, but you can encrypt the legs you control so that the message is protected from the website to the mailbox. If it is your mailbox, and your mail client connects to it over SSL/TLS, then every hop is encrypted. If the website itself runs over SSL and its address starts with https:// (98% of them do now), then what a user types into a form is encrypted on the way to the site as well. The whole path from the user's browser, through your contact form, and from the website to your receiving mailbox is then encrypted and cannot be read in transit as plain text. Note that this is transport encryption: the mail server that holds the mailbox still handles and stores the message in the clear, so it protects against eavesdropping on the network, not against whoever runs the server.

How do I make the changes

Log into your website and go to Plugins.
Search for WP Mail SMTP, locate it and install it.

Continue reading Securing mail from your website to a mailbox
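For anyone who would rather see what the plugin is doing under the hood, here is an added example (not the WP Mail SMTP plugin's code, nor anything from the original post) of the same change made directly: a must-use plugin that hooks WordPress's own phpmailer_init action so that every wp_mail() call, including contact-form messages, goes out through an authenticated SMTP login over STARTTLS with the server certificate verified. The constant names EXAMPLE_SMTP_HOST, EXAMPLE_SMTP_USER and EXAMPLE_SMTP_PASS are this example's own choice and are assumed to be defined in wp-config.php; the server and mailbox names are placeholders.

```php
<?php
/*
Plugin Name: Example: send site mail over authenticated SMTP with TLS
Description: Added example for this post. Place in wp-content/mu-plugins/ and
define the EXAMPLE_SMTP_* constants in wp-config.php, e.g.
  define('EXAMPLE_SMTP_HOST', 'mail.example.org');       // placeholder
  define('EXAMPLE_SMTP_USER', 'website@example.org');    // placeholder mailbox
  define('EXAMPLE_SMTP_PASS', 'mailbox-password-here');  // placeholder
Credentials stay in wp-config.php so they never end up in a theme or repository.
*/

// Send from the authenticated mailbox; many providers reject a From address
// that does not match the login, and it keeps SPF/DKIM for the domain intact.
add_filter('wp_mail_from', function ($from) {
    return defined('EXAMPLE_SMTP_USER') ? EXAMPLE_SMTP_USER : $from;
});
add_filter('wp_mail_from_name', function ($name) {
    return get_bloginfo('name');
});

// phpmailer_init runs just before WordPress hands the message to PHPMailer.
add_action('phpmailer_init', function ($phpmailer) {
    if (!defined('EXAMPLE_SMTP_HOST') || !defined('EXAMPLE_SMTP_USER') || !defined('EXAMPLE_SMTP_PASS')) {
        return; // unconfigured: leave the default (unencrypted) mail() path alone
    }

    $phpmailer->isSMTP();
    $phpmailer->Host     = EXAMPLE_SMTP_HOST;
    $phpmailer->Port     = 587;                // submission port
    $phpmailer->SMTPAuth = true;
    $phpmailer->Username = EXAMPLE_SMTP_USER;
    $phpmailer->Password = EXAMPLE_SMTP_PASS;

    // 'tls' means STARTTLS is required before the login is sent. Leaving this
    // empty would make the upgrade opportunistic, and a server (or an attacker
    // in the middle) that does not offer STARTTLS would receive the password in
    // plain text. Use 'ssl' with port 465 if your provider only offers implicit TLS.
    $phpmailer->SMTPSecure = 'tls';

    // Refuse servers whose certificate does not verify for the host name.
    $phpmailer->SMTPOptions = ['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    ]];
});

// Record delivery failures so a broken form does not fail silently between
// the monthly "send a message to yourself" tests.
add_action('wp_mail_failed', function ($error) {
    error_log('wp_mail failed: ' . $error->get_error_message());
});
```

After dropping the file in place, submit your own contact form once and check both the mailbox and the PHP error log: a failed TLS handshake or a rejected login shows up there as a wp_mail failed line rather than as a form that appears to work but delivers nothing.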

Do You Send Newsletters?

New recommendations for Newsletters

Some of you are using MailPoet on your websites to generate newsletters. I have run into a lot of problems sending out my newsletter this month and have had to send it three times. I checked through my logs and found that a very small number went out last month as well. I have been investigating what has happened. The top two entries in the image below show there is a problem: rather than a 65%+ open rate, there is a 4% open rate.

Continue reading Do You Send Newsletters?

More on GDPR and your hosting

Updated for May 2018

Somebody shared with me a PDF offer from their hosting company offering to check and lock down their website for a single payment of £497, proposing that this would be suitable evidence for the ICO, if they ran into problems later, that they had tried to meet the requirements of GDPR. I have seen quite a few examples of people trying to make money out of it, some pretty outrageous, but it comes with the territory.

For my client base I have looked critically at the website and email side of things, and there are some things worth doing to firm up security. This is my list; if you want me to work through it for your site (I explain why against most of the items below) it is a one-off charge of £50. In some cases I have already actioned some of these things on some sites, such as turning on SSL for most people and setting up off-site backups. Over the past two months more and more of my time has been taken up doing things for free. Unfortunately I still have expenses to cover, so I cannot do everything for free.

Am I covered for GDPR if I do all of these things?

The short answer is no. The actions listed below cover and protect one part of your information-gathering systems, but GDPR is more about what you do internally in your office: how you handle the data and protect it. You still need to do that work. It starts with a Data Protection Impact Assessment (link to ICO website). Please make sure you have read and understood what GDPR is all about; your website and email systems are a small part of it.

Continue reading More on GDPR and your hosting

What you don’t know can’t kill you

Many charities independently buy hosting and build a website, or someone else builds it for them, and then they take no further action. There is a flaw in this: not all website hosting works as smoothly as you may think, and as you will see in this article, sometimes things happen that substantially break a site … and you are unaware of it.

Over the past two weeks I have raised around 10 support cases with the hosting provider we are using. They have been brilliant over the past year; I have no regrets about moving to them, and the sites are generally trouble-free. Since we moved to them last year I have raised 178 support cases on your behalf. You never knew that, did you?

Continue reading What you don’t know can’t kill you