Securing mail from your website to a mailbox

By default a wordpress installation uses a method of sending mail that does not use a mailbox to send the message and does not encrypt the message. Email cannot be confirmed to be end to end secure unless you know the receiving or sending person is using encryption and is set up correctly; you can encrypt mail in the places where you control email so that it is encrypted from the website to the mailbox. If it is your mailbox, and you know that your mail client is set up correctly with encryption, then you have end to end security. If the website is running over SSL and the address starts with https:// (98% of them are now), then a user entering information into a form is also encrypted. So the path from the users browser, through your contact form, from the website to your receiving mailbox is encrypted and cannot be intercepted as plain text.

How do I make the changes

Log into your website and go to Plugins.
Seatch for WP Mail SMTP, locate it and install it. Continue reading Securing mail from your website to a mailbox


Do You Send Newsletters?

New recommendations for Newsletters

Some of you are using Mailpoet on your websites to generate newsletters. I have run into a lot of problems sending out my newsletter this month, I have had to send it three times. I checked through my logs and found that a very small number came out last month as well. I have been investigating what has happened.  The top two entries in the image below show there is a problem because rather than a 65%+  opening rate, there is a 4% opening rate.

Continue reading Do You Send Newsletters?


More on GDPR and your hosting

Updated for May 2018

Somebody shared with me a PDF offer from their hosting company offering to check and lock down their website for a single payment of £497, and proposed that this would be suitable evidence to the ICO office if they ran into problems later that they had tried to meet the requirements of GDPR. I have seen quite a few examples of people trying to make money out of it, some are pretty outrageous, but it comes with the territory.

For my client base I have looked critically at the website and email side of things and there are some things that are worth doing to firm up on security. This is my list, if you want me to work through this list (I mention why in most of the items below) it is a one off charge of £50. In some cases I have already actioned some of these things below on some sites such as turning on SSL for most people and setting up offsite backups. This past two months, more and more of my time is being taken up doing things for free. Unfortunately, I still have expenses to cover, so I cannot do everything for free.

Am I covered for GDPR if I do all of these things?

The short answer is no. The actions listed below cover and protect one part of the information gathering systems. But GDPR is more about what you do internally in your office, how you deal with the data and protect it. You still need to do that work. It starts with a Data Protection Impact Assessment (link to ICO website). Please make sure you have read and understood what GDPR is all about. Your website and email systems are a small part of it.  Continue reading More on GDPR and your hosting


What you don’t know can’t kill you

For many charities they may independently buy hosting and build a website, or someone else builds it for them and they don’t take any more action. There is a flaw in this, not all website hosting works as smoothly as you may think it does, and as you will see in this article, sometimes things happen which will substantially break a site, ….. and you are unaware of it.

Over the past two weeks I have raised around 10 support cases with the hosting provider we are using. They have been brilliant over the past year, I don’t have any regrets moving to them, the sites are generally trouble free. Since we moved to them last year, I have raised 178 support cases on your behalf, you never knew that did you? Continue reading What you don’t know can’t kill you


Changes to incorporate SSL

With GDPR coming along shortly, I am working my way around the hosting accounts and where it is possible, I am enabling a security certificate for each domain.

Unlike the previous hosting we were in, this one offers free security certificates, they normally cost around £75 per year. They are free to me, so they are free to you.

What does this mean?

It means that when a visitor comes to your website they do not go to http:// they go to https:// the “s” is important because it means the data going to and from the website is generally* encrypted. I will explain why I have said “generally” in a moment”.  SSL means Secure Socket Layer.

What is particularly important is anything entered into a form is encrypted between the user and the website, and therefore nobody can intercept it on the wire. When your site was first built we were not able to use SSL certificates, and all requests and data entered between a client and the server were in plain text. If they could be intercepted then they could be read.  Continue reading Changes to incorporate SSL


GDPR Resources

The following is a list of sites referring to GDPR

Some of these may be touting for business. If they are, that is not why they were chosen to be included in this list. You may find some useful guidance here that relates to your organisation and what you need to do.

I am aware that some of the parent organisations of the charities I support are running training on GDPR and as such you are probably adequately covered for your operations. Others though have no centralised guidance, so are being left to their own devices. Hopefully these links will help, along with other things I have published on this site.

Information Commissioner Site

Start here:

Probably answers most questions and is a comprehensive plain language guide.

General Resources

Commercial site offering guidance

What is personal information?

Is an IP address Personal Information?


GDPR Privacy Notice

GDPR (General Data Protection Regulation) is due to come into force from the 25th of May. Everyone processing data in any form will be subject to the requirements of this new regulation. 

I  have been researching the implications of the regulation with regards to your website, and have attempted to put an example notice together which will help to cover the regulation. First though some caveats. Continue reading GDPR Privacy Notice


Emerging GDPR

Chances are this affects your organisation

GDPR stands for General Data Protection Regulation, which will become law in May of this year. It tightens up on existing Data Protectionregulations. It does have implications for everyone on the web, but it also extends to your back office systems (so beyond your website and email systems and our relationship) where you have recorded in any form; personal information.

Right now I have not read it all. I will return with some recommendations or things to think about in late Feb or early March. In terms of your websites, there may be things you need to do. For any CRM (Customer Relationship Management System) or any database or method for recording personal information, you will be affected. So do not ignore it.

Information Commisioner Office

You can start by going to this link and reading the material there: ICO GDPR.

Online learning course

A colleague has also pointed out that there is a self guided course available for free which takes around 3hrs. I have not looked at this yet, but do check it out. Go to Future Learn.   I have not validated either of these yet. Do not pay anyone any money just in case there is a solicitation for money (unless you wish to). Guidance on the regulations should be available from multiple sources for free. I suspect that there will be a lot of FUD as well (Fear Uncertainty and Doubt) peddled by some consultants seeking to help you for a fee. So do take care. Continue reading Emerging GDPR


Fast Secure Contact Form

Some of the websites I have built use a plugin called Fast Secure Contact Form. It was a very popular form handler highly regarded by users written by Mike Challis.  The plugin was sold to a third party in June of this year and the new owner attempted to manipulate the code in the plugin to set up adverts.

Please check ASAP whether the version that is currently in use on your website is version 4.0.56. You can do that by logging in, and going to the Plugins page and look down the list. You will see an entry similar to the one below which includes the version number.

If you have version 4.0.56 you are OK! Don’t panic. 

If your site is at an earlier version contact me immediately and I will sort out updating it. 

(update: 6:00am 27/9/17 Nobody has reported a problem so far, all sites have upgraded automatically. That was to be expected. If you cannot find Fast Secure Contact form another method is used for forms on your website. Probably Form Manager. You are not affected by this notice.)

Why is this important?

Continue reading Fast Secure Contact Form