Maybe showing my age here, by using a bit of Cat Stevens' lyrics, but it's true, the world wide web is a wild and dangerous place. Just as a "user" you are subjected to emails, the least harmful of which want you to buy Viagra; others try to trick you into divulging sensitive information, or worse, infect your computer with a trojan virus to later do the villain's dirty work.
If you are reading this, you are a user and have no doubt encountered some or all of these types of dangers.
It's even worse if you run a website because not only is your own computer a potential victim, but now your web server will be preyed upon, continually poked and prodded in an effort to find a weak link in your security chain.
Over the past 2 years I've cleaned up about 20 infected web servers. In almost every case I find the weak link that allowed the server to be compromised in the first place. All too often, the weak link was the site owner, who for whatever reason didn't take their web server's "security" seriously.
So why, oh why does one go to all the trouble to create a spiffy website only to leave it unprotected ?
In my experience, the website owners consider themselves "little fish" and assume that an actual hacker won't target them, the classic "what could they possibly want with my little corner of the internet?"
What they are after differs, but it all starts the same way, by compromising your web server. Then they may simply use it to attempt to hack bigger fish, except now those attacks come from your web server.
Maybe they are after the email addresses in your site's database, or if you run an e-commerce site, they may be looking for retrievable credit card info. Basically, what they are after is irrelevant. If they get in, they'll find some way of leveraging that access to their advantage and likely to your demise.
If you are a website owner, there are of course concerns about the code that makes your website go. Is it susceptible to SQL injection or XSS attacks? But again, and granted only in my experience, the weakest link is you.
Do you use FTP ?
FTP is just plain bad in many respects, most notably due to the fact that user names and passwords are sent unencrypted. There are trojan viruses that look for the telltale signs of an FTP login and convey that info to the bad guys. Since it's not encrypted, they can be in your web server running amok within seconds after you log in.
Look into disabling FTP and enabling SSH. With SSH enabled you can use the SCP protocol to upload files. Since SCP rides on an SSH connection, everything is encrypted. I use a program called WinSCP, which is very intuitive if you've used an FTP program before. It also has some pretty nifty features I've never seen in an FTP program.
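To find out which accounts still log in over plain FTP before you switch it off, here is an added example (not part of the original post) that scans client-to-server lines from FTP control connections and lists the logins that crossed the wire readable. The sample lines, session ids and the `find_cleartext_logins` helper are constructed for illustration, and a client `AUTH` command is assumed to mean TLS was negotiated successfully.

```python
import re

# Constructed sample: client-to-server lines from FTP control channels (port 21),
# as (session id, line) pairs. All user names and passwords are made up.
SAMPLE_CONTROL_LINES = [
    ("s1", "USER webmaster"),
    ("s1", "PASS MyS1t3"),
    ("s1", "STOR index.html"),
    ("s2", "AUTH TLS"),            # explicit FTPS: the login that follows is encrypted
    ("s3", "USER anonymous"),
    ("s3", "PASS guest@example.com"),
    ("s4", "user backup"),         # FTP commands are case-insensitive
    ("s4", "pass hunter2"),
]

COMMAND = re.compile(r"^\s*([A-Za-z]{3,4})(?:\s+(.*?))?\s*$")


def find_cleartext_logins(lines):
    """Return one finding per USER/PASS pair that was sent unencrypted."""
    pending_user = {}   # session -> user name seen, waiting for its PASS
    encrypted = set()   # sessions that asked for TLS before logging in
    findings = []
    for session, line in lines:
        m = COMMAND.match(line)
        if not m or session in encrypted:
            continue
        verb, arg = m.group(1).upper(), (m.group(2) or "")
        if verb == "AUTH":
            # Assumption: the server accepted the TLS request.
            encrypted.add(session)
        elif verb == "USER":
            pending_user[session] = arg
        elif verb == "PASS" and session in pending_user:
            user = pending_user.pop(session)
            findings.append({
                "session": session,
                "user": user,
                "password_length": len(arg),   # report the length, never the password
                "anonymous": user.lower() in ("anonymous", "ftp"),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CONTROL_LINES):
        action = "ignore" if f["anonymous"] else "move to SCP and change the password"
        print(f"{f['session']}: {f['user']} logged in over plain FTP -> {action}")
```

Every non-anonymous account it reports should be treated as already exposed: move it to SCP and change its password.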
Is your password good ?
This likely seems obvious, but I'm continually amazed at how many web site owners have their passwords set to something that a brute force attack would easily plow through. Be sure to use a mixture of upper & lowercase letters and numbers.
mysite BAD
MySite Better
MyS1t3 PDG (pretty damn good)
Do you use a commonly exploited email program ? (Outlook anyone)
I try to keep my Micro$oft bashing under wraps, but in this case, for your safety.. if you must use Outlook (or Outlook Express) be aware that it is the primary program used to convey viruses to your computer. Even with up to date anti-virus software running you are still vulnerable. Consider using a web based email client which can greatly reduce the likelihood of a virus reaching your own computer.
Do you use up to date anti-virus software ? .. is it reputable, effective ?
If I had a nickel for every time I heard, "I can't be infected, I'm running XYZ anti virus!" where XYZ is either reputable, but known to be easily circumvented (sorry Norton) or some fly by night coder in a basement somewhere that has no intention of updating virus definitions.
One word.. AVAST
Reputable, effective, and free, although it is certainly worth the nominal price they ask for their commercial version.
So there you have it. The weakest link in your web server's security chain is likely you, and the computer you are using right now.
Sunday, August 15, 2010
Wednesday, July 21, 2010
Top on site SEO blunders
You may not know it from looking at this blog, but I've been delving into on-site SEO since about 2003. In that time, I've discovered SEO is not so much about knowing what to do, it's primarily about knowing what not to do.
In fact, roughly 50% of my SEO related work has been un-doing what some other SEO "expert" did. Nothing ruins a web based project like getting penalties or banned from Google. And Google has a fleet of some pretty smart folks whose sole reason for being is finding attempts to artificially influence their search results and then penalizing or banning the offending sites.
I only do "on-site" SEO work because I think I'd rather wash dishes or dig ditches for a living than link build. Nevertheless, link building is a crucial step, but wasted if the on-site elements squander it away. So before you start with off-site SEO, probably best to work on the on-site stuff first.
Of course you'll want to ensure your pages display correctly, are readable, informative or at least entertaining, and that they use valid HTML, CSS etc. After all, what's the point in getting people to your pages if they don't look right? Instead, I'll try to focus on the things you just might not think of.
So, here we go. Ask yourself these questions ...
- Do all your pages have unique title, meta keyword and meta description tags?
Likely your site has more than one page and while you'll probably want your site name in the title, I'd suggest that each page have something unique in the title as well as the meta tags.
- Navigating your site, do you ever reach "dead-ends" AKA orphaned pages ?
Just like people, search engine spiders like Googlebot need to be able to get from one page to another, so ensure every page includes at least a link back to your home page. Creating a HTML site map page and including a link to it on every page is also a good idea.
- Viewing the source of your pages, do you have to scroll down through dozens of lines of javascript and inline styling to get to the legible content?
With all the nifty pointy clicky WYSIWYG web editors out there it is far too easy to create a page where the actual content is so far down in the HTML code that search engines don't give it the value it deserves. Using external stylesheets, and combining multiple javascript snippets into one or two external files will certainly help. Basically you want your textual content to appear as close to the opening BODY tag as possible. Using CSS positioning, you could create a div right after the opening body tag filled with your unique and quality content, and positioned to display after your site header, navigation and other non-unique page elements.
- Are your keywords "sprinkled" about ?
I know I've harped about this one before, but keyword over stuffing is likely the biggest cause of sites being penalized by Google that I've encountered. There is no magic number, but there certainly is a limit to how often your keywords should appear. If you just focus on writing informative content, sprinkling your keywords so that the text reads as if you are speaking to your visitors, you should do well in avoiding over stuffing penalties. Still, it doesn't hurt to check your keyword density, and that of your competitors, to ensure you are in the ball park.
- Is relevant content to your site's topic actually text?
Try this little test. Open your website in a browser, use the edit menu to "select all", then "copy". Now open a text editor like notepad and paste your content in. Reading this as if you've never read it before, is it clear what the site is about? Are your keywords near the top of the page? If much of your site's content is conveyed with images, javascript and Flash widgets which aren't seen by search engine spiders, you are shooting yourself in the foot. This test is actually the first thing I do when looking to improve a site's search engine performance. It is also how I usually discover sites using the decade old black hat technique called text cloaking, like white text on a white background. This is just plain bad. Google and likely most other search engines will see it for what it is, and if you are lucky, ignore it. Not so lucky? Banned.. next?
- Are you honest?
Ok, I admit, that's a loaded question. What I mean is do you have overly self important elements in your pages? Like the Revisit meta tag, meta name="Revisit-After" content="1 Days", or perhaps an XML sitemap with "changefreq" set to "daily". Do you actually update your site every day? Another common blunder in sitemap.xml files is having every URL with "priority" set to "1.0".
Simply put, not all pages are created equally. Be honest and realistic. Incidentally, the Revisit-After meta tag is completely ignored by Google, but may be used by other search engines, so a realistic value there certainly won't hurt.
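The sitemap honesty check described above can be automated. This is an added example, not code from the original post: the sample sitemap, the `audit_sitemap` helper and the 30-day staleness threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample sitemap; URLs and dates are made up.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc><lastmod>2010-07-20</lastmod>
       <changefreq>daily</changefreq><priority>1.0</priority></url>
  <url><loc>https://example.com/about</loc><lastmod>2008-01-05</lastmod>
       <changefreq>daily</changefreq><priority>1.0</priority></url>
  <url><loc>https://example.com/contact</loc><lastmod>2007-11-30</lastmod>
       <changefreq>daily</changefreq><priority>1.0</priority></url>
</urlset>"""


def audit_sitemap(xml_text, today, stale_days=30):
    """Return warnings for claims the sitemap makes that its own dates contradict."""
    root = ET.fromstring(xml_text)
    urls = root.findall("sm:url", NS)
    warnings = []

    # The sitemap protocol's default priority is 0.5 when the element is absent.
    priorities = {float(u.findtext("sm:priority", "0.5", NS)) for u in urls}
    if len(urls) > 1 and priorities == {1.0}:
        warnings.append("every URL has priority 1.0, so priority tells crawlers nothing")

    for u in urls:
        loc = u.findtext("sm:loc", "", NS).strip()
        freq = u.findtext("sm:changefreq", "", NS).strip().lower()
        lastmod = u.findtext("sm:lastmod", "", NS).strip()
        if freq in ("always", "hourly", "daily") and lastmod:
            # lastmod may carry a time part; the first 10 characters are the date.
            age = (today - date.fromisoformat(lastmod[:10])).days
            if age > stale_days:
                warnings.append(f"{loc}: changefreq={freq} but lastmod is {age} days old")
    return warnings


if __name__ == "__main__":
    for w in audit_sitemap(SAMPLE_SITEMAP, today=date(2010, 7, 21)):
        print(w)
```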
Some of the points above I touched on long ago here and here which might be worth reading.. maybe if you are so inclined.
There are also of course off site blunders which are either a waste of time & resources, or potentially damaging to your site, but I've rambled long enough. I'll try to point some of those out next time.