WordPress Brute Force Attack 2016

Date: Monday 28 March 2016
There’s currently a massive brute force attack taking place against WordPress websites. My site is currently being hit dozens of times a minute from IP addresses from all over the world – must be a bot-net.

Take precautions and lock-down your site from attempted logins until it’s over. Consider installing Wordfence, it has a very good free version.

How to speed up WordPress (and other websites)

21 ways to make your website faster

WordPress, like many other Content Management Systems (CMS) and websites, can suffer from being a little sluggish. There are a huge number of different things that affect the speed of your website. Some are easy to solve, while others can be more difficult or require additional expense. Ideally you want pages on your site to fully load within a couple of seconds. Why? Visitors are impatient and may leave your site if it’s too slow, and Search Engines (particularly Google) are increasingly using site speed as a ranking factor in search results.

Is my website slow? Test your website speed

First of all, you need to know what you’re up against, so run a test on your website. Google has an excellent website speed testing tool that also tells you how to fix the issues it finds. Pingdom.com also has a useful website speed checker, which actually gives more in-depth results than Google’s.

Once you’ve got your website speed it’s time to look at things in a little more depth.

Why is my website slow?

Quite simply, the faster your website responds, the better. Visitors can do what they came to do more quickly, so they are less likely to get frustrated and leave before they’ve finished.

There are lots of reasons why a website could be slow, and most of them apply to every website and CMS, not just WordPress.

How to speed up your website?

Check your hosting provider

This is really the first thing you need to consider. The specification of the servers that your hosting provider uses will dictate a lot regarding the performance of your website. The cheapest hosting will typically share a server amongst lots of other websites, degrading the performance as a number of websites are trying to be served simultaneously.

Most small sites are fine on shared servers, but if it is causing you problems, shop around for a better service.

Keep everything up-to-date

Updates to your CMS, themes and plugins aren’t just improvements to security and functionality. Updates also often provide a faster and more streamlined version.

Choose a good theme

‘Good’ in this instance doesn’t mean something that looks nice, it means something that’s well-coded and fast. Bloated or poorly coded themes can really slow things down. The standard themes offered by WordPress are safe, though may not be as good-looking as you’d like.

Delete unused items

I, like many people, am guilty of keeping additional themes and plugins installed even though I’m not using them. Clearing the clutter frees up space and reduces load on your server, and it also removes code that could otherwise become a security weakness. The same applies to your database: keep it clean, and delete things such as post revisions you no longer need.

Identify demanding plugins

For WordPress you can use the P3 Profiler Plugin to identify which plugins are slowing down your site. If some are having a particularly detrimental impact, consider finding a better coded alternative, or doing without it.

Use code, rather than plugins

Plugins are great, extremely useful, and provide excellent functionality, though sometimes we can be a little lazy and use plugins where maybe they’re not strictly required. If you can code something yourself instead of using a bloated plugin, then do so.

Install Gzip

Gzip compresses your pages, stylesheets and scripts on the server and sends the compressed version to the visitor’s browser, which uncompresses and displays them. For text files it typically cuts the transfer size by two-thirds or more, and there’s little reason not to use it. The one caveat is that compressing HTTPS responses that contain both a secret (such as a CSRF token) and attacker-controlled input exposes the BREACH side channel; for a typical blog that is a minor concern. You can check whether Gzip is enabled by looking for a Content-Encoding: gzip response header in your browser’s developer tools. If it isn’t, you can use a plugin to enable it, or ask your host.

Use a CDN (Content Delivery Network)

In the simplest terms, a CDN takes your static files (such as images and JavaScript) and lets visitors download them faster by serving them from fast servers located closer to the visitor. The Jetpack plugin for WordPress includes a CDN. Some CDNs are paid services.

Compress your images

Images are usually amongst the largest files which you have on your website. Photographs in particular can often be very large. Images can easily be several megabytes in size, especially as newer mobile phones and cameras take much larger photos than they did just a few years ago. You can either compress the images before you upload them, or use a plugin. ShortPixel is pretty good, though there are monthly usage caps unless you pay.

Disable Hotlinking

Hotlinking is also sometimes referred to as leeching. It’s where another website embeds your images (or links directly to your files) so that they display on that site while being served by your server. There are legitimate uses for this, but it can cause problems, especially if your site becomes popular and many sites are hotlinking your content, because every visitor to their pages sends requests to your server and degrades its performance.

You can disable hotlinking by editing the .htaccess file on your server: add the code below, substituting your own domain for the one in the allow list. The check relies on the Referer header the browser sends, which is trivially spoofed and sometimes absent (the rule lets empty referers through so that direct visits still work), so treat it as a bandwidth saver, not an access control. If you’re not comfortable doing this, speak to your hosting provider.

# Disable hotlinking of images: requests whose Referer is another site get 403 Forbidden.
# Replace example.com with your own domain (the snippet this was copied from carried
# a different site's domain, which would block your own pages from loading your images).
# Add a RewriteCond line for each other site, e.g. a feed service, that you want to allow.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [NC,F,L]

Host video externally

This is essentially hotlinking in reverse: you let someone else’s server do the heavy lifting. It’s a good idea to upload videos to a site built for hosting them, such as YouTube or Vimeo, and embed them in your pages. Their servers are far more powerful than yours and can stream high-definition video smoothly, whereas serving it yourself would probably mean buffering and choppy playback.

Use browser caching

Browser caching is only really of use to return visitors and to those browsing several pages of your site. The browser cache stores static files on the visitor’s computer so that they can be reused rather than downloaded from your server every time. You can specify which files are cached and for how long by editing the .htaccess file, or by using a plugin. Example code is below, but once again, contact your hosting provider if you’re unsure. Two caveats: with a month-long max-age, a changed stylesheet or script is only picked up by return visitors if its URL changes (WordPress appends a ?ver= query string to the files it enqueues for exactly this reason), and setting Cache-Control on .php output overrides the no-cache headers WordPress itself puts on the login page and admin area, so take .php out of the rule if logged-in users see stale pages.

#
# associate .js with "text/javascript" type (if not present in mime.conf)
#
AddType text/javascript .js

#
# configure mod_expires
#
# URL: http://httpd.apache.org/docs/2.2/mod/mod_expires.html
#
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType image/x-icon "access plus 2692000 seconds"
ExpiresByType image/jpeg "access plus 2692000 seconds"
ExpiresByType image/png "access plus 2692000 seconds"
ExpiresByType image/gif "access plus 2692000 seconds"
ExpiresByType application/x-shockwave-flash "access plus 2692000 seconds"
ExpiresByType text/css "access plus 2692000 seconds"
ExpiresByType text/javascript "access plus 2692000 seconds"
ExpiresByType application/x-javascript "access plus 2692000 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>

#
# configure mod_headers
#
# URL: http://httpd.apache.org/docs/2.2/mod/mod_headers.html
#
<IfModule mod_headers.c>
# static assets (icons, images, Flash, CSS, JS): cache for a month, shared caches allowed
<FilesMatch "\.(ico|jpe?g|png|gif|swf|css|js)$">
Header set Cache-Control "max-age=2692000, public"
</FilesMatch>
# pages: cache for ten minutes in the browser only, and check back once stale.
# Note: this overrides headers set by PHP, including WordPress's own no-cache
# headers on wp-login.php and the admin area; drop "php" from the match if that bites.
<FilesMatch "\.(x?html?|php)$">
Header set Cache-Control "max-age=600, private, must-revalidate"
</FilesMatch>
Header unset ETag
Header unset Last-Modified
</IfModule>

Minify CSS & JavaScript

As you install themes, plugins and add-ons, the number of individual CSS and JavaScript files grows, increasing both the amount of data transferred and the number of requests sent to your server.

Files should be optimised either manually or automatically to reduce the file size and consolidate them where possible.

There are plugins available, such as Better WordPress Minify, that automatically minify and consolidate your CSS and JavaScript files for you. Personally though, I’ve had little success in using plugins to minify files, as the process has frequently broken plugins. This is just my experience however, you may have better luck.

Use CSS instead of images

It wasn’t that long ago that achieving simple effects, such as drop shadows or uncommon fonts, meant using images. Now, with HTML5 and CSS3, these and many other effects can be achieved with a few lines of code.

Replace PHP with HTML where possible

This might be difficult to achieve, and possibly beyond the skill set of some people who manage website content. A PHP page is assembled on the server every time it is requested: the code runs, usually queries the database, and only then sends HTML to the browser. A static HTML file, by contrast, is simply read from disk and sent, so it is served far faster and puts much less load on the server.

Remove unnecessary widgets

In particular I’m referring to sharing widgets that allow people to share content on your site on social media channels. These can cause considerable slowdown, so it’s worth only keeping them on relevant pages. Also consider using the simplest version of the widgets you can.

Specify image dimensions

As a page loads, the browser has to work out the size of each element before it can lay the page out. If you specify the width and height of images, the browser can reserve the space straight away instead of waiting for each image to download to discover its size, and the content doesn’t jump around as images arrive.

Enable ‘Keep Alive’

‘Keep Alive’ lets the visitor’s browser reuse one TCP connection for several requests (the page, then its stylesheets, scripts and images) instead of opening a new connection for every file. This saves the connection set-up time on each request and some bandwidth.

The snippet below, which is widely passed around for .htaccess, adds the header to your responses. Be aware that whether Apache actually keeps connections open is decided by the server-wide KeepAlive directive, which cannot be changed from .htaccess (most hosts already turn it on); if the header makes no difference, ask your hosting provider.

Header set Connection keep-alive

Use CSS sprites

A CSS sprite is a single large image that contains all the graphic elements you need for your site in one file. Having a single file means it will download quicker than lots of smaller ones. You need to be careful that your sprite isn’t too large as some web browsers may not be able to display them.

Limit the amount of content on a page

As your website grows you need to be mindful of the impact this may have on your website. Some pages, particularly those which list blog entries and news articles can become excessively long, taking a very long time to load, and in some extreme cases crashing web browsers. Keep the number of displayed posts manageable.

Turn off Trackbacks and Pingbacks

By default WordPress both sends a pingback whenever you link to another site and accepts pingbacks whenever another site links to you, and each one costs your server an extra request to process. Turning the feature off doesn’t break any links; it just stops the notifications and the additional work. There is a security reason as well: the pingback mechanism (via xmlrpc.php) has been abused to make WordPress sites send traffic at third parties as part of distributed denial-of-service attacks.

Conclusion

There’s a lot you can do to speed up a lagging website. Try some of the suggestions here, starting with the easiest to achieve, and you should soon notice an improvement.

Why Would Hackers Attack my Website?

Wordfence Blocked IPs

“Why would hackers attack my website?” is the question I asked myself when I saw a huge spike in malicious activity. My site is relatively small, and although I’d like to say I get hundreds of page views a day, I (at the time of writing) don’t. Many of the attacks are clearly automated, but occasionally there’s an attempt to breach my site that appears to be a manual attack. So what’s going on?

Why do hackers try to hack websites?

Although there are occasionally news headlines about a major website hack, such as the Talk Talk hack in which customer data was stolen, there are actually a number of reasons why hackers hack websites, and those reasons shed light on why even small sites are targeted.

1. Just because they can

A number of hackers simply want to hone their skills by breaking into websites. These people probably aren’t after information, just bragging rights. They’ll probably deface your website, but even that can be costly: you may lose data and have to recreate part or all of your site.

2. To steal data and information

I’ll refer to the Talk Talk hack once more. The hackers took a wealth of customer data, and although they may or may not have used this information themselves, what they did do was make it available for sale. Scammers then bought this data and used it to scam people. Some Talk Talk customers reported receiving calls from people purporting to be from Talk Talk, who then tried to get them to disclose credit card details.

3. Hosting objectionable or illegal content

Rather than paying for a hosting service that could leave the hacker traceable, they may use your site to host the content instead. That way the content is traced back to you, not to them.

4. Search Engine Optimisation

Having other sites link back to your site is good for SEO, so hackers inject links into compromised sites to fool search engines. The links often lead to sites selling counterfeit goods or illegal services, or to malicious websites that install malware on the visitor’s computer.

5. Malware

Or, instead of sending visitors to a malicious website, hackers can insert malware into your site so that your own pages infect visitors’ computers. Needless to say, your website will soon be flagged as malicious by browsers and search engines, doing your reputation harm.

6. Sending Spam

Servers which send out lots of spam are usually soon blacklisted, so in order to keep sending out spam, hackers can compromise your site and then use your server to email out their crap. This will get your site IP blacklisted, and if you use shared hosting, lots of other sites can be affected, meaning the site owners and your hosting provider will suffer.

7. Creating a botnet

If hackers gain access to your site, it can be used as part of a greater botnet that can then be used to carry out malicious actions against other sites, such as a distributed denial-of-service (DDoS) attack. Botnets make malicious activity harder to stop, and harder to trace.

8. Renting out your server

Rather than using your compromised site to carry out malicious activities, hackers may rent out your server to people who do want to use it for sending out spam etc.

Why do hackers target WordPress?

The short answer is that WordPress is very popular. A single bot written against a known weakness in WordPress, or in a widely used plugin, has millions of potential targets, so the effort pays off. Other content management systems (CMS) are targeted in the same way, so it’s not just WordPress.

How do I protect my website?

It’s important to take steps to protect your website and server. Here are some important pointers.

Use strong passwords

Even now, many people fall victim to brute force attacks (where hackers simply keep guessing passwords) because they use weak passwords such as ‘123456’ or even ‘password’. Ideally passwords should be longer than 10 characters, use upper and lowercase letters, and include numbers and special characters like exclamation marks. Some experts argue that passphrases made up of several unrelated words, for example ‘railroad consolidation network’, are as secure as random strings of characters and far easier to remember; the strength comes from the length and from the words being chosen at random rather than forming a meaningful phrase. Whichever you choose, don’t reuse it on another site.

Keep your CMS, themes and plugins up-to-date

Updates don’t just bring aesthetic and functional changes; they also patch security holes, and once a fix is published the hole it closes is public knowledge. Keeping everything up-to-date is what stops hackers exploiting it.

It’s equally important to keep unused items up-to-date, or better yet remove them completely if you’re not using them. A deactivated plugin or theme is still code sitting on your server, and it can still be a weakness.

Avoid default usernames

Hackers will try default information wherever they can, so if your username is ‘admin’ you’re leaving yourself half-way open: the bot only has to guess the password. Custom usernames can still be found by anyone who looks (WordPress author archive URLs such as /?author=1 reveal them), but changing the default will still stop the crudest bot attacks.

Rename or move your login page

Some CMSs (e.g. PrestaShop) make you give your admin area a unique URL; with WordPress you’ll need a plugin. As with usernames, this isn’t the one thing that will protect your site, it just keeps automated scanners that only know about /wp-login.php from finding the door. Bear in mind that WordPress also accepts a username and password through /xmlrpc.php, so that needs protecting too.

Stop brute force attacks

Some hosting providers already have systems in place to stop brute force attacks, but not all. When I was with my previous provider there was a brute force attack on their website and someone managed to access my email. The hackers sent a few spam emails before I caught on and changed my passwords. Fortunately no real damage was done. It’s an increase in brute force attacks on my website which prompted the writing of this article. Over the past few days I’ve had an increase in attempts to access my site made by people in Brazil, Russia, China, USA, Ukraine, Czech Republic and France. Some of these are obviously just bots, but some have been manual attacks.

I use Wordfence to protect my website, and recommend it to other WordPress users. The free version of the plugin is extremely good. It’s useful to stop all kinds of malicious activity.
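Whether or not your host blocks brute force attempts, you can see an attack for yourself in the web server’s access log. The script below is an added example, not code from the original post or from Wordfence: it parses Apache ‘combined’ format log lines and flags IP addresses that POST to WordPress’s login endpoints too many times inside a short window. It assumes the default endpoints /wp-login.php and /xmlrpc.php, and the log lines in SAMPLE_LOG are constructed for the example (the addresses are from documentation ranges).

```python
"""Spot brute-force logins against WordPress in an Apache access log.

Added example, not from the original post or from Wordfence. Assumes the
Apache 'combined' log format and WordPress's default login endpoints:
/wp-login.php (the form) and /xmlrpc.php (the API, which also takes a
username and password and is a favourite brute-force target).
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: a burst against the form, a burst against XML-RPC,
# one genuine login (POST answered with 302), and a slow trickle.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2016:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Mar/2016:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Mar/2016:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Mar/2016:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Mar/2016:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Mar/2016:10:00:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2016:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [28/Mar/2016:10:01:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 45000 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.40 - - [28/Mar/2016:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.40 - - [28/Mar/2016:11:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.40 - - [28/Mar/2016:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.40 - - [28/Mar/2016:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.40 - - [28/Mar/2016:12:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop ?redirect_to=... and friends
    return rec


def failed_login_attempts(lines):
    """Yield (ip, timestamp) for every login POST that did not succeed.

    WordPress answers a failed form login with 200 (the form is redisplayed)
    and a successful one with a 302 redirect to /wp-admin/, so a 302 is a
    real login and is not counted. xmlrpc.php answers 200 either way, so
    every POST to it counts.
    """
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == "302":
            continue
        yield rec["ip"], rec["ts"]


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: total_attempts} for IPs with >= threshold failed attempts
    inside any window of window_seconds.

    A sliding window over each IP's sorted timestamps flags a burst but not
    the same number of attempts spread over hours; widen window_seconds to
    catch slow, patient attackers as well.
    """
    per_ip = defaultdict(list)
    for ip, ts in failed_login_attempts(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def deny_rules(flagged):
    """Apache 2.2-style .htaccess lines that block the flagged addresses."""
    return [f"Deny from {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG.splitlines())
    print(hits)
    print("\n".join(deny_rules(hits)))
```

Run against a real log with find_bruteforcers(open("access.log")). Only the two bursts are flagged with the default one-minute window; 192.0.2.40, which spreads the same five attempts over eighty minutes, only shows up if the window is widened, which is exactly the trade-off a blocking plugin makes when it chooses its limits.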

Use verification

Another useful defence is a system that stops automated submissions, such as Google’s reCAPTCHA on the login form. Not only does it stop bots, it slows down manual attempts too.

Conclusion

It might surprise you that nearly everything on the internet is under attack pretty much all the time. (I’ve just checked the live traffic to my site this minute to see someone from Poland access my login page and attempt to gain access.)

Most attempts are just probing for weaknesses, or are pretty basic, but you should take website security seriously. It’s far better to prevent a compromise than to try to clean up afterwards.

Buttons-for-website.com Referrer Spam

If you run a website and regularly keep an eye on your analytic data, chances are you’ve come across the referrer URL buttons-for-website.com. Unfortunately this isn’t legitimate website traffic, but is referrer spam.

Anyone Received Semalt Referrer Spam?

Chances are that you’ve also had Semalt.com appear in your referrer stats at some point. Buttons-for-website.com is doing the same thing.

Referrer spam appears in your analytics data posing as a legitimate referrer. Intrigued, you click the referrer to see who is sending you traffic. But the ‘referrer’ isn’t a real person; it’s a bot posing as one, and the whole point is to get you to visit their site.

Referrer Spam Is More Than Just A Minor Annoyance

Referrer spam can be seen as just a minor annoyance, but the problem is that it messes up your analytics data and skews your results. It really plays havoc with your bounce rate, and the most pervasive referrer spam can cause other problems. When Semalt started their spam campaign, people reported that their sites were being hit hundreds of times a day, and in some cases, dozens of times a minute.

This was causing performance problems on the sites being spammed: response times got worse, and in extreme cases the site became unavailable to legitimate visitors.

How To Block Referrer Spam?

If you’re receiving referrer spam to your website, it’s in your best interest to block it. Fortunately this isn’t too difficult and can be done a number of ways.

Editing your .htaccess file

This method is only recommended for more advanced users. ‘.htaccess’ is a small configuration file which sits on your web server and can be used for a number of purposes which I won’t go into here. If you’re not an advanced user, speak to the company that hosts your site and they’ll be able to help you.
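For the more advanced, the .htaccess approach works by matching the Referer header with mod_rewrite and answering 403 Forbidden. The script below is an added example, not code from the original post: it builds that blocklist for the spam domains named on this page (semalt.com, buttons-for-website.com and see-your-website-here.com) and lets you check what the patterns would and would not block before you deploy them. The sample Referer values are constructed, and the generated rules assume Apache mod_rewrite, as used elsewhere on this page.

```python
"""Build an .htaccess referrer-spam blocklist and check what it matches.

Added example, not from the original post. The domains are the ones named
on this page; the sample Referer values are constructed. Assumes Apache
mod_rewrite.
"""
import re

SPAM_DOMAINS = ["semalt.com", "buttons-for-website.com", "see-your-website-here.com"]


def referer_pattern(domain):
    """Regex matching a Referer whose host is `domain` or a subdomain of it.

    Two details matter. The dots are escaped, so 'semalt.com' does not also
    match 'semaltXcom'. The pattern is anchored to the host part of the URL,
    so a genuine visitor arriving from a page whose path or query merely
    mentions the spammer (a web search for 'semalt.com', say) is not
    blocked, and neither is an unrelated host such as 'notsemalt.com'.
    """
    escaped = domain.replace(".", r"\.")
    return r"^https?://([^/]+\.)?" + escaped + r"(/|$)"


def htaccess_rules(domains):
    """Emit mod_rewrite lines that answer 403 Forbidden to spam referers.

    Every condition except the last carries OR, so any single match fires
    the rule; NC makes the match case-insensitive, as hostnames are.
    """
    lines = ["RewriteEngine On"]
    for i, domain in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        lines.append(f"RewriteCond %{{HTTP_REFERER}} {referer_pattern(domain)} {flags}")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines)


def is_blocked(referer, domains=SPAM_DOMAINS):
    """Evaluate the same patterns locally; for this syntax PCRE and re agree."""
    return any(re.match(referer_pattern(d), referer, re.IGNORECASE) for d in domains)


if __name__ == "__main__":
    print(htaccess_rules(SPAM_DOMAINS))
    print()
    for ref in ["http://semalt.com/",
                "https://www.semalt.com/crawler",
                "http://BUTTONS-FOR-WEBSITE.com",
                "https://www.google.com/search?q=buttons-for-website.com",
                "http://notsemalt.com/",
                ""]:
        print(f"{ref!r:60} blocked={is_blocked(ref)}")
```

Paste the printed rules into .htaccess. Note that this only stops crawler spam that actually requests pages from your server; ‘ghost’ referrer spam that is injected straight into Google Analytics never touches your server and has to be filtered inside Analytics instead.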

A WordPress plugin

If your website has been built using WordPress, there’s a number of plugins that will block the spam. Personally I recommend Wordfence.

It’s free to use and extremely useful. To block referrer spam just go to the ‘Advanced Blocking’ options. Goodbye referrer spam.

Sharebutton.net Malware

Buttons-for-website.com redirects to sharebutton.net, a site which is highly suspicious: there’s no ‘about’ information and no contact details, just a single-page site which asks you to add a piece of code to your website in order to get social media sharing buttons. This should really set alarm bells ringing.


If you were to add the code to your website, there’s no telling what you’d be letting yourself in for. A script loaded from someone else’s server runs with the full privileges of your page: it can alter your content, read your visitors’ cookies and form input, and be swapped for something else at any time without you knowing. It could easily compromise the safety of your site, or the safety of your visitors, with the possibility of your site becoming infected and then being blacklisted.

Sharebutton.net is best avoided.

#Mobilegeddon & The Google Mobile Friendly Update

#Mobilegeddon was the rather alarmist name given to Google’s update to their search algorithm which was launched on the 21st April (2015). The scary name was given to it as people were worried about the ramifications of the update.

The update was meant to favour websites which were designed to also function on mobile devices, such as Smart Phones and Tablets. More and more people use these devices, which typically have much smaller screens than desktops and laptops, and sites which are not mobile-friendly can be hard to view; text can appear too small or large, people may have to scroll left and right, and up and down, making navigation difficult. Images can take up too much space, and some technologies (e.g. Flash) are not always supported on mobile devices. These are just a few of the issues.

The update was not only meant to push mobile-friendly sites in search results when people search from mobile devices, but also generally favour mobile-friendly sites when searching from any device. The idea is that all sites should be mobile-friendly, it is 2015 after all.

The fear which many website owners had, is that their websites would disappear from search results. However, the effect has been much more subtle, though some say they have already seen a difference.

If your website isn’t mobile-friendly you should really make it so. As time goes on, if a site isn’t mobile-friendly, it’s safe to assume that it will be penalised more and more.

Making a site mobile ready doesn’t have to be a massive project. In fact it’s possible that your site is already set to go. If you want to check, try Google’s rather useful mobile-friendly testing tool.

What if your site isn’t ready? You have two options. The first is to create a separate mobile version of your site, which visitors are redirected to when they arrive on a mobile device. The second, and recommended, option is a responsive design: responsive sites automatically resize and rearrange their content depending on the size of the window they’re viewed in, which will make things easier for you in the long run.

See Your Website Here – (http://www.see-your-website-here.com/crawl.php?) – Crawler Spam

As if Semalt, with its botnet and crawler that skews people’s website analytics results, wasn’t enough, here in the UK another company has decided to borrow their tactics. You can read more about Semalt here if you’re not familiar with them.

Have You Been Visited By See-Your-Website-Here?

If you run or manage a website you may have noticed a referrer in your stats which looks like this – http://www.see-your-website-here.com/crawl.php?url=[your web address]. They operate a crawler which registers on your website as a genuine visitor rather than as a crawler. As with Semalt, the problem is that it messes up your website analytics with fake hits, and it skews other figures such as your bounce rate.

See Your Website Here (SYWH) are, at the time of writing, a newcomer as their web domain was registered in June 2014. They’ve obviously seen what Semalt have been doing and have decided that it’s a good way to get people to visit their website. There’s no telephone number on the SYWH website, just a contact form. However, the domain name has been registered by Vanilla Circus Ltd, a company in London, with the contact email of b.sykes@vanillacircus.co.uk and telephone number +44(0)2088793340.

I’d avoid using the services of either vanillacircus.co.uk or see-your-website-here.com, as any company that uses such unscrupulous tactics to gain customers should be approached with caution. It doesn’t appear that they’ve stooped to Semalt’s level of using malware to create a botnet that spams sites (just yet), but who knows what they’ll decide to do in the future?

They even admit to spamming sites to show up on people’s Google Analytics. They blatantly say that’s how they operate!

A screen grab from http://www.see-your-website-here.com/about.php taken on 11 August 2014.

There are other worrying signs; their SYWH Twitter link is broken (at the time I’m writing), there’s no telephone number on the SYWH contact page and the website address has only been recently registered.

I’d have thought that after the amount of vitriol that Semalt experienced on their Facebook page no other company would use the same tactics, but it seems as though they would. SYWH doesn’t have a Facebook page, but their parent company does, though oddly it’s associated with a different web domain, www.seo-consultant-specialist.com, which is a company registered in Pakistan. So See Your Website Here is associated with Vanilla Circus and in turn, they’re associated with www.seo-consultant-specialist.com.

I’m going to dig a little deeper, but if anyone manages to untangle things further, let me know.

Microtransactions – In-App Purchases – Freemium – Subscriptions

If you’re thinking of developing your own App, you may have heard that they can be very profitable, and indeed they can. However, you need to carefully consider how you make money from it.

With the advent of the smartphone, tablets and the App Stores that provide the downloadable applications they run, Microtransactions, In-App Purchases, the Freemium business model and the subscription business model have exploded in growth. They’ve also crept into the more ‘traditional’ software that you may be used to, and many people are not happy about it.

Forking over considerable amounts of money for ethereal goods, or merely being allowed to rent software: these practices are, on the whole, having a negative effect and getting people riled up. What’s the future of these strategies? Will they divide us into the digital ‘haves’ and ‘have-nots’, or implode on themselves?

There are a number of buzz-words floating around, but they all amount to the same thing – parting you from your money. Microtransactions and In-App purchases are pretty much the same thing, but Microtransactions are, as you may expect, typically smaller amounts. Freemium is a combination of ‘Free’ and ‘Premium’, that is something that is free, but has premium elements which you can purchase. And subscriptions are just that, something for which you have to pay a recurring subscription fee.

Now let me stress that I’m not against these tactics per se, but rather how they’re generally used.

They’re Most Prevalent In Games

In gaming for instance there has been a huge surge in the emergence of games which have been dubbed Pay-to-Win, and Pay-or-Wait. These are just lazy attempts to make people part with their hard-earned cash.

Pay-to-Win games generally make it impossible to complete a game without paying, while Pay-or-Wait games will slow down gameplay to such an extent that they’re no longer games but exercises in tedium.

As you may expect, gamers are furious about this, and so they should be. Geoffrey Tim from Lazygamer.net presented this amusing image to demonstrate how these tactics work, and how absurd they are, by applying the idea to a well-known game. His example is extreme but you get the message.


This image however isn’t an amusing fake. It’s very real. Worryingly so. It’s from EA’s Dungeon Keeper.


The gems allow users to speed up aspects of the game. Otherwise they have to wait for up to 24 hours. You see the ‘best value’ package of gems for £69.99? I always thought “who would pay that?” Well it seems that a very small proportion of people are willing to pay it. How far will £70 get you? Not very far actually. The gems will soon run out.

It may seem crazy that people are paying these prices, but they are. The figures are startling. If you look at Apple’s App Store, you’ll see that the highest grossing apps are usually these Free-to-Play (F2P) games which rely on (not-so) Microtransactions. Generally, less than 0.15% of a game’s users account for over 50% of its revenue. These high spenders have been dubbed ‘Whales’ by the gaming community, and it increasingly seems that app developers set out to ‘harpoon themselves a whale.’

Where does that leave 99.85% of the apps users? It leaves them frustrated and bored.

It’s Not Just Games

Even business apps and other useful apps are subject to the same practices. Splashtop Pro 2 is an example of this. Put simply, the app lets you access your computer from your tablet or smartphone. Very useful, right?

You have to pay to download the app, and that’s fine, but there’s a problem. The app doesn’t let you access your computer from a remote location. I’m not joking. If you’re on the same Local Area Network, e.g. your home WiFi, you can freely access your computer, so you can reach it from the next room, or maybe the garden. If you’re away from the house, you can’t.

What if you want to access your computer from work? From a hotel? On the train? You have to pay a subscription through an In-App Purchase. This is another example of Microtransactions going bad.

Subscriptions

Subscriptions may be good for a company, but not so good for customers. Adobe have announced that they’ll no longer be selling boxed software. You will have to download it, and even then you can’t actually buy it. You have to ‘rent’ it through a subscription service.

True, the cost each year is less than buying the software, but this argument isn’t really that valid. You don’t own the software anymore. Most people who used Adobe Creative Suite would skip versions, as the package is well over £1000 to purchase. So they would buy version 3, say, and then wait until version 5 or 6 before upgrading again. So what if people fall on hard times and can’t afford the software? They can’t use it, and therefore can’t work. A horrible prospect. Adobe’s move has prompted many of those who use their software to seek alternatives. Again, this is giving the middle-finger to those who can afford it, and those who can’t.

Old School Tactics

Companies (Adobe included) have always offered demo versions of their software or games in the hope that if you enjoy it, or find it useful, you’ll then go and purchase the full version. Companies which adopt the Freemium model claim that In-App Purchases stop software piracy, and that may be true to some extent, but people will always find ways around it if they’re that dedicated. The demo idea can be seen in some apps, but more often than not it’s done in a very underhand way. That is, the user is unaware that it’s just a demo until they hit the paywall (the pop-up message which stops the user from progressing unless they pay.) This infuriates users who may have invested a considerable amount of time in a piece of software, be it a game they’ve been playing or a tool they’ve been learning to use. The moral of the story: be upfront about costs.

So You’re Thinking About Using IAPs?

In-App Purchases / Microtransactions / Paywalls – whatever you want to call them, are not necessarily a bad thing. They can be good for raising revenues, but they can also do that without alienating the majority of your users.

To do that, don’t go ‘Whale’ hunting. The Freemium business model can only exist in its current form with these ‘Whales’. And personally, I wish that these people would realise that they’re fuelling a hideous travesty, and that if they curbed their spending, app developers would be forced to reduce their prices or change strategy, benefitting all users of their software.

Things To Consider

Some of these may not relate to your particular app, depending on what sort of app it is.

  • Don’t Hunt ‘Whales’: If you’re focussing on that 0.15% you’re telling the other 99.85% of your customers that you couldn’t give a toss about them.
  • People Don’t Like Paying To Save Time: This primarily refers to Freemium games where the player is forced to Pay-or-Wait. Games should be fun and engaging.
  • Be Upfront: If you’re just offering a demo, let people know upfront and be clear about it. You may not get as many downloads, but those who do download will know what they’re getting into, and will be more likely to give you a 5-Star rating if your app is good, rather than a 1-Star rating for being misled.
  • Use Paywalls Sparingly: Whether it’s a game, or a business app (such as mind-mapping software), don’t segregate each feature into its own additional paid-for add-on. Paywalls infuriate the user and annihilate the user experience.
  • Don’t Make People Pay To Remove Annoyances: These are things which simply get in the way and don’t offer any real benefit. It could be something as simple as having to watch an advertisement each time before you use the app.
  • People Will Pay For Unique Content: Make the transactions unlock good content and features. When using In-App Purchases, the offerings should be tangible. E.g. Unlocking the full programme, or unlocking all features.
  • People Will Pay For Good Content: If you’re going to offer something extra to people who are willing pay, make sure that the content is worth it.
  • Nintendo Have Steered Clear Of The Freemium Model: And that’s despite one of their investors urging them to adopt it.
  • Treat Customers With Respect: EA are the main culprits here. Many of their games for phones and tablets are blatantly designed to gouge customers. See below.
EA thinks that accusing their customers of being tight-fisted will encourage people spend money just to speed up the game.

Conclusion

It’s quite easy to summarise this post. Put yourself in your customer’s shoes and treat them with respect. Carefully consider what you’re offering and how best to deliver additional content and features. Don’t treat them like idiots who will just throw money away, and whatever you do, don’t, like EA, insult them.

Remember:
Carrot > Stick

What is Semalt.com? Is Semalt a phishing site? Semalt & the Soundfrost.org Trojan Virus

If you own a blog or website and are wondering what the heck Semalt is, we have the answer for you.

Semalt is a web service tracking site that is using guerrilla tactics to gain a user base… and it’s working.

Semalt will go to your site, and will in turn show up on sites that are referring traffic to your website. This then gets you curious, and you click on their website, and BOOM now they have your information. The site is beyond shady, and I would not trust them with your information.

No one knows what they actually do, if they do anything at all… Avoid at all costs

~ This Is Tight

The above quote is from a website I found when I was searching for information on Semalt.com. Like many other people, I’d been receiving a load of traffic from this site, and when I checked out their homepage I was given no information. I only had the choice to log in or register, that is all.

I was rather suspicious, and it seems many other people are too. I did register to find out what they do, and it appears that they just offer a way to monitor traffic on your website (for a fee, of course).

What really grated on me about how I found them was that they spammed my website (using bots) with fake visits, messing up my stats. I suggest that no one has anything to do with this shady company. Although my research has shown that they are just (yet) another website monitoring tool, I don’t like how they went about increasing their search engine visibility. Besides, Google offers all the tools you need to monitor your website – for free.

EDIT: Semalt’s method of gaining pageviews on their own site appears to be against Google’s rules, as it’s a method of trying to falsify their page ranking. It’s known as a Black Hat technique and is frowned upon. If Semalt pesters your website and messes up your website stats, you can report them for spam here – https://www.google.com/webmasters/tools/spamreportform?hl=en.

ANOTHER EDIT: It appears that Semalt.com have been deleting all of the negative comments from their Social Media channels. Bad move guys. It’s best to admit mistakes and respond to criticism professionally. They’ve actually blocked me from posting or contacting them via Facebook.
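Reporting them is one thing, but you’ll also want to see how much of your traffic is this referrer spam and stop it hitting your site at all. The script below is an added example of mine, not something from the original post or from Semalt: it parses Apache/nginx combined-format access log lines, flags hits whose Referer belongs to a blocklisted domain (semalt.com is the one this post is about; the other two entries and the log lines themselves are made up for illustration), summarises how many hits and distinct source IPs each domain produced, and generates an Apache RewriteCond/RewriteRule block that returns 403 to those referers. The log lines here are constructed; point it at your own access log to see the real numbers.

```python
"""Flag referrer-spam hits (the Semalt pattern) in combined-format web server logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# semalt.com is the domain discussed in the post; the other two are placeholder
# assumptions standing in for whatever else shows up in your own referrer stats.
SPAM_REFERER_DOMAINS = {"semalt.com", "buttons-for-website.example", "darodar.example"}

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2014:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://semalt.semalt.com/crawler.php?u=http://example.com" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2014:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 4100 '
    '"http://semalt.semalt.com/crawler.php?u=http://example.com/about/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2014:12:00:09 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://semalt.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Aug/2014:12:01:00 +0000] "GET /blog/ HTTP/1.1" 200 7300 '
    '"https://www.google.co.uk/" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.0.2.45 - - [10/Aug/2014:12:01:30 +0000] "GET /feed/ HTTP/1.1" 200 - "-" "FeedReader/1.0"',
    "this line is not in combined format and is skipped",
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matched_domain(referer, blocklist=SPAM_REFERER_DOMAINS):
    """Return the blocklist entry the referer's host equals or is a subdomain of, else None.

    Suffix matching on a leading dot means semalt.semalt.com matches semalt.com
    but notsemalt.com does not; a plain "-" (no referer) never matches.
    """
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname  # already lower-cased, port stripped
    if not host:
        return None
    for dom in blocklist:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def summarize(lines, blocklist=SPAM_REFERER_DOMAINS):
    """Return {domain: {"hits": n, "ips": set(...), "paths": set(...)}} for flagged referers."""
    report = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotated/garbled lines: skip rather than crash mid-log
        dom = matched_domain(rec["referer"], blocklist)
        if dom is None:
            continue
        entry = report[dom]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        parts = rec["request"].split()
        entry["paths"].add(parts[1] if len(parts) > 1 else rec["request"])
    return dict(report)


def apache_deny_rules(domains):
    """Build an .htaccess block that answers 403 when the Referer is on one of the domains.

    RewriteCond lines are ANDed by default, so every line but the last needs [OR];
    the regex anchors on the scheme so 'notsemalt.com' is not caught by 'semalt.com'.
    """
    domains = sorted(set(domains))
    out = ["RewriteEngine On"]
    for i, dom in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        out.append(
            f"RewriteCond %{{HTTP_REFERER}} ^https?://([^/]+\\.)?{re.escape(dom)}(/|$) {flags}"
        )
    out.append("RewriteRule .* - [F]")
    return "\n".join(out)


if __name__ == "__main__":
    for dom, info in summarize(SAMPLE_LOG).items():
        print(f"{dom}: {info['hits']} hits from {len(info['ips'])} IPs, paths {sorted(info['paths'])}")
    print(apache_deny_rules(SPAM_REFERER_DOMAINS))
```

The referrer block only helps against bots that actually send a Referer header; hits that arrive with none still land in your logs, which is why the summary counts distinct IPs as well as hits. The same blocklist can be applied as a filter in your analytics tool so the fake visits stop distorting your stats.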

Semalt and the Soundfrost.org Trojan Virus

EDIT: In a sinister turn of events, Semalt has started using a botnet to spam websites, and even have their own Trojan virus to infect computers. See https://www.virustotal.com/en/ip-address/217.23.11.15/information/ for information on (and proof of) the threat. See this other blog post with a detailed look at the threat from Semalt – http://blog.nabble.nl/post/93306955157/semalt-infecting-computers-to-spam-the-web

This is being done through another website belonging to Semalt’s owner. The site is Soundfrost.org, and the programme they offer as a download is the virus.

The owner is spamming the Soundfrost.org link all over the place, people download it and then that’s it, your computer is infected and becomes part of their botnet. Goodness only knows what else this malicious software does.

Fund-Raising / Charity Funding Websites, Sites Like JustGiving

Charities are continuously searching for new sources of funds, particularly as they’re feeling the squeeze along with the rest of us. There are a number of sites available that will help you get going and reach a wider audience than you may otherwise be able to, though at a cost.

Charity Fund-Raising Websites. Do They Work And Are They Worth It?

These are slightly complicated questions. Although fund-raising sites are undoubtedly useful, there are some things to consider. These sites are not (usually) the altruistic enterprise that you may consider them to be; they have running costs, and many of them are there to make money – and there’s a lot of money to be made. Let’s say one year you make £50,000 and they keep 5%, that’s £2,500. When you consider that they may have thousands of charities on their books and that some charities can make considerably more, you can soon see why such sites are often money-spinners for the people who run them.

If someone wanted to send you a large donation, they’d be better off sending you a cheque or bank transfer, cutting out the middle man so you get the whole amount. However, fund-raising sites do make it easy to donate by giving people a number of options and making the process streamlined. In this regard you will gather funds from those who are the type to give to charities but, for whatever reason, tend not to get around to it. Secondly, you can reach a global audience, which, let’s face it, would be hard to do on your own without substantial capital available to get a campaign off the ground.

To quickly sum up, yes they are very useful, but usually at a price. Try to gather funds from other sources or get people to donate directly if possible.

How Do Fund-Raising Sites Differ From Crowd-Funding?

The main difference between fund-raising sites and those which help generate funds to get a project off the ground (crowd-funding), is that fund-raising sites are designed for long-term money generation with no time-limit, and no expected return on a donation. You can read more about crowd funding here – Crowd Funding, Fund-Raising Websites Like IndieGoGo.

A Comparison List Of Fund Raising Websites

These sites are mentioned in no particular order. When I started to compile the list I didn’t favour any particular site.

What To Look For When Choosing A Fund-Raising Website

Each site has its own benefits and different charges that you’ll need to look out for. I haven’t talked specifically about them here as they change all the time. Have a look at your options and see which will offer the best solution for your situation.

Useful Tools For Charities & Non-Profits – Google, Bing and others

New non-profit organisations are often springing up all over the place as self-sacrificing individuals put their time, effort and money into a worthy cause that strikes a chord with them, making the world a better place. It’s a remarkable thing to do, and I salute you.

I’ve worked with a few non-profit and charitable organisations, and here’s some of the useful things I’ve discovered along the way.

Google for Charities & Non-Profits

Google has a great number of useful tools and resources for charities. We’ll have a look at what they have on offer. Unfortunately some of these are location dependent, with US-based organisations having access to the lion’s share of tools. Even so, what is currently available worldwide and to the UK is not to be ignored.

http://www.google.com/nonprofits/index.html
Google’s Non-Profit home page, the portal to all the products. Here you’ll be able to see if you’re eligible, and which products you’ll have access to. Some of these are free, but they do have premium tools available also, though usually with heavy discounting applied.

Be prepared to jump through some hoops to get yourself registered, but it’s not laborious. They do need to ensure that you’re representing a legitimate charity.

Let’s have a look at what’s on offer.

1. Google Apps
– Gmail
The email service that you may already be familiar with. You can even use your own custom address, e.g. ‘yourname@yourdomain.com’, making your organisation seem more legitimate.

– Calendar
A powerful calendar to aid you with organising events, meetings etc.

– Drive
Online storage for files and documents. You get a little included (5GB at the time of writing) and can purchase more as you need it. It can become expensive though…

– Docs
Meaning ‘documents’. Allows you to create and share word processing files, spreadsheets and presentations.

– Places
Allows you to pin-point your organisation on Google Maps. You can add contact information and other information.

– Analytics
Monitor your website traffic, see what people are searching for, how they manage to find your site, and examine your visitor behaviour.

– Google +
Google’s foray into the social media boom. They were a little late to the party, but their platform is quite good, even if it doesn’t have the same following as Facebook. Worth creating a G+ page for your organisation to help spread the word.

– And more…
There are lots of other apps to discover, though I’ve mentioned the main ones here.

2. Google Grants
The grants are in the form of credit which is applied to a Google AdWords account. Again, you need to have recognised charitable status. You start with a credit of $10,000 (USD) per month. That seems like a lot, but advertising through Google can be very expensive. If you exceed this, you may be able to get an allowance of $40,000 (USD) per month. There are very strict rules on how this credit can be used.

3. YouTube For Non-Profits
YouTube (owned by Google) also has an offering to help charities out. You can create a channel which has features that are normally only accessible to premium members (usually large corporations with a budget to match.) These extra features include custom channel branding, donate buttons, live video streaming and other useful tools.

PDF: Google Playbook For Good

4. Google Earth Outreach
Using the powerful Google Earth, you can visualise your positive impact on the planet. You can integrate with Google Earth to overlay information and graphics over the areas you wish. There’s quite a number of exciting tools, and endless possibilities.

Facebook for Charities & Non-Profits

http://www.facebook.com/
As far as I’m aware, Facebook doesn’t have any particularly special offerings for non-profits. You can set up a page for your organisation, but that’s currently as far as it goes. A Facebook page is still an important part of any campaign, so it shouldn’t be neglected.

Bing for Charities & Non-Profits

http://www.bing.com/explore/helpyourbritain*
Bing is Microsoft’s search engine offering. Not as widely used as Google, and lacking many of its features, it’s Microsoft’s attempt to re-position itself as a market leader on the web (it was one, but lost its grip) by competing in search and giving its web browser (Internet Explorer) a massive overhaul. Microsoft is working on producing new tools for web users, and the ‘Help Your Britain’ addition is aimed at providing a promotional tool for non-profits.

You can also set up a profile for yourself, and your organisation.
https://profile.microsoft.com/RegSysProfileCenter/default.aspx

*Kindly informed of the updated link by Richard at Stretch Digital.

LinkedIn for Charities & Non-Profits

http://www.linkedin.com/
Social entrepreneurs should certainly leverage the possibilities that LinkedIn offers. There’s lots that can be done to help promote your cause, and I’ve written a couple of articles discussing how to use LinkedIn for maximum effect – Read my article about using LinkedIn.

Twitter for Charities & Non-Profits

https://twitter.com
Twitter is another social media platform which doesn’t have a specific range of tools for non-profits, though it has been used very successfully to raise awareness for a large number of concerns. Read about some of the success stories.

More useful resources