What Can We Glean About Facebook From Mark Zuckerberg’s Congress Hearings

Last week, the CEO and founder of Facebook, Mark Zuckerberg, spent two days before two committees of the US Senate answering questions about privacy concerns at Facebook in light of the Cambridge Analytica scandal. As a Web programmer myself, I found this series of exchanges and Mark’s responses fascinating as well as enlightening. I replayed most of the sessions thanks to YouTube. Here are some key observations.

It was particularly amusing, and concerning at the same time, that many of the senators simply did not understand the fundamentals of how Facebook works, what it actually does, or its business model. A good number of them relied on questions submitted by their constituents who, in turn, did not have a much better understanding themselves. As a result, too many questions were irrelevant to the most recent data breach and instead focused on advertisers and on how users’ data is used, shared, or sold for advertising. Zuckerberg had to repeat numerous times that data is not sold to advertisers, nor is it shared with them directly. He also had to repeat quite a few times that advertising is Facebook’s business model. The way Facebook uses users’ data is to decide who sees specific advertisements, based on the advertiser’s selections and the users’ expressed interests as well as their browsing history. This is the standard way online advertising works across the board. Nothing particularly new or noteworthy there.

From those interrogations it became apparent that there are three distinct platforms integrated into what Facebook is today: the publishing, advertising, and developer platforms. The issue at stake is not the first two but the third one, which the senators spent extremely little time discussing. The key question should have been, “why does Facebook allow developers to collect data from users through their apps?” This is how Cambridge Analytica acquired the data of 87 million Facebook users when a Russian-American researcher, Alexandr Kogan, created a simple quiz app. He was somehow able to collect the data of those who accessed the app and the data of all their friends (without their knowledge). Kogan then sold that data to Cambridge Analytica. It is safe to say that the vast majority of Facebook’s users don’t know that their personal data (and that of their ‘friends’) may be, and likely is, shared with third-party app developers when they interact with the apps, including game apps.

It is also noteworthy that as many as 29,000 data points are collected by Facebook on each user. What is a data point? A data point is a unit of identifiable information about you: for example, favorite dessert, favorite food, favorite ice cream, favorite pet, favorite color, favorite vacation destination, married, single, divorced, name of significant other(s), location(s) you live(d) in or traveled to, religion, and so on. That is just a small number of data points. It is hard to know exactly what each of the 29,000 data points is beyond the obvious ones. But that is far more information than you or anyone close to you knows about you. The more you post personal details, use apps, or interact with Facebook in any other way, the more you help them fill in each of the 29,000-plus data points.

In the same Senate sessions, it was also stated that Facebook collects data points even on non-Facebook users. Now, you may ask how that is possible if you are not a Facebook user. Zuckerberg gave some clues on that. He said that it was for security reasons. So, if you have ever had an account on Facebook and closed it, if you tried to access Facebook with a phony login, or even if you just visited Facebook, there are ‘cookies’ which can be tracked and collected between visits. Cookies are tiny bits of text stored by your browser; almost every website uses them, for anything from simply tracking visits to the site to allowing visitors to log in and use it. This is one potential way that Facebook may track non-Facebook users. If that is the case, those are some pretty sophisticated ‘cookies’. Generally speaking, ‘cookies’ do not store personally identifiable information.

Facebook is not the only player going to great lengths to collect as much data on Internet users as possible. Google and Amazon are other competitors for such data. What makes Facebook unique is that it is marketed as a platform that allows you to connect with friends and, as such, encourages users to post personal information. I remember one time it asked me to upload a copy of a photo ID, such as a driver’s license or passport page, just to unlock a recently created account or perform certain actions. It was very eerie to see that and I refused. The account remained locked and I couldn’t access it even to delete it. Thankfully there wasn’t much on it.

Your most precious commodity is you and your privacy. Be careful how you share any information about yourself online and don’t give up that privacy readily. Keep in mind that if something is offered for ‘free’, there always is a catch. Oh, and Mark Zuckerberg’s personal data was stolen as well.

Facebook’s Most Recent Scandal Illustrates the Dangers of Using Facebook For Business Exclusively

With the surge in popularity of Facebook over recent years, many small business owners have decided to market their business exclusively through a Facebook page, without having a separate domain name and website. And why not, they reason: a Facebook page is free and most of their clientele is also on Facebook, so why fork out the money to build a website as well? But the recent scandal with Facebook and Cambridge Analytica shows just how short-sighted such thinking is. The scandal is still very new in the news, and who knows how long it will continue, what new information will surface, and what long-term effect, if any, it will have on Facebook as a company. But it does show that this scandal, or the next one, or the one after that, can impact Facebook in very significant ways. This most recent breach of trust will most definitely result in people leaving or, at the very least, spending less time on the platform.

Using a Facebook page exclusively to promote your business online is very short-sighted because it assumes that the platform will stay as popular as it is, or was, indefinitely. Do you remember what happened to MySpace and Friendster, two of the biggest social media platforms prior to Facebook? They both had their peak user base and then their decline. Reports are already showing that Facebook had a 5 per cent decline in the time users spend on the platform in the second quarter of 2017, and that’s before the scandal came to light. It may very well rebound, but what happens after the next scandal? Using Facebook for business today may be a good decision for you. But the platform should be used to direct traffic to your own online property, your business website.

Even if Facebook recovers from this scandal unscathed, they still have control of your business page on their platform and the power to shut it down if they perceive their terms have been broken, or for any other reason. On the other hand, only you have control of your website and its traffic. And your domain is your online identity, uniquely yours for the life of your business.

Be Extremely Wary of Those that Promote Building a Website in Quick and Easy Steps

There are many individuals and companies promoting the idea of building websites very quickly and easily with little technical knowledge, and even for free. Many are quite simply marketing scams designed to sucker in the inexperienced and then charge them for so-called ‘premium’ features. Others are just dangerous and careless ‘how-to’ YouTube videos or Web pages trying to get more subscribers, boost their search rank, or collect clicks on affiliate links. We have a lot of experience building websites on the popular open-source CMS (content management system) platforms as well as building custom CMS solutions. Here is why you should be extremely wary of the false claims mentioned at the outset.

Although it is true you can build a website for free, it is not really free in the long term, and certainly not from the business perspective. You are paying with your time. By the time you realize that the site is not working, how much time have you spent already? Free websites are not SEO-friendly. Free websites come with third-party advertising. Free websites will not allow you to control or own the code. Even if you upgrade a free website to a DIY (do-it-yourself) premium version, you are still stuck with the same company and code that is not SEO-friendly.

What about cheap hosting that comes with easy-to-install CMS software? Today’s Web hosting control panels, such as the popular cPanel platform, come with one-click installers for popular open-source software such as WordPress, and even DIY quick site builders. And while it is true that you can register a domain name, get hosting, and launch a bare WordPress site in minutes, this is a far cry from launching a fully functional, secured, business-class website full of SEO’d content. Those two things are worlds apart. And this is what you are not learning from the individuals and companies pushing free and quick DIY website builders; it is very misleading. Launching a WordPress site in minutes using the click-to-install features of the hosting control panel may save some time, but very little compared to what an experienced Web developer can do. An experienced Web developer can manually install WordPress in a few minutes and do it much, much better: she or he can implement some basic security measures that don’t require much time but make the installation far superior to the click-to-install method of the hosting panel. The same is true of any other open-source software.

The issue here is not necessarily with the DIY website builders or the click-to-install functionality of the hosting control panel. The issue is the misleading claims and representations made by the individuals and companies promoting them: the claims that you can build a website in minutes. This is simply not true. Installing a CMS application on a domain name is not building a website. Using a free or ‘next-to-free’ DIY website builder to launch a site in minutes is also not building a website. If you buy into such claims, you will quickly learn that there is much more involved.

How Hackers Can Exploit Your WordPress Site

Being the most popular content management platform means that WordPress is also a favorite target for hacker attacks. The fact that the core application is open source (i.e. free to download) also means that hackers can get their hands on the source code and look for weaknesses (i.e. holes in the code that let them into the installation on the server). As a website becomes more and more popular, it can easily end up on the radar of WordPress hackers. Some hack into sites for some weird sense of personal accomplishment or notoriety; others do it to insert spam links and affiliate links to adult sites for a quick buck.

The latter is the situation one of our clients found themselves in. Their site was hacked with the goal of injecting spam links. Thankfully the goal was not to crash the site, so content was not harmed apart from links added into the text of some posts. Files were also uploaded that attempted to send redirect headers sending visitors of the client’s site to porn sites. At TCK Media we went through the site files and database forensically to remove all malicious injections and restore the original content while increasing security. This allowed us to see how the hackers tried to exploit the site.

As already mentioned, the hacker installed files such as default.php and others in an attempt to redirect to porn sites. Fortunately this did not work and only produced “headers already sent” errors. However, the inserted files also prevented the admin area from being accessible over HTTP.

A new user was created maliciously with admin permissions in order to upload files via the media uploader and insert links into very old posts. The links were inserted within <div> tags with CSS that prevented them from being visible in the visual editor of WordPress admin; only in the text editor (where the code is exposed) could they be seen. This would make the links hard to spot for the site owner unless they went back to revisit old posts with the editor set to text view. Also, the links carried ‘nofollow’ tags in order to prevent Google from flagging the sites as dangerous. All of this explains why hackers target high-traffic sites. Obviously, the hacker knew that the old posts would be indexed in Google and was hoping that visitors from search queries would see the spam links and click on them.

Through a forensic review of all files and the database we were able to isolate the illicit user, files, and injected links. Core WordPress files were re-installed and the original content restored with added security.
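As an added example that is not TCK Media’s own tooling, a Python scan over a post’s HTML that flags links sitting inside elements hidden with inline CSS (the <div> trick described above) and, for manual review, off-site links carrying rel="nofollow"; the sample post and the site hostname are constructed.

```python
"""Added example (not TCK Media's code): find link spam hidden with inline CSS
in WordPress post HTML, the way the injected links above hid from the visual
editor. The sample post and the site hostname below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-CSS patterns that keep content out of a human reader's sight.
HIDING_CSS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}px", re.I),  # pushed off-screen
    re.compile(r"font-size\s*:\s*0(px)?\s*(;|$)", re.I),
]

def is_hiding(style):
    return any(p.search(style or "") for p in HIDING_CSS)

class HiddenLinkScanner(HTMLParser):
    VOID = {"br", "img", "hr", "input", "meta", "link"}  # open no element

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []       # one flag per open element: is it hidden?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        parent_hidden = bool(self.stack) and self.stack[-1]
        hidden = parent_hidden or is_hiding(a.get("style"))  # hiding is inherited
        if tag == "a":
            self._check_link(a, hidden)
        if tag not in self.VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in self.VOID and self.stack:
            self.stack.pop()

    def _check_link(self, a, hidden):
        href = a.get("href") or ""
        host = (urlparse(href).hostname or "").lower()
        # Off-site nofollow links are only a review item; hidden links are the alarm.
        offsite_nofollow = (bool(host) and host != self.site_host
                            and "nofollow" in (a.get("rel") or "").lower())
        if hidden or offsite_nofollow:
            self.findings.append({"href": href, "hidden": hidden,
                                  "offsite_nofollow": offsite_nofollow})

def scan_post(html, site_host):
    """Return the suspicious links found in one post's HTML, in document order."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: an old post with an injected, off-screen spam block.
SAMPLE_POST = """
<p>Our spring menu is here. <a href="/menu">See it</a>.</p>
<div style="position:absolute; left:-9999px;">
  <a href="http://spam-casino.test/" rel="nofollow">cheap pills</a>
  <a href="http://adult-site.test/x" rel="nofollow">click here</a>
</div>
<p>Thanks! <a href="https://partner.test/" rel="nofollow sponsored">Our sponsor</a></p>
"""
```

In a real review the same function would be run over every row of wp_posts (post_content), starting with the oldest posts, since those are the ones the owner is least likely to reopen.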

Even though WordPress is a free open-source application, building a large, high-traffic site with it requires many different considerations to make it secure and able to withstand attacks. Premium themes, plugins, customization, hosting, etc. will make the cost add up. You can also take a look at our Insights feature, Guide to WordPress Security, for more information and practical steps each site owner can take to prevent a WordPress hack.

E-commerce Tips

E-commerce is the business of buying and selling products online. Anytime there is a purchase over the Internet in exchange for goods, whether physical or digital, a website must have e-commerce functionality. This basically entails having a way to accept online payments and take orders that then can be fulfilled either offline, for physical goods, or automatically online, for digital goods usually in the form of downloads.

Over the past several years e-commerce has grown incredibly in popularity, and even traditional brick-and-mortar stores have created e-commerce websites where customers can order online and either pick up at the nearest location or have the item(s) delivered by mail.

Today, e-commerce is a multi-billion dollar industry with annual revenue in the hundreds of billions of dollars. With those high numbers also come competition and certain standards expected by customers. An e-commerce website must also offer a higher overall user experience (UX) to be successful. Here are our top e-commerce tips to help you succeed.

Don’t Rush the Launch
This is one of the biggest mistakes made by unsuccessful e-commerce entrepreneurs. Make sure that you have all areas of your website covered, from content & SEO to design and functionality. You only have one chance at a successful launch and at making a first impression. Nothing turns people off a website more than functional errors and a poor experience. So make sure you have all aspects of your site fully tested before launching.

Focus on User Experience
One of the major shortcomings of an e-commerce website is that the visitor can’t feel, touch or smell the product. You need to compensate by making the site as user-friendly as possible. This means that you should have clear images of all angles of the products along with the ability to enlarge images. Make the checkout process as easy as possible. Process the order immediately after payment. And offer a reasonable return policy to put the customer’s mind at ease.

Closely Integrate Social Media
Social media is the life-line of a business. This is where you can interact with your customers and potential customers, get almost immediate feedback, stay close to your audience, and reach out to new prospective customers. Social media management should not be delegated to a third party; you want to stay close to this part of your e-marketing. If you have a social media manager, make sure that you are involved as well. Also add social media widgets to your website such as Facebook likes, latest tweets, and social media sharing buttons.

Make Your Site Mobile-Friendly
More and more people access e-commerce websites using mobile devices such as tablets and smartphones. The amount of purchases online using mobile devices is growing exponentially each year. If your website is not mobile-friendly then you are losing a lot of business and may become irrelevant in a few years.

Make SEO a Priority
There is no question about it: when it comes to succeeding online in any type of business, SEO is critical. If you are not getting sales from people coming to your site via organic, or natural, search engine results, then you are struggling and will continue to struggle. In order to succeed in e-commerce, prospective customers must be able to find you on the search engines using keywords related to your products. A professional SEO company can help you in this area.

Build a Customer Database
Customers who have purchased from you and are happy with their purchase are more than likely to buy from you again. Build a database of email addresses. Put up a subscription form on your website so that visitors can subscribe to receive special discounts, new product info, and more. Sending out periodic email flyers will keep people coming back to your site and encourage them to buy. The best part is that the benefits far outweigh the cost of email marketing.

Take Full Advantage of Testimonials and Reviews
If you have positive comments from customers who were happy with their experience on your site, make sure you post them for others to see; it will help build confidence in your e-commerce site. Also, integrate reviews and ratings for your products. Good reviews and ratings promote more sales, and even bad reviews help you gauge which products to continue selling and which to discontinue. That way you keep only the best products, the ones customers buy more often and return less often.

Provide as Much Information as Possible
Have a detailed FAQ page on your site. There should also be a Company Info page as well as clearly outlined policies and easy-to-find contact information. The more details you provide and the more questions you answer, the lower the likelihood of misunderstandings, which leads to more customer confidence.

Integrate Strong Analytics Program
You want to be able to track the visitors that come to your site. Where are they coming from: search engines, direct navigation, or links from other sites? This can help you see whether your SEO program is working and whether it needs improvement. What are they doing on your site? You want to know which pages visitors spend time on and how much time, what the landing and exit pages are, and what the bounce rate is. If visitors come to only one page and then leave after a brief time, that is a bounce; you want to keep the bounce rate as low as possible. Analytics will also show you how many visitors are completing important goals on your site such as making a purchase or signing up for your email newsletter.

By incorporating these e-commerce tips into your site, you are greatly increasing your chances of success.

Guide to WordPress Security

WordPress security is a growing concern as the popularity of this software continues to grow. The great thing about open-source software such as WordPress is that it is available to everyone for free. The worst thing about open-source software is that it is available to everyone for free. Although this great piece of software has many developers working on improving it and creating new plugins all the time, it is also extremely vulnerable to hacker attacks because everyone has open access to the source code. For this reason open-source software such as WordPress receives a lot of security updates with each new version release. However, this is not enough, and WordPress site owners can do a lot to increase the security of their sites.

The WordPress team has made the installation and launch of a new website very easy and fast. Some hosting companies even offer one-click installation. This simplified installation process makes it easy to overlook the security steps needed to make a WordPress site truly secure, which can take some effort. Whether you are using an open-source CMS such as WordPress or a custom-built CMS, security is always a serious concern.

Here are the top tips for protecting your WordPress site:

Basic WordPress Security Tips

1. Use a good Web hosting company with a proven track record. A good hosting provider will ensure their servers have the latest security patches, PHP/MySQL updates, a firewall, brute-force attack prevention, and other security features. One that specializes in WordPress business hosting is ideal.

2. Install the WordPress core files in a directory other than the root one.

3. Change the table prefix from wp_ to something else.

4. Use a very strong password for the database user.

5. Also use a strong password for your WP login and choose a username much less obvious than ‘admin’. WordPress now comes with a password strength indicator. Make sure that it shows that your chosen password is strong.

6. Delete the pre-installed pages, posts, and plugins.

7. Use only premium themes and plugins. Make sure that the plugin you install has good reviews and a good number of active installs. If the plugin is a security risk it likely will not have many installs and if it does, it will have a low star rating. Poor plugins have lazy or buggy code that can be easily exploited by hackers.

8. Use a good CAPTCHA plugin for ALL of your forms, including your wp-admin login. You can install a Google reCAPTCHA integration plugin or another anti-spam plugin, keeping in mind point 7 above.

9. Always update your core WordPress files, themes and plugins to the latest versions as soon as they become available. You may want to install “Advanced Automatic Updates” to help you automate the process.

10. Keep your computer virus-clean by regularly doing a virus scan with anti-virus software that also is regularly updated. Some hackers can get your password and username through malware installed on your computer.

Advanced WordPress Security Tips

1. Install and configure an anti-malware firewall plugin.

2. Activate two-factor authentication (2FA). This is another step in your login process that gives you extra peace of mind. You can search for two-factor authentication plugins through the WordPress plugin directory or Google. The two most popular currently are “Clef” and “Two-Factor Authentication (Google Authenticator)”. Both use your smartphone (iOS or Android) as the second layer of authentication.

3. Install an SSL certificate on your website hosting account.

4. Ensure that none of your subdirectories can be viewed via HTTP by creating a blank index.html (or index.php) file in all subdirectories.
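Two of the tips above (basic tip 3, the table prefix, and advanced tip 4, blank index files) are easy to script. The following POSIX shell script is an added example, not TCK Media’s own tooling; it assumes an Apache host for the .htaccess line, must run on a fresh install before the web installer creates the tables (a prefix change afterwards would orphan them), and the WordPress tree it builds at the bottom is a constructed mock so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not TCK Media's code). Applies two of the tips above to a
# WordPress document root: a random table prefix instead of wp_ (basic tip 3)
# and a blank index.php in every directory so nothing is listable over HTTP
# (advanced tip 4), plus "Options -Indexes" in .htaccess for Apache hosts.
# Run it on a fresh install BEFORE the web installer creates the tables; a
# prefix change afterwards would orphan them. The tree built at the bottom is
# a constructed mock so the script runs stand-alone.
set -eu

# Six random [a-z0-9] characters followed by an underscore, e.g. "k3q9zp_".
random_prefix() {
    printf '%s_' "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)"
}

# Swap the default prefix in wp-config.php; leaves any non-default value alone.
set_table_prefix() {   # $1 = docroot, $2 = new prefix
    if grep -q "^\$table_prefix *= *'wp_';" "$1/wp-config.php"; then
        sed -i.bak "s/^\$table_prefix *= *'wp_';/\$table_prefix = '$2';/" "$1/wp-config.php"
        rm -f "$1/wp-config.php.bak"
    fi
}

# Empty index.php in every directory that lacks an index file: a server with
# directory listing enabled then serves a blank page instead of the file tree.
add_blank_indexes() {   # $1 = docroot
    find "$1" -type d | while IFS= read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || : > "$dir/index.php"
    done
}

# Second guard for Apache: turn directory listing off outright (idempotent).
disable_listing() {   # $1 = docroot
    grep -qs '^Options -Indexes' "$1/.htaccess" || printf 'Options -Indexes\n' >> "$1/.htaccess"
}

harden() {   # $1 = docroot
    set_table_prefix "$1" "$(random_prefix)"
    add_blank_indexes "$1"
    disable_listing "$1"
}

# --- constructed mock of a freshly unpacked WordPress tree -------------------
DOCROOT=$(mktemp -d)
mkdir -p "$DOCROOT/wp-content/uploads/2018/04" "$DOCROOT/wp-content/plugins"
: > "$DOCROOT/index.php"                        # WordPress's own front controller
printf "<?php\n\$table_prefix = 'wp_';\n" > "$DOCROOT/wp-config.php"
harden "$DOCROOT"
echo "hardened $DOCROOT"
```

On a real host, point `harden` at the document root instead of the mock and check the resulting prefix in wp-config.php before running the installer.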

These are some of the key ways you can beef up your WordPress security and stay protected from malicious attacks.