Businessman hand holding money banknote for paying the key from

When your website helper becomes your website hacker!

We are just six weeks into 2019 and I’ve personally helped recover three websites and one social media account so far this year after each was hacked. Every one of these cases caused panic and alarm in the website owner. Two of them involved fraud, or attempted fraud, and one caused a website to be flagged as malicious by Google.  We’re still trying to recover its ranking and reputation. Let me say, whatever you can do to protect your website is worth the investment, rather than dealing with the stress of a stranger attempting to destroy your hard-won livelihood.

But today we had an incident different to the norm, and it’s prompted me to write because it’s a flippin scary scenario.

Businessman hand holding money banknote for paying the key from

This particular client has strong connections to businesses overseas, her family often travels and her husband actually works with outsourcing centres abroad. Consequently, rather than use our services in the UK, they had engaged a website support in another country they worked in. This made sense finanically and they felt they had a trustworthy person on board. He had been working for them for about six months I believe. Then today, out of the blue, this person contacted them threatening to delete both their business websites unless they paid him a large sum of money.

Website sabotage by a person you trust

Our saboteur had logged in to both sites with my clients’ details that she had given him to do the work. He then defaced both websites by deleting all the posts and pages. He created himself a new administrator account and deleted all of the other users, so nobody could login directly. Moreover, he accessed a back-up plugin that we had installed and deleted all the back-ups on the server and, using the same plugin, deleted our copies too from remote storage. (Happily we do not rely on that particular back-up plugin for this sort of emergency.)

Keep back-ups that are separate from your server

This guy was quite clever in that he thought he could hold the business to ransom because he believed he had deleted all their back-ups. But thankfully, as part of our support package, we also create copies of our websites overnight and store them remotely on a completely different server. Plus any web host worth their salt will create a daily back up of their server – so we usually can restore a website that way as long as you contact them right away.

In this situation then we were able to restore both websites quite quickly and lock the perpetrator out. Thankfully, he wasn’t as smart as he thought he was. And luckily he wasn’t technically able to break into the hosting account or the server directly to plant any nasty viruses or malware. Consequently he was cut out fast.

We could also identify his IP address and block that too!

But it left me wondering… after all there was no way of penalising the perpetrator now, even though he wasn’t an anonymous hacker, he’s not exactly within reach. I’m guessing he will sink into the shadows with very few or nil consequences. Unfortunately, it goes to show that even those you have built a relationship with can and do try to hurt you.

To help yourself, please do take note:

What saved my client from losing her sites?

  1. We kept remote back ups that this hacker could not access.
  2. We had a savvy web host who could lock out this hacker and give us access to a back-up of their server quickly. (IONOS in this instance – not usually my favourites, but they did a great job today!)
  3. We changed all our passwords immediately. This included passwords to the hosting account, database of the website, as well as website logins.
  4. My client had us on the phone to help restore the right files and database within a couple of hours.
  5. We used Wordfence to help lock down her site from future attack. (Our clients have the Premium licences to give them the best chance of avoiding a hack). We identified the perpetrator’s IP address and blocked it. And if he attempts to login to the sites again with his old username or email he will also be blocked.

And what could you do to prevent this happening?

  1. Be very careful giving access to anyone working on your website. Check them out thoroughly, and ideally go and meet them. Get a physical address for their place of work. Obtain client reviews and check a couple to make sure they are genuine.
  2. Avoid giving Administrator access to your website. WordPress has a few standard options, like Author or Editor, for people preparing content for your site. Or you can create a custom User Type to give more access than that. For example, if you employ someone to work on your SEO, they might need to install plugins and work on the structure of your site, so they would need greater privileges than Editor to do that. There is a plugin called User Role Editor to help you give the access they need without giving them the keys to the car, so to speak. Basically you do not want a person to easily be able to add or delete other Users without your permission. Otherwise they can delete you! Just like happened today.
  3. Check any third party who requests Administrator access to your website in order to troubleshoot a plugin or theme problem. Read their Support reviews. Find out where they are based and how long they have been around. Do they have a credible website and associated domain? Did you find them through a well known platform like Envato Market or WordPress? If they approach you directly, rather than you going to them with a problem, I would see red flags for sure. Many well-established theme and plugin authors have developed alternative ways of checking your website if you have a crazy error on it, so they no longer need Admin access. It’s always better to pay for premium support than risk a dodgy person having complete access to your website.
  4. Lastly, if you keep any sensitive data on your website, this one is really important. You must not give access to the sensitive data on your website to a third party unless you have told the people who have given the data to you. This will be stated in your privacy policy as part of GDPR. Therefore, if this is you, and you want a new third party to work on your website, you have to lock down that sensitive data, which you can do with the User Role Editor or with another plugin like Adminimize which can hide chosen links in your left-hand column of options from that user. Alternatively, you must advise your customers that you are sharing their data and informing them of how it is protected and how it is (or is not) used.

I hope this all helps. Please do get in touch if you need support.

Go to Account Settings on SmugMug site

Use your own domain on a SmugMug photography website

This week I was asked to help a local photographer set up her SmugMug website.

What is SmugMug?

SmugMug lets you create specialist photography websites using their range of templates and software. SmugMug hosts your site and the main advantage is that you can also sell your pictures securely through it, all for a monthly fee. (It has some disadvantages too, but I’ll save that for another post).

SmugMug creates a URL / web address for your new photography website

When you first set up a site, you have to choose a sub-domain, in this case,

But there are a few downsides to this:

  1. it weakens your brand as clients might not understand what SmugMug is and what it is to you
  2. it is less convenient to say over the phone to clients
  3. it’s not exactly a pretty name, is it?

The good news is that you can use your own domain instead

This is called “cloaking the domain”. First you need to buy a domain. In this case we bought a couple of domains with privacy from 123-reg. (See here why it’s useful to choose the privacy option). For this example we chose

We want all visitor traffic, whether someone enters the URL or, to land on the right SmugMug pages.

(As an aside, I am amazed by how often I see websites that don’t load with both the www in the URL and without it. It’s an easy fix so read on to the second step if this is you.)

Ideally, because the URL here is quite long, I wanted the preferred domain to be without the www. But, here’s the tiny bit of bad news… you can only cloak it to the www.  You can’t send www. to the root domain and then to SmugMug. But it isn’t awful, because we can set this up so that even if you don’t enter the www into your browser address bar, it will still arrive in the right place. Happy days!

This is how you do it:

How to cloak the SmugMug subdomain with your www address

First point your domain’s traffic to SmugMug

Login to 123-reg

Select the domain you want to use

Select Domain To Manage on 123 reg

Click on Manage DNS.

Select Manag DNS on 123-reg

At the bottom of the table you should add a CNAME record with the address:

Add the SmugMug Domains CNAME

This means that anyone who goes to http://www.yourdomain will be sent to SmugMug.

Second, send all traffic from your root domain to www.

Now you need to add a web forwarder so that any visitors going to http://yourdomain will be forwarded to http://www.yourdomain.

Head back to the Control Panel, then click Web Forwarding.

Selec Web Forwarding on 123-Reg Control Panel

You need to create a 301 Permanent Redirect to http://www.yourdomain. Find your domain using the search box. Then add 301 forwarding.

Set up 301 forward on 123-reg

Set up forwarding 301 direct

Third, tell SmugMug your custom domain URL

Shut down 123-reg and open your SmugMug website and login. Then go to the Profile icon at the top right of the page and click Account Settings in the drop down menu.

Go to Account Settings on SmugMug site

This will open the black settings screen. You need to scroll down on this page and look for Custom Domain Name. Enter your http://www.yourdomain here.


Custom Domain Settings on SmugMug

Now wait. It can take six to eight hours for the DNS settings to propagate.

You may see this change immediately, or you may need to wait a while. If, after waiting, you still cannot see the changes, then check all the steps are saved correctly. And you can also search the Internet for a free proxy server to see if the website URL works as expected there. Bonne chance!


Start selling before you can start selling

The Hair Helper Holding Page

This is what we’ve just done for The Hair Helper so they can start marketing before they launch.

My product isn’t ready

This week I heard this problem from a client who is waiting for her manufacturers to start producing her newly designed product… “I can’t build my website until my product is ready to sell… It’s so frustrating. I don’t have any images until I have a product. Everything is in limbo.”

Not so, friends!

You can still prepare to sell.

Mailing list

Get yourself a holding page on your website domain, set up a mailing list and start building that list of contacts. Word of mouth is the best way to start this process.
Talk to everyone you know and ask if they can help you. (Most people love to be asked to help, especially if they don’t have to do anything). Say, “Would you like to support me? Can I put you on my mailing list? Then you will be the first to see my new shop when it’s live.” And if they are enthused by you, they will mention it to their friends too.

Social media preparation

You can also use social media to identify people who may like to blog for you, or help you with PR, in an exclusive way, ahead of general sale, for example. Sometimes competitions are a good way to generate interest and add people to your mailing list too. (Be careful though, you must make sure that it’s optional to be added to a mailing list, not a requisite of entering a competition). Check out the ICO website for guidance.

Use your journey to market as a story for your Facebook page.

Be inventive and set up a Facebook page and Twitter account even before you’ve got your product or images ready. Tell the story of your business idea, your brand and your journey to market. Your personal story can be a great way to build relationships and be an inspiration to others.

Holding page SEO and Analytics

Just having a holding page on your website means you can get a head start with search engines. Google and Bing will still be able to index your “Coming Soon” page, so you’ll be listed from the word, Go! Don’t forget to add a meta title, keyword and description to your page and submit it via webmaster search consoles. Lastly, you can also set up a Google Analytics account to make sure you can track visitors from day one too! It all helps to build your understanding of what works or not.

Find the right Domain Name for you

What domains do I need?

Domain name help for new business owners

This week I was asked by a contact who is starting up a new business which domains to buy. She said, “Is it important to get Or What about .uk? What about .london?” And on it goes… Here are my tips to register the right domains for you.

Is your business name available?

Check out any domain registrar. I particularly like 123-reg for domain registration as they have a really easy-to-use website and services to help find the best domains. If your preferred name is available, great, and if not, there are other options to consider, like checking if the domain is actually being used, or if it’s up for renewal soon, who owns it and can you bid for it? (I’ll plan to cover that in another post.)

Have you checked for similar-named competitors?

Next I would consider is anyone else or another company using the same or similar name, even with a different domain extension? If yes, where are they and what do they do? Established brands have first refusal on their domain names and you need to be sure for your own commercial advantage that you’re not going to get into a messy wrangle over branding / trademarks or customer confusion. You don’t want people going to your website when they want another and vice versa.

An example of this is when we registered There is an Eclipse Chorus based in Canada, and this is a small male singing ensemble, not a large mixed community choir like ours in London. Given the distance and different audiences, sounds and set up, it seemed fine to stick with the name Eclipse Choir, and it’s doing really well.

Find the right Domain Name for youCan you get the ‘big’ domains?

Thirdly, it’s good practice to choose a domain extension that suits your business. For example, if you’re a charity, then you need a .org or a perhaps. If you’re a business then you’ve got a lot more choice!

Look at bagging at least one major domain. My advice is, if you can get .com, then buy it. It will be more expensive than .uk domain names, but it’s so easy to say and it’s very familiar to everyone.

Plus, if you’re in the UK and selling to the UK it makes sense also to have a .uk domain. If you get both, you can decide which one to use and forward one to another.

When choosing either or .uk, there’s not much in it. The latter is a newer option and so, if you buy that one as a primary domain, you might want to back it up with too, because it may be some people would type that in if they were looking you up directly. You can easily forward to .uk if you like it that way around!

The worst thing is not to buy.

Registering a uk domain costs less than £10 for two years, so it’s not a big outlay, even if you’re unsure of your final business name. If you miss it you may miss out for a long time. I won’t ever forget the candidate on The Apprentice who got to the final interview stage with a business plan and was totally foiled when one of the interviewers announced that he had bought up the proposed company name’s domains. The candidate showed lack of thought and commitment by not buying the domain as soon as he had his great business idea.

What about newer domain extensions?

Newer domain extensions are popping up all the time. An associate of mine uses .co and .eu domains. I also have a client who’s just bought a .yoga domain. That alone makes it self-explanatory what she does, right?! I think the important thing to consider is relevance to your business and how easy is it to say and spell to others. Over time the general public will become familiar with the variety of domain extensions available and not find ‘unusual’ extensions surprising or confusing, so long as they tie in well with your offering.

What about ID Protection?

When you come to purchase your domains I’d recommend buying ID protection. A lot of people don’t know that when you register a domain to your person, or to your business, without ID protection then your contact details, including name and address, are published and available on domain registrars over the world wide web. If you don’t purchase ID protection then you will very probably receive quite a lot of email spam at least. Most of this is advertising web design or SEO services, but some of it is rather official looking, nasty scams. I’ve seen one that reads as if you will lose your website / domain name from search engines entirely unless you order their ‘Search Engine Service’. This is, of course, rubbish. Avoid spam if you can, or if you don’t want to pay the extra for ID protection, please be ready to delete delete delete.

Will it have an affect on my search engine rankings?

Google and other search engines will rank your website based on a multitude of factors, and the most important thing is creating great, relevant and fresh content that keeps your visitor engaged on your website. It takes time to build a good Google ranking, perhaps a year to get from zero to hero on competitive terms. The most important bit about your domain name is the name, not the extension.

I’ve got all these domains, so what do I do with them?

Well, you don’t have to do anything! A domain is not a website. You have registered your ownership of a domain name and that is all.

The next step is to look at what you want from a website and find help to build it. It’s only then you’ll get to the point of buying web hosting, which does not have to be from the same supplier. (And there are a few reasons why it is good to keep them separate… another topic for a later post!)

Once your business is operating and you have a website, you can easily point multiple domains to the ‘primary’ website domain with a simple redirect.

If, on the other hand, you’re a collector and you’ve got a little library of domains that you’ve bought because they *could* be great business ideas in the future, then I would probably treat them like my wardrobe. If I haven’t worn it in a couple of years, it may be time to get rid of it. Think about it carefully, if the domain doesn’t have any real value, and you don’t have a specific plan for it, then let it expire gracefully. It could be someone else’s dream 🙂