Tips from Idea15 Web Design

I have two clients who, for reasons which are more social than technical, prefer to keep their email accounts on a different IP and domain from their web sites.  While their sites reside on my own VPS, their email accounts reside with their previous web hosts.  I have no problem with this – a little bit shifted over to someone else’s bandwidth, after all! – however, the split can cause a few technical problems.

At first, when trying to write to these accounts, emails can bounce back as undeliverable.  The error messages include “This address no longer accepts mail”, “No such address, and “No account by that name.”  Why?  On a VPS, the server does not look beyond itself when sending an email, so it never looks at external MX records which point to the correct location.  You need to force the VPS to check the MX record, not assume it is delivering to a local domain.

The Solution

On an Apache system, go to /var/qmail/control.  Remove the domain’s entry in the virtualdomains and rcpthosts files.  Restart your qmail.

For my “split” clients, this solved the problem immediately and the undeliverable bounces stopped.

Many thanks to Idea15’s database geek par excellence for figuring this out!

WordPress is now the open-source CMS of choice.  But like any web platform, it isn’t perfect.  The responsibility for keeping the installation secure falls solely to you, not to a faraway company.

As a designer, I am occasionally asked to peek “under the bonnet” of other WordPress sites, and I tend to go pale when I see a site that has no security safeguards in place.  It’s a bit like keeping your front door locked, but leaving the key under the mat.  Without some security precautions, breaking in is that easy.

There are plenty of lists and posts out there with excellent information on how to protect your WordPress site, but not everyone has the time or the technical inclination to see it through.  With that in mind, here is a list of a few critical steps you should take to protect your WordPress site.  These will take a minimum of five minutes, and no more than 15.  When I set up a new WordPress install, I do not do one click worth of work until I have run through these security safeguards. Make it your own habit to do the same.

1. Create a new administrator user with a new login name.  Delete the default “admin” user.
2. Use random gibberish passwords of at least 12 characters.  Here’s a helpful random gibberish password generator.
3. Install and activate the Login Lockdown plugin.
4. Install, activate, and run the Secure WordPress plugin.
5. Install, activate, and run the WP Security Scan plugin.  Run its File Permissions check, and change your folder permissions accordingly.
6. Install, activate, and run the Maintenance Mode plugin to create a landing page and “cloak” the work in progress.

This audit will provide your WordPress site with a healthy standard of essential security and protection.  The three security scanner plugins do have some overlap, but I doubt you will mind.  If you want to explore more advanced options for protecting your WordPress sites, here are some definitive lists:

• 12 Essential Security Tips and Hacks for WordPress (Six Revisions)
• 13 Vital Tips and Hacks to Protect Your WordPress Admin Area (WPBeginner)
• 9 tips to make WordPress hack-proof (guvnr)

It goes without saying that you should keep your WordPress installs updated to its most recent version at all times.  This summer’s attack wave preyed on sites which still had older installations running.  Newer versions of WordPress allow upgrades with one click; and if your server is like mine and does not like the automatic system, manual upgrades take less than five minutes.

Some might say that you should not engage in security procedures like this unless the client specifically instructs you to do them – and more to the point, pays you to do them.  That’s a dangerous game to play.  When you decided to use an open-source platform for your client’s site, you consented to the fact that the platform would require occasional vigilance and maintenance from yourself.  Open source is not a cash cow which gives you a means to squeeze money out of your clients every time an upgrade becomes available.  If you feel you should be paid before doing upgrade work, think about what it will cost you in the long run to have your clients’ web sites defaced during a hacking wave because they were not adequately protected.  Being proactive about your existing clients’ ongoing needs – even if there is no pot of wealth in it for you – is what separates the real web designers from the shysters.  Choose where you want to be.

A client contacted me today seeking guidance about an odd email he had received.  Here’s what it said:

I was hoping you might now have had the chance to think about my email, sent to you some time ago. Would you be interested in placing a simple text advertisement on your site? Our clients are some of the best known brands in a range of industries and would value the demographic your site targets. We pay a fixed annual fee to webmasters for placing adverts for our clients. You can find more information at (URL)

This is not the first time I have seen this offer.  It is run from a well-known company which, contrary to their claims of “valuable demographics”, targets sites in a fashion that’s so random as to be laughable.  For example, a small neighbourhood web site I administer here in Scotland was targeted by this company using an IP from an East Asian country.  Many folks in that community can’t afford to put the heat on in the winter, so the thought that they were a “valuable demographic” to the Asian market was odd to say the least.  In the case of the client who contacted me today, the company web site deals with such a specific, narrow, and geographically focussed target market that their counterparts can be numbered on one hand.  The mere fact that they were targeted suggests someone working off a quota list.

The ads this company places are never ads for the sorts of products and services one would want to be associated with.  99% of the time they are the sort of ads which, when they are sent to you over email, are funneled directly into your spam folder.  Don’t think too hard, but medication, casinos, and “recreational activities” should come to mind.  Text ads like this will drag your site’s legitimacy as well as its search engine ranking down like a dead weight. You can read about what typically happens if you do go ahead with this sort of arrangement: Bad ads can come back to bite you.  It makes for depressing reading.

Yes, the company has a perfectly rational explanation for everything (don’t they always?), and a few stock lines they use to retort any pesky questions about their transparency and integrity.  Most of those retorts fall into the “it depends on what your definition of ‘is’ is” category, with a dose of blame-the-victim thrown in for good measure.

If you have received one of these approaches

It goes without saying, but if you as a small business owner are approached by someone wanting to place ads on your web site, think about it.  Why is someone you have never heard of, writing from a random virtual company, trying to skive off your site?  If they are such a market leader, then why do they need the help of a little business like yours?  Will sharing your web site with another company help your brand or dilute it?  Will ads you have no control over serve your customers, or drive them away?  Is this what you went into business for?  And really, is it worth risking your brand integrity for a fee so low it wouldn’t pay your TV license?

If you are interested in placing ads on your web site, do it on your time and on your own terms.  Google AdSense, Yahoo Publisher Network, and LinkedIn Direct Ads are all legitimate, professional, and highly flexible services you can use to integrate relevant ad content.

As always, if you are in doubt about the legitimacy of an approach you have received, contact a professional web designer for guidance.

Web design, it’s safe to say, is a field which has some very unique challenges.

Just yesterday a colleague and I were commiserating -  to the point where we were saying the same words in unison – about potential clients who ask you to come in and do a sales pitch, and then you send them a written proposal, and then you never hear from them again.  There’s nothing.  No response, no follow up, no returning calls or emails.  My fellow businesswoman and I were in complete agreement over why it’s so frustrating: they asked us to come to them.  The pitch was not the result of a cold call initiated on our side.  We made ourselves available to their needs and questions, we travelled to their offices and put our best feet forward, and we spent a working day drafting a letter-perfect proposal.  And from that, we don’t even get the courtesy of a one-word communication from them.  Even if you’ve followed every bit of best practice in sales and follow up, they completely ignore you like a clique of teenage girls.  One simple word – “no”- is all we’re asking for.  But that’s one more word than you will ever hear from the potential client again.

And it’s now happened to me five times this year.  My colleague had similar sentiments about her own business.  Of course, you know that you are not going to win every project you pitch for.  But you don’t expect to be snubbed entirely.  Obviously, if a potential client behaves in that way, not gaining their custom is no big loss.  But that does not make up for the hours of meeting time, effort, and document drafting that you’ve put in without so much as a thank you.  I wish there was a crystal ball – or a widget, or a plugin, or an app – that could tell you which potential clients will turn out to be tumbleweeds rolling across your desktop and which ones are going to be the start of a beautiful friendship.  But there’s not.

It’s not all bad news, of course.  Sometimes you get that fantastic client who you can work with for years.  They just “get” the web and its potential and provide you with a steady stream of project work that never quite feels like working.

And yet.  Sometimes a client responds to your proposal and you dive into the project together.  And then this happens: analysis paralysis.  A simple question which requires two minutes of the client’s thought goes unanswered for two weeks.  The next question stretches to a month.  And then an entire season has passed since you last heard from the client – even though (and this is the really crazy bit) they have paid you money to perform a service for them.  As with your sales pitch, you make yourself available to them, you remain flexible, you stay in contact, you provide multiple means for them to contact you…and they don’t.

So what’s a designer to do? You have committed to working for them, but they are not working with you.  You can’t actually mothball the project because they have not told you to mothball it.  You want to remain professional and see the work through to its completion, even though the completion date in the contract is so far in the past that you are fully within your rights to send them an Abandonment of Project letter.  You run through your past behavior obsessively, thinking “was it something I did?”, even though you are not the one at fault.  You know that there are perhaps less than two working days left in the project, and the thought that you could have the work done and dusted by the weekend annoys you for the principle of the thing.  Your accounting figures – in your books and in your head – said you’d have made twice as much from this project as you actually have, and that causes problems as well.

How do you handle your mothballed web projects?  Are there any tricks you use to sweep away the tumbleweeds?

In the spirit of trying something new, I’ve had an article published on the excellent Find Networking Events site.

Click here to learn what to do if your web site designer has gone out of business.