Red Kite Creative

Security

Does Your Website Need a Privacy Policy?

by

If you have a form on your site, the answer is ‘yes.’

If you collect any type of personally identifiable information (PII) like names, email addresses, phone numbers, or payment information, you need to have a privacy policy on your site. If not, you potentially risk penalties and legal challenges down the road. And if you have an old privacy policy, it most likely has not kept pace with legal changes.

Privacy law is changing fast – more U.S. states are moving to create their own privacy legislation, and if you have European customers, you may already be familiar with the GDPR (General Data Privacy Regulation) that requires protection and disclosure of customer data.

The Colorado Privacy Act

Did you know that Colorado (where we’re based) has a brand new privacy law that was officially enacted on July 8, 2021? It’s the third state (after CA and VA) to enact privacy legislation. If you conduct business in our state or target residents of CO with your products and services, this new law may apply to your business if you have more than 25,000 customers. More information on the Colorado Privacy Act here.

How to Get a Privacy Policy

Check out our sister site WP Minder’s latest post on why websites need privacy policies and get in touch if you have questions or are interested in getting a policy added to your own site.

Three Ways to Share Confidential Info (More) Safely

by

I often need to get sensitive information from clients: domain registrar login, FTP credentials, hosting account login, etc. Sending this kind of info by email is not a good idea, it’s too insecure (although it’s hard to keep clients from doing it anyway sometimes).

What should you do instead? A phone call to share long passwords is not that helpful. But there are some online tools that are built to ‘self-destruct’ once they’re read or after a specific short timeframe. Here are three.

QuickForget.com

This is my go-to tool for sending secrets online. You can attach files, and set it to delete the message after a set number of views or a certain number of hours. The sender types or pastes their sensitive info, selects options and saves, then sends the recipient the link. Very easy to use.

OneTimeSecret.com

This one allows you to set a time limit as short as 5 minutes (virtually a self-destruct on reading) and a password (or generate a random one).

privnote.com

Similar to the first two, privnote also has some other features. By default it asks for confirmation by the recipient before showing and destroying the note (which you can disable). You can also send yourself, the sender, a note when the private message has been destroyed. And you can set the message to self-destruct immediately after reading.

Any of these tools is a much safer option than using email to send confidential info.

Did you find this information useful? Please share with your friends and colleagues and comment below if you have questions.

Did Your Site Get Blacklisted by Norton Safe Web?

by

One of my sites was blacklisted by Norton Safe Web last week. A client’s site was blacklisted two days after launch. Both have no malware and are not blacklisted anywhere else – a sure sign that Norton is doing something very different than all the other blacklisting services.

Here’s how Norton describes their ‘service.’ While I’m sure there are legitimate flaggings going on, the only ones I’ve encountered so far are not. Sucuri confirms that Norton is sending out ‘false positives’ in a chat I had with them today:

‘Regarding the Norton blacklist alert, Norton systems have been flagging a lot of false positives lately.’

One of my clients first reported this problem about about a month ago. Despite not being on any other blacklist, and having her site cleaned by Sucuri repeatedly and verified to have no malware whatsoever, she remains on Norton’s blacklist. Here’s what her site profile on Norton Safe Web says:

‘This is a known dangerous web page. It is highly recommended that you do NOT visit this page. The threat categorization is not complete & details will be added soon.’

So if your site is blacklisted by Norton and a potential customer is running some form of Norton’s security software, when they visit your site they will see a warning like the one above. They will most likely choose to avoid your business as a result.

Improperly flagging a site without due process can harm the business and doesn’t help anyone except Norton. No one should blacklist without due process, and unless they offer a reasonably fast and easy removal process for improperly flagged sites.

Here are the steps required to request (but not necessarily receive) a review from Norton to get your site off their list.

1. When you go to their report for your site you’ll see the link for ‘Site Owner? Click Here.’

2. You’ll see a menu of choices. If you click on ‘Do you think your web site’s rating is inaccurate,’ you’ll see this: ‘Please note that your site needs to be registered and site ownership verified to get the site re-evaluated.’ It goes on to say:

If you feel that your Web site has been given a rating by Norton Safe Web that is inaccurate, you can easily request a re-evaluation following these steps:

  1. Sign in to your Norton Safe Web account.
  2. On the “site dispute” tab, click the “Re-evaluate my site” link next to your Web site name. You can raise your concerns and issues regarding content on your Web site here.

The “site dispute” tab lists any threats detected on your site. You must remove these threats from your site.

3. You are required to sign up for NortonLifeLock and join their Safe Web community and create a display name.

LifeLock is an identity protection company that many of us were signed up for in the wake of the credit reporting agencies’ personal information theft debacle. If you were one of those signed up and later tried to leave LifeLock, you know that they make it extremely difficult, time-consuming, and onerous to remove yourself from their services.

4. When you go back to your site’s report page, you can click on Add Site under Site Dispute and then will have to verify that you actually own it. To do this you’ll have to either upload the supplied HTML file to your site or add a meta tag to your site header. I chose to get the HTML file, but I don’t think it matters which one you do.

5. Once you do one of the above (HTML file or meta tag) click ‘Verify Now.’ During this step, I got this message: ‘The Norton Safe Web site is unavailable. Please try again later.’

…..

6. When I could see the profile page again my site was verified. Click on ‘re-evaluate my site.’

7. You’ll see that the language is broken, looks like a scam email rather than a legitimate company: ‘Please provide re-evaluation reason for each reported threats and proceed to click on Submit button.’  There was no space to provide any reasons or comments, at least not for my submission.

8. After you click the Submit button you should see your site and a ‘re-evaluation in progress’ message under Status.

That’s it for now – I’ll report back when I get a response.

EDIT: An email from Norton says it takes 2 weeks for a re-evaluation. Don’t hold your breath – one of my colleagues has had a clean site blacklisted for 9 months – 3 attempts to contact Norton have been met with complete silence.

If you work with Sucuri (recommended if you know you have a legitimate malware issue, they are great) they submit a request to all blacklisting databases once their cleanup work is complete. But my client has been on Norton’s list for almost a month now. Even Sucuri is having problems getting false positives removed from Norton Safe Web, it seems.

Also – Norton began sending me ads the day after I registered on their site to request removal.

Weekly Links Roundup – Podcasting Mics, WordPress Updates, Social Media Marketing

by

The top website and online marketing links of the week.

Thinking about starting a podcast? Or already doing one, but need to upgrade your gear? Here’s a review of the top 10 podcast microphones and some reasons to justify getting one!

Do you keep your WordPress website up to date? A recent study showed that only 36% of WordPress users have the latest version of the core software installed. That’s a big security problem. Did you know that the WordPress folks publish the details about the reasons for each update they publish in their changelog? That makes it easy for everyone (including hackers) to learn about the vulnerabilities in old versions of the software. Here’s an example of that from May 2019. So if you’re not up to date, hackers have a roadmap to exploiting your website.

(If you need help with updates (as well as backups, security, high-quality hosting and much more) sign up for one of our WordPress Care Plans and get 10% off any monthly plan when you sign up in March with coupon code O1485GNVFH.)

If you’re thinking about getting started with social media marketing, you may be feeling a bit overwhelmed. Where do you begin? That’s a great question and here’s a post that tries to answer it. Start with a clear goal (get people to see your products; share promotions; show how customers love your services) and then think about the content types you want to share. The social media platform(s) you choose to concentrate on must fit with your brand, what you want to publish, and what your customers are using. This is a great article for starting out!

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Weekly Links Roundup – Great Photos, Free Stock Photos, CCPA Compliance

by

The top website and online marketing links of the week.

Are you a stickler for great imagery on your website to show off your products or services to the max? Or is it just one of those things that doesn’t get a lot of attention – you either have little imagery or use photos you took on your phone? Whichever camp you’re in, the quality of your site images says a lot about your business. Learn why having great images is so important to giving a professional impression to your customers and how high-quality photos improve your credibility.

To follow up, here’s a review of 10 sources for free stock photos that have pretty good variety in their collections.

By now, you’re likely very familiar with GDPR (the European regulations that improve consumer privacy and control over personal information). Now we have the CCPA, the California Consumer Protection Act. CCPA is similar to GDPR but compliance will require you make some additional changes in your website, especially if you have customers in CA.

Many smaller business will not be impacted because they don’t meet at least one of the thresholds, which are:

  • annual gross revenues of $25 million;
  • annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
  • derive 50 percent or more of its annual revenues from selling consumers’ personal information.

However, it’s still a good idea to get familiar with the new regulations because we’ll likely see more of these in the future. Learn how to make your WordPress site comply with CCPA.

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Weekly Links Roundup – Banner Ads, Blogging Ideas, VPN, Favicons

by

The top website and online marketing links of the week.

Don’t know if you noticed, but if you logged in to your WordPress site in the last day or two and are using Yoast SEO, you would have seen a great big irritating animated banner advertising Yoast’s black Friday sale. There were so many complaints and so much pushback, they actually apologized and released a new version of Yoast SEO minus the ad. (WP Minder users, you’ll get this update on Monday!). Please think about the impact banners and popups have on your users, this one is a good example of being pushy.

Next… Do you ever draw a blank when trying to come up with something to blog about? It can be hard sometimes… Here’s one of those posts that might help: 25 blog post ideas for when you’re stuck. This tool looks interesting, I’ll be trying it myself: Answer the Public.

Do you work on your website in public – at coffee shops or other locations with free wifi? If you do, you really should be protecting yourself by using a VPN (virtual private network). If your site uses SSL (it has an https address) that’s great, because it means your connection to the site is encrypted. But if not, a VPN is in order. It will act as a middleman to protect you from security problems on the free wifi network, where it’s frighteningly easy for hackers to watch your activity and gain access to your site. Learn about three VPN options for WordPress users.

Finally – all about favicons. What they are, why they matter so much. What’s the easiest way to get your favicon into your WordPress site? This plugin by RealFaviconGenerator.

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.