Why the big brands love WordPress


We’re only just back from a trip to the Netherlands for a European conference for people who work with WordPress – known in the community as a WordCamp.

What did we learn? Well lots actually and we’ll be putting a lot of it into practice in the coming months, but for now we’re just going to share this presentation which details how WordPress is fast becoming the top choice for big business, never mind small business websites.

WordPress, which is Moghill’s favourite website tool, now powers more than 20 per cent of the web.

The presentation is by Sara Rosso of Automattic, the company that runs WordPress.com and leads the WordPress project.

 

This presentation and another nine from the event are available on the WP Tavern website

Website contact forms: Why you must keep them short


Ever given up on an online transaction – like filling in a form – because it took too long? You and just about everyone else.

Web contact forms play a big part in every day web use. If your business has a website, chances are there is at least one contact form on it.

Many people visit business websites to get a phone number, but others will want to contact you using your form.

But instead of making it easy for people to contact you, that contact form could be acting as a barrier.

Are you asking for too much information?

Screenshot of contact form
Do you really need to know all that?

Often businesses and organisations use contact forms as a way of prioritising how quickly to get back to them – or whether to respond at all.

Sometimes forms ask for totally irrelevant information, or at least information that isn’t needed at this early stage.

But if you want potential new customers to contact you via your website, you need to make it as easy as possible for them, and that means asking as few questions as possible.

You may have to deal with more people you can’t help, but form submissions will rise too, as will the number of conversions.

There have been plenty of studies that back this up.

Why keeping forms short helps sales

Holiday company Expedia discovered it was losing $12 million in sales thanks to one extra form field on their website. The field asked for the visitor’s company and people filled it in wrongly, causing the transaction to fail.

A study by Kevin Hale, co-founder of online forms company Infinity Box Inc, showed that site visitors are more likely to fill out shorter forms because they require less effort. The number of questions on a form correlates closely with the rate at which people abandon the form.

And a study by US web company Imaginary Landscape showed how reducing the number of fields in their forms from 11 to four resulted in a 160% increase in forms being submitted and a 120% increase in their conversion rate.

The smaller 4-question form resulted in a significantly higher number and ratio of submitted forms.  In addition, the quality of the submissions remained the same, even with the reduction in submitted information.

Also, the quality of submissions stayed the same.

How to keep your website forms short and efficient

Ask for essential information only – only what you absolutely need to progress.

On a simple contact form this often need be no more than a name and a means of contact – an email address or phone number, or preferably both.

Once you have these then it’s all you need, though it helps to have a comments form that people can fill in if they like.

If you are looking to trim an existing form then ask whether everything you are asking for is really necessary for a first contact. Do you really need to ask for company information? You will find it out soon enough.

More information

ZDNet: Expedia on how one extra data field can cost $12m

Six Revisions: 10 tips for optimizing web form submission usability

Smashing Magazine: An Extensive Guide To Web Form Usability

Inman News: Increase online conversion rates

Imaginary Landscape: Contact Form Case Study

Five tips for writing effective website copy


Writing for the web is different from any other form of copywriting and needs special attention.

It’s not just a matter of taking your printed promotional material, grafting it onto your website and hoping it will do the job – because it won’t.

And going on at length about what you have to offer and expecting people will read every word will not work either.

Writing for the web
Follow some basic rules and writing for the web gets a lot easier.

Content marketers like to bang on about web copy that is ‘engaging’ and ‘grabs the reader’s attention’, but this is wishful thinking at best.

After all if your customers are on your website you already have their attention: The hard part is keeping it!

How to write website copy that works

So here are five tips to help you make the best of your business website. We’re not intending to cover everything here – just the basics of how to structure and lay out your website content.

1. Make your text easy to understand

Generally, people will arrive at your business website with a task in mind and want to know if you are the people to do it for them.

Also, most people do not sit and read web pages from top to bottom, savouring every word: They scan pages, eyes darting over the words looking for something that matches what they are looking for.

So your writing needs to be clear and concise, without complicated sentences with ambiguous meanings.

You also need to put the most important points at the top: If you keep people waiting to get to the point the chances are they won’t hang around long enough to find out.

Don’t try to be clever and throw in some puns or other ‘witty’ writing. That sort of thing can get old very quickly, but mainly doesn’t help get your message across.

Make it easy for people and they are more likely to stay around long enough to find out if you can help them.

2. Break up your text

Great big blocks of text are hard to scan and therefore hard to read on a website.

Everyone is time poor these days with a thousand different things competing for our attention. This makes us impatient and blocky text will be skipped over rather than read.

So you need to use short, succinct sentences and lots of paragraphs – ideally one sentence – and one idea – to a paragraph.

You’ll be amazed at how much easier a page is to read if it’s been split up properly.

You can also use headings (heading 1, 2, etc, not just bold text and bigger font size) to break things up, and if you use the right, relevant, words these actually help your page get found on search engines.

3. Go easy on the formatting

Another trap that people fall into is to try to emphasise different aspects in their text, but tests have shown the more you try and make something on a web page stand out, the more you end up hiding it!

Bold text, entire words in capital letters and random big text sizes can all be used to add emphasis, but once you start using them it’s difficult to stop.

If you find yourself doing this, then the chances are there is too much irrelevant stuff in your web page and you need to edit the copy down.

Formatting needs to be consistent and sparse. Don’t use italics (hard to read) or underlining (easy to confuse with links). Stick to a body text size and font, set heading sizes, and use bold very, very sparingly.

4. Keep it short and stick to the point

Information overload normally goes hand in hand with trying to squeeze too much into a web page – it’s a very common problem on small business websites.

We often see business owners go into all kinds of detail their potential customers do not need to know. The end result is visitors are bombarded with too much information and end up taking in nothing.

If you want to take your car in to be fixed by a mechanic you don’t want to know what make of spanners he uses, or for that matter anything about his methods. You just need to know that he is competent to do the job and how much it’s likely to cost.

Yet many business websites are marred by the business going on at length about how they do things when potential customers do not need this information.

If you want to make it easy for your website visitors (and that’s the only way they will stay), keep it short, simple and stick to your essential information.

5. Read it – Then cut it! (Then read it again)

If you are expecting others to read your carefully crafted web copy the least you can do is read through it properly before you press the Publish button. Sadly this doesn’t happen.

Everything that goes on your business website should be read by at least two people first, to make sure it makes sense and doesn’t contain grammatical errors. A spell checker is also a must.

If you can’t get someone else to read your copy, then take a break – overnight at least is good – and come back to it with fresh eyes. Sometimes it’s easier to read through copy that has been printed out.

At this point you should be reading with a view to cutting it down by up to a half. And once you’ve cut it you’ll need to read it again.

If this sounds extreme it isn’t – once you get into practice it’s amazing how much you can lose, and every word you remove will be helping to make your copy more concise – and above all more effective.

More information

Concise, SCANNABLE and objective: How to Write for the Web – Nielsen Norman Group

How to write for the web: BBC News School Report

If you want to hide it, emphasize it: Gerry McGovern – New Thinking

photo credit: RLHyde via photopin cc

Why online shops fail


If your business sells things in the real world, it’s simple enough to set up an online shop and just sit back and watch the money roll in.

That’s the theory but it rarely works out that way. Here are the main reasons why online shops become online flops.

This post has been updated to reflect changes in UK consumer law introduced in 2014.

We get asked to fix a lot of online shops and nearly always the complaint is the same: No-one’s buying.

Sometimes no-one’s visiting at all, but often when we look at statistics we can see plenty of visitors but few or no sales.

So why does nobody buy?

The answer lies in a combination of factors, assuming you are selling something people want to buy in the first place.

Computer keyboard and credit card
Get it right and the card will come out

Trust and credibility

These days the average web user is afraid of online fraud and needs reassurance. First of all they need to know who you are: They need your address.

It’s surprising how many shops ignore this basic rule but it’s more important than that – it’s the law in the UK.

If you are UK based and selling online, the Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations 2014 apply to you. These replace the Consumer Protection (Distance Selling) Regulations 2000, and they are tougher.

Put simply, the regulations make up for the fact that online shop customers can’t inspect your products in person. But they are also a good framework for building a shop that people will trust.

Broadly, this means your shop should:

  • Provide clear information about the supplier, the goods or services and the sale in writing
  • Give shoppers the right to 14 working days in which to change their minds and return the product (though there are some exceptions)
  • Be totally clear on everything, from delivery charges and dates to any other charges you may make
  • Provide protection from credit card fraud.

By covering this you are answering questions potential buyers are bound to have, such as:

  • When will I receive my goods?
  • What if they are not the right size or otherwise unsuitable?
  • Am I safe giving my financial information to this shop?

If you are transparent about who you are and provide clear information about delivery, returns and how to contact you then that all helps to build trust. Oh, and it’s mandatory now, though many online shop owners don’t seem to know this.

Of course, the product descriptions must not be misleading!

Another big aspect of trust is the safety in numbers principle – that the shopper will feel safer buying if they know others are. This is sometimes called social proof.

You can help in this way by encouraging customers to review their purchases or write testimonials – but if your shop has a review facility and nobody has reviewed anything then this can have the opposite effect, and draw attention to your lack of customers.

To make this work you will need to give people an incentive to leave reviews or link to you on social media. More about the importance of trust and websites.

Poor promotion and management

Getting the shop right is only part of the job. To get people to buy from you you need to get them to your site.

This means you need to promote your site, whether offline through promotional leaflets and flyers, or online through methods like social media.

Who to target depends on what you sell, just like every shop needs to plan for how to get the visitors and the customers.

But once you have got the customers you need to be able to look after them and that means having the systems in place to staff the shop – answer questions, get the products to the customers and deal with any issues. These things don’t happen by themselves.

In the end your shop is a part of your business, just the same as any other part, and as such it will require some time and effort to run it.

Your shop is hard to use – or doesn’t work at all

If you build a shop, you MUST test it. It’s amazing how many times this is forgotten.

That means doing a test purchase to make sure everything works as it should and that you and the customer will get the right email notifications.

You should also test the contact form to make sure it sends email to the right place. We’ve seen a fair few shops where email enquiries disappear into a black hole – along with potential customers.

Nothing puts customers off faster than a shop that doesn’t work properly – and that includes broken links.

Nothing except a shop that’s hard to use.

Getting around

Shops are generally big sites, which means it should be as easy as possible to find what you want. Navigation should be clear, simple and consistent and the search should be effective (often it’s not but nobody tests it).

Checkout and payment

Your customer has decided to buy and so you have to make it as easy as possible for them.

The best shops have a single page checkout where customers enter their details, review their shopping cart and proceed to payment: The worst have three or four pages to wade through, and won’t let you buy unless you set up an account first.

You also need to think about how people want to pay and give them as many options as you can.

Payment by cheque only, for example, is likely to lose you customers – who needs to wait for a cheque to clear before they can have their goods when they bought online in the first place to save time?

If you do nothing else, at least set up payment by PayPal as it is a trusted brand for online payments and offers some protection – and therefore more trust in your shop.

Other online shop ‘fails’

  • Text that’s too small to read
  • Product images that are too small and/or low quality
  • Not enough information about the products
  • Not focusing on the products – it’s a shop so the products must be front and centre
  • Being so clever or gimmicky that customers can’t use your site

More information:

Jeff Bullas blog: 12 Reasons I won’t buy from your website

The Floating Frog: 13 Reasons why your online shop will fail

E-Commerce Rules: Top 5 reasons Why your online shop will fail

The UK Department for Business Innovation and Skills: Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations (PDF format)

E-Consultancy: Why does customer service suck online?

Photo credit: Fosforix via photopin cc

Update your WordPress now!


Have you updated your WordPress website yet? If not you need to do it now.

Last week a new version was launched – we’re now on WordPress 3.5.2 – and it’s a maintenance and security release. This version is plugging seven security holes that exist in all previous versions of WordPress, so this is not an update you can ignore.


It’s also making other security improvements to keep ahead of the hackers who like to try and take over your WordPress website, bring it down or the other things hackers do.

Why do I have to update WordPress?

Here at Moghill Towers we’re often going on about how if you have WordPress you must keep its software up to date – not just the core WordPress software but also any plug-ins you are using for extra things like forms or online shops.

Why? Because of the sheer number of business websites we see that are using out of date (and therefore vulnerable) versions of WordPress. Not just WordPress but another piece of free software that is often left to go out of date and become vulnerable: Joomla.

And why is this happening? It’s usually not the fault of the business concerned, more that the business has been badly advised by whoever built their website.

Some website companies are happy to just sell businesses a website on a free software platform like WordPress without warning them that it needs to be maintained. Some web designers don’t even realise that updates are necessary.

But that’s like buying a car you never have to service: It would be a nice idea but it doesn’t really happen in the real world.

Hacking danger

WordPress in particular is the most popular software for building websites in the world. It’s free at the point of use, can be extended to do whatever you want it to and made to look however you want it to.

We make no secret that we love WordPress and what it can do. We even like its cousin Joomla, too, which is also free but not as versatile.

But that popularity means it’s attractive to hackers, and that means you must keep it up to date. Only in April there was a massive automated attack on WordPress websites around the world. If you were clued up on your security you were okay, but many sites fell victim.

The end result of not updating WordPress is your company website gets hacked, and even if the reputation of your business is not damaged, you have to spend a lot of time restoring what you had, or re-building it completely.

And don’t think it doesn’t happen – in the last few weeks alone we have helped a couple of companies update and secure vulnerable web software that had been hacked.

That’s why we’ve taken it upon ourselves to spread the word and raise awareness of the problem.

Let us help with Your WordPress site

We keep the website software of all our customers up to date – WordPress and plug ins in particular – as part of our managed hosting package. Our sites were updated to WordPress 3.5.2 this morning.

We also offer a service where we can bring your WordPress software up to date for you if you don’t host your site with us – and we can also update Joomla websites to the latest version.

If you need help with updating your WordPress site then contact us for a chat.

Further information

WordPress website attacks hot up

Is Hacker Barbie responsible for the attacks?

As I write this, hosting companies all over the world are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.

Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.

How are the attacks happening?

Basically, the attacks are being conducted by an army of computers infected by a virus, known as a botnet.

They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.

The botnet is also cycling through various obvious usernames, but most of all trying the default ‘admin’ username.


This is called a brute force login attack, and an estimated 90,000 IP addresses are involved.

What they will do if and when they actually get in to websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.

But a by-product is that this attack is slowing down websites all over the world, whether or not they use WordPress. Most websites are on shared hosting and, with WordPress the most popular content management system in the world, most websites are bound to be sharing a server with WordPress sites.

The repeated attacks basically cause everything to slow down.
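To show why a per-address login limit sees so little of an attack spread over many IP addresses, here is an added example (not part of the original post or of any plugin) that counts POSTs to wp-login.php in a web server access log two ways: per address, and across all addresses in a sliding window. The log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common/combined access log format: ip - - [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def login_attempts(lines):
    """Keep only POSTs to wp-login.php, sorted by time."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            events.append(rec)
    return sorted(events, key=lambda r: r[1])


def per_ip_offenders(events, threshold):
    """What a per-address limiter sees: addresses with >= threshold attempts."""
    counts = Counter(ip for ip, *_ in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_burst(events, window, min_attempts, min_ips):
    """Slide a time window over attempts from ALL addresses.

    Returns (start, end, attempts, distinct_ips) for the first window that
    reaches both thresholds, or None if no window does.
    """
    win = deque()
    for ev in events:
        win.append(ev)
        while ev[1] - win[0][1] > window:
            win.popleft()
        ips = {e[0] for e in win}
        if len(win) >= min_attempts and len(ips) >= min_ips:
            return win[0][1], ev[1], len(win), len(ips)
    return None


def constructed_log():
    """Constructed sample, not real traffic.

    One ordinary admin login, then 60 documentation-range addresses that each
    try wp-login.php twice, one attempt every two seconds.
    """
    base = datetime(2013, 4, 12, 14, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" {status} 1234 "-" "-"'

    def row(ip, when, req, status):
        stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=stamp, req=req, status=status)

    lines = [
        row("192.0.2.10", base - timedelta(minutes=10), "POST /wp-login.php", 302),
        row("192.0.2.10", base - timedelta(minutes=9), "GET /wp-admin/", 200),
    ]
    for i in range(120):
        ip = f"198.51.100.{i % 60 + 1}"
        lines.append(row(ip, base + timedelta(seconds=2 * i), "POST /wp-login.php", 200))
    return lines


if __name__ == "__main__":
    events = login_attempts(constructed_log())
    # Illustrative thresholds (assumptions): 5 tries per address, or
    # 20 tries from 15 or more addresses inside one minute.
    print("flagged per address:", per_ip_offenders(events, threshold=5))
    burst = distributed_burst(events, timedelta(seconds=60), 20, 15)
    if burst:
        start, end, attempts, ips = burst
        print(f"distributed burst: {attempts} attempts from {ips} addresses "
              f"between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

On the constructed log no single address reaches the per-address threshold, while the window across all addresses trips within the first minute.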

Moghill customers

If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.

This is an extra layer of security placed by our hosting company.

The box says: “A username and password are being requested by http://www.your-site.co.uk. The site says: ‘Automatic Protection’”. It now gives the username and password you need.

For current status visit our system status page. Once you have entered these details you can log in as you normally would.

If you have access to the admin area of your site make sure you have a secure password.

Minimum password recommendations:

  • At least 8 characters total
  • Mixture of upper and lower-case letters
  • Numbers and special characters, such as punctuation or other non-alphanumeric characters

Example weak password:
password1

Improved strong password:
Z#ggghuZ2M4!Z

In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.

Is WordPress not secure?

WordPress is fine but this attack tries to exploit the weakest link in any security system: The human factor.

If your site has a secure username and password then it will not fall victim to this attack. We never use the default ‘admin’ account in WordPress, and delete it where we come across it in WordPress installs done by anyone else.

The rest is down to our hosting company, who have added the extra layer of security to prevent unauthorised access to the login pages in the first place and are making sure all our sites stay live.

WordPress is popular, and therefore it is a target for attacks like this. That’s why it is vitally important that you keep your WordPress version and any plugins up to date.

The problem is not confined to WordPress as there are literally millions of Joomla websites on out of date versions that are just waiting to be hacked, too.

More information

Sucuri.net: Mass WordPress Brute Force Attacks? Myth or Reality?

Silicon Republic: Major brute force attack against WordPress Under Way (Note: The Limit Login plugin suggested will not prevent these attacks because they come from multiple IP addresses).

Matt Mullenweg (WordPress co-founder): Passwords and brute force

Photo credit: nic221 via photopin cc

Never say ‘Click here’ on your website

Never say Click Here. There are lots of better ways to say 'this is a link'

Whatever you do when writing links or anything on a web page, don’t ever, EVER use the words ‘Click here’.

The phrase has been around as long as people have been building web pages. And for as long as people have been using click here as link text, usability experts have been tearing their hair out telling people not to.

Link text says click here
Click here. And for added annoyance, it’s in block capitals too.

Why? Well it should be obvious, but then everything about creating user friendly websites is obvious once it’s pointed out to you.

So let’s look at some really good reasons why you should never use the dreaded phrase click here.

It’s patronising

You don’t see posters inviting you to ‘read here’ – you just read them. A bottle of beer doesn’t have the instructions ‘drink here’ on it either.

If you have to give instructions then your site is not user friendly. It should be obvious that the text in question is linked up so there’s no need to add pointless instructions.

Remember: Instructional text must die (©Steve Krug).

It’s not user friendly

Website visitors – or users – do not sit and read every word on a website. They skim, eyes darting all over the page, looking for something that matches their goal. For many this means skimming from link to link.

After all a link is a gateway to another page and the text that is linked up should really give people an idea of what they can expect if they follow that link.

Click here is mystery meat navigation – like a cheap burger, you have no idea of what you are going to get.

Websites should make things easy for people to use them. Click here inevitably assumes some knowledge on the part of the website visitor – as if they are supposed to know why they should click here. Which is annoying.

It’s no good for disabled people

Plenty of people using the web are disabled and many of them use assistive technologies to help them. These may, for example, just read the links on a page, and if your page is full of links that just say click here or even here then how are they supposed to tell where the links will take them?

It’s good practice to make web pages accessible for disabled people, especially since the first step to accessibility is making sure your site is user friendly.

It’s a common courtesy.

It assumes that people are using a mouse

Maybe a bit pedantic on the face of it, but many of the people visiting your website may be using phones and therefore won’t be clicking at all.

And back to the accessibility argument, some disabled web users do not use a mouse either.

Advert saying click here
Why say Click Here once if you can say it twice? And why does the guy on the right have two phones?

If you use it once, the chances are you will use it a lot

Like all bad habits it’s easy to get into doing, and once you start you can’t stop doing it.

If you use click here once, the chances are you use it a lot.

It becomes a sort of lazy shorthand for saying: This is a link, folks, please use it.

A little thought goes a long way and makes things easier for the people using your website.

The easier you make it for them, the more likely they are to stick around long enough to buy from you.

The more thoughtful you are for your visitors, the less effort they have to put in to use your site because it’s intuitive.

Click here makes things that little bit harder. And quite annoying.

There is always, ALWAYS a better choice of words than click here.

Try using active words instead and you will find that your links are worded much better and more direct – and where websites are concerned, direct is good.

So instead of click here to find out more about us, try find out more about us.

Actually, the more you think about your link text, the more you realise you are much better off without using click here.

It makes things much more long winded than they need to be, and you need to be short and to the point.

It’s bad for SEO

I’m not going to carp on and on about this but Google likes user friendly websites and that means sites that are easy to get around.

If the links on your site, especially the links within it that people use to get from one page to another, are clearly marked you get points for that. Just so long as you don’t overdo it because that’s annoying too.

What you should do – in a nutshell

Explain what users will find at the other end of the link, and do it in plain English and without jargon.

Be short and to the point.

More information

UX for the masses:  The curse of ‘click here’

Nielsen Norman Group: Top ten web design mistakes of 2005

UX Movement: Why your links should never say “click here”

More Website Sins

Things to avoid saying and doing on your business website.

  1. Never say ‘Click Here’
  2. Don’t use ‘Under Construction’ pages
  3. Why you don’t need an FAQ page
  4. Why pop-up light boxes are a bad idea

photo credit: nsfmc via photopin cc

Shropshire Tree Services – Business website


The Project

Shropshire Tree Services has more than 25 years’ experience of providing professional tree surgery services in Shropshire, Wales and Cheshire.

The company chose Moghill to build its new website after speaking to us and several local and national web providers about their aims for the site and what they wanted it to achieve for the business.


The aim of the project was to create a website that will build awareness of the company and its services,  win new customers and make it easy for potential customers to get in touch.

What Moghill did

We got to know and understand the business and its services from the point of view of what customers would need to know, and offered the company straightforward advice in plain English.

Therefore we emphasised the company’s professionalism, experience and expertise and boiled down its services into easy to understand sections based on what potential customers may search the web for.

We were greatly helped by a large stock of photographs the company had taken during various projects, from which we chose the best to help illustrate how the company handles difficult projects, such as felling a large tree in sections, or completely removing a tree stump.

With a lot of other tree surgery sites in the Shropshire area we have built the site to perform well against the competition in web searches.

The site is to be a standard desktop website without a mobile version but still viewable on a phone. We have also provided email services, taking on an existing account, and two other domain names which now point at the new site.

View the website: www.shropshiretrees.co.uk

What the customer said

Gareth Stephens of Shropshire Tree Services said: “Moghill were not the first company we approached to build our website,  I only wish they had been.

“The service we have received has been first class from the first meeting to the point where the website was ready to go live.

“The professional approach of both Pat and Fiona has been superb! They made us feel that our website was as important to them as it is to us.

“Communication has been excellent throughout the process and nothing has been too much trouble.  There are many pitfalls when choosing a web design company and many companies will promise you the earth.

“Moghill have offered the benefit of their technological knowledge and expertise to build our website and I would not hesitate in recommending them.  Their straightforward and hassle free approach made the process of getting a website up and running stress free.”


Using an early version of Joomla? Best think again before you get hacked


Joomla is one of the most popular free content management systems in the world – but it has its drawbacks as a lot of people with Joomla sites are finding out right now in the cruellest way.

Thousands of owners of Joomla websites are waking up each day to find that their site has been taken down by their hosting companies, or replaced with what’s called a bragging message.

Hacked Joomla 1.5 site
This charming fella is what hackers are placing over the homepage on vulnerable Joomla 1.5 sites. If you’re really unlucky you get music, too.

Typically it’s this:

Hackeado por HighTech Brazil HackTeam

NoOne – CrazyDuck – Otrasher – L34NDR0

But if you’re really unlucky you get the nasty character in the picture and some hard rock tunes, or the clown who appears further down the page.

Here’s a report on the start of the hacking attack in early January, although it’s still going strong now.

So why are Joomla sites getting hacked?

The main reason why hackers are attacking Joomla sites is because they can. Where there is a vulnerability they will exploit it.

The current hacks seem to be coming from one group claiming an affiliation with LulzSec, who usually attack big business websites.

But practically anyone can hack a Joomla site: There are plenty of videos giving full instructions on YouTube.

The attacks are mainly confined to sites running the early versions of Joomla, 1.0 and 1.5. The later versions, 2.5 and 3.0, appear unaffected. Two experimental versions, Joomla 1.6 and 1.7, are also vulnerable.

Joomla is created by a community of developers who work together to create this system, but from the end of last year that community stopped supporting the early versions and urged site owners to upgrade.

The problem is it’s hard to upgrade. WordPress can (usually) be upgraded with a click of a button and the same is true of later versions of Joomla, but not the early versions. Upgrading those involves a migration, which can be a long and involved (and geeky) process.

Essentially it means building the site all over again.

Hacked Joomla 1.5 site
Another example of a hacked Joomla site.

And to make things worse, many web companies have been knocking out cheap Joomla websites for years with no provision for upgrading when the software is no longer supported.

Not just that, we know of several companies who were still building sites in Joomla 1.5 last year, when they should have been aware that support for the software would soon end.

These factors mean many site owners are sticking with their old versions of Joomla – and these are the ones who are getting hacked.

How is it happening?

At present the hackers seem to be targeting one particular Joomla add-on (or extension) called JCE editor, which is present in most Joomla installs as standard. The security hole was sealed last year, but the problem is that early versions of Joomla do not warn you about out-of-date extensions.

So if you have Joomla 1.0 or 1.5 and JCE installed, check you have the latest version. You can download the latest version of JCE Editor here.

Ashamed to say it, but we were caught out by this when one of our Joomla 1.5 websites was hacked in this way a few weeks ago. It took a whole day to clean the site up and get it live again, then close the security hole.


Thankfully it was not a customer site and we closed the same hole in all our other Joomla 1.5 sites and began migrating them so it does not happen to us again.

By the end of March we will not have any sites left in Joomla 1.5.

Why? Because this is likely to be the tip of the iceberg and more hacking attacks will come as more security holes are discovered.

The Joomla community no longer supports early versions so nothing will be done to stop the security holes. It’s called End of Life for a reason.

Joomla 1.0 or 1.5 site? Start planning now

So if you have a Joomla 1.0 or 1.5 site, our advice is you need to start planning either migrating it to a later version or into another content management system, such as WordPress.

It’s not the end of the world and early versions of Joomla may stay stable for years, but why take the risk?

Our hosting company, Heart Internet, is advising all owners of Joomla 1.x sites to upgrade as soon as possible and they aren’t the only ones.

Knowledge Republic has been documenting the stream of hackings for some time: Case Study on: www.pa.gov.sg being hacked by HighTech Brazil HackTeam. This also covers vulnerable WordPress installs, which we’ve talked about before.

There’s also an interesting article from a Canadian IT Company suggesting Joomla 1.5 is already not secure. This article from an Australian hosting company explains Joomla 1.5 and end of life.

For an alternative, and slightly less ‘The end is nigh’ view of things, this article from OsTraining weighs up the pros and cons of running outdated software.

How can I tell if my website is vulnerable to hacking?

This is relatively simple.

  1. Go to your website
  2. On a PC, right click on an area of blank space
  3. Select ‘View Source’ or ‘View Page Source’, depending on your browser.

You will see a stream of text but very close to the top you will see the Meta information. In Joomla 1.5 sites it usually says this:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

If this is present you have a vulnerable site. Contact us if you want us to identify whether your site is vulnerable.
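
If you look after several sites, the same check can be done with a short script run over each page’s saved source. This is an added example, not part of the original article: the function name `check_page` and the sample HTML are made up for illustration, and the version lists simply repeat what this article says about each release.

```python
from html.parser import HTMLParser
import re

# Version status exactly as this article states it (assumption: no other
# source consulted). 1.0/1.5/1.6/1.7 are named as vulnerable, 2.5/3.0 as supported.
UNSUPPORTED = {"1.0", "1.5", "1.6", "1.7"}
SUPPORTED = {"2.5", "3.0"}

# Constructed sample page source, using the tag quoted in the article.
SAMPLE = ('<html><head><meta name="generator" '
          'content="Joomla! 1.5 - Open Source Content Management" /></head></html>')


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.generators.append(attr.get("content", "").strip())


def check_page(html):
    """Return (status, generator_string) for one page's HTML source."""
    # Source copied through a word processor may carry curly quotes.
    html = html.translate({0x201C: '"', 0x201D: '"'})
    finder = GeneratorFinder()
    finder.feed(html)
    for gen in finder.generators:
        if "joomla" not in gen.lower():
            continue
        m = re.search(r"(\d+\.\d+)", gen)
        version = m.group(1) if m else None
        if version in UNSUPPORTED:
            return ("unsupported", gen)
        if version in SUPPORTED:
            return ("supported", gen)
        return ("joomla-version-unknown", gen)
    # No Joomla generator tag found; the tag can be removed or changed.
    return ("no-joomla-generator", None)


if __name__ == "__main__":
    print(check_page(SAMPLE))
```

A missing or versionless generator tag does not prove a site is safe, because templates can remove or alter it, so confirm the version in the site’s administrator area as well.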

Got a Joomla site? We can help

If you’re one of those affected by this then we can help you weigh up what to do and plan for the future.

Contact us for a no obligation talk through the options. Whatever you decide to do, do something.

If you have a later Joomla site (version 2.5 or 3.0) there’s no need to do anything, as both are actively supported and will continue to be until at least 2014. They are also far easier to upgrade.