In the expansive domain of WordPress, a critical security flaw has been unveiled within the widely-utilized All-in-One SEO plugin. Known by its identifier, CVE-2024-3368, this vulnerability exposes a concerning loophole that malicious actors can exploit through Stored Cross-Site Scripting (XSS) attacks, jeopardizing the security of numerous websites. The trouble concerns all versions of All-in-One SEO older than 4.6.1.1.
This flaw was unearthed during routine security evaluations, shedding light on a troubling scenario where unauthorized individuals can inject harmful JavaScript code directly into WordPress posts. This unauthorized access allows for the manipulation of administrative privileges, potentially leading to serious repercussions such as website tampering and unauthorized data access.
In response to this alarming revelation, immediate action is crucial. WordPress website owners are strongly advised to promptly update their All-in-One SEO plugin to the latest version, fortified with patches to address this vulnerability. Furthermore, implementing stringent security measures, including regular audits and access controls, is essential to mitigate the risk of exploitation.
Behind the scenes, CleanTalk remains dedicated to safeguarding the WordPress ecosystem. Through vigilant monitoring of plugins and the provision of timely alerts, CleanTalk aims to empower website owners with the necessary tools and knowledge to defend against cyber threats effectively and preserve the integrity of their digital platforms.
We’ve been wanting to make our own branded useful merch for our customers for a while now. For this purpose, we needed a marketplace on which we could place our goods, as well as deliver them to customers. No wonder we chose Amazon. In this article, we’d like to share our experience in launching our giftware sales and hopefully help those who are just thinking about how to start selling on Amazon.
Step 1: Finding the Right Products to Sell
One of the most important factors in determining your success on Amazon is finding the right products to sell. If you go to https://www.amazon.com/bestsellers you will see lots of products, that are sold way more often than others. Here you need to research products that sell well to find the ones, you like best or what you would be more comfortable branding.
We have chosen the water bottle category for us for several reasons:
It’s a product for everyday use.
It promotes the healthy habit of drinking enough water every day.
These bottles look great and it will be convenient to put a logo on one.
After choosing the right category and product you will need a product that you can buy as cheaply as possible, apply your logo, and sell at the average market price or higher. To find such a product we went to alibaba.com. It was difficult to find the same item as we wanted, but we were able to find the most similar one and contacted the seller to find out the details.
The good news was that for orders of 50 pieces or more, the seller would put the logo on the items for free. All we had to do was send the logo to the seller and a day later we received a photo of a bottle with the logo already applied.
To make sure of good quality goods and quality logo application we ordered delivery of 1 item.
Despite the $38 shipping cost on a $10 order, it was the right decision. Because after a week we received the product and after that, we were absolutely sure that the product would be a pleasure to use. So we ordered a full batch of 50 water bottles.
Step 2: Setting Up Your Amazon Seller Account
First, you need to choose a seller account type. There are two types of seller accounts:
Individual accounts are free but you are charged $0.99 per sale.
Professional accounts cost $39.99 per month, no matter how many items you sell.
We weren’t sure at what rate the items would sell, so we chose an individual account.
After that, you will access your Amazon Dashboard. Once you have connected your payment card and added your brand information, you are ready to add your product to Amazon.
Step 3: Adding a product and setting up a fulfillment plan
ASIN is an Amazon Standard Identification Number, which is the unique combination of 10 letters and/or numbers that is given to your product by Amazon. ISBN is an International Standard Book Numbers, which are unique identifiers for commercial books with a barcode. UPC or Universal Product Codes, is a unique 12-digit code assigned to retail packaging to help identify products in the US. EAN or European Article Numbers is simply a European version of UPC. It consists of 12- or 13-digit numbers for product identification.
If your product is unique like ours, select “I’m adding a product not sold on Amazon”. In this case, Amazon will assign an ASIN to your product, which will become your product’s primary identifier.
After that, you need to fill in all the information about the product in as much detail as possible. Here’s how it looked for us in the end.
And since Amazon’s interface doesn’t explain what and where it is, we’ve prepared a hint for you.
Title 200 characters max, capitalize the first letter of every word
Images 500 x 500 or 1,000 x 1,000 pixels to increase listing quality
Variations Such as different colors, scents, or sizes
Bullet points Short, descriptive sentences highlighting key features and benefits
Featured offer (“Buy Box”) The featured offer on a detail page. Customers can add to their cart or “Buy Now”
Other offers The same product sold by multiple sellers offering a different price, shipping options, etc.
Description Keywords improve the chances that people will find your listing
Once your item is added you need to decide how you will package and ship your items. Amazon has 2 solutions for this:
You can fulfill orders yourself, maintaining your own inventory and shipping products directly to customers. We call this merchant-fulfilled shipping (MFN).
You can send your inventory to Amazon and have us pick, pack, and deliver products through Fulfillment by Amazon (FBA). FBA also takes care of customer service and returns.
We chose the second option because we wanted to delegate this issue to experienced professionals to minimize the possibility of mistakes.
Fulfillment by Amazon (FBA)
We would like to talk about this option separately, as it has both pros and cons.
Pros
free shipping for your customers;
lower operating costs;
no need to contend with client inquiries;
Cons
laborious product preparation requirements;
potentially costly charges;
long-term storage fees;
complex sales tax;
Long story short, FBA is definitely not a cheap option and can make it difficult to justify the expense. But if you want to save your time it is really great.
Step 4: Driving traffic to the product
When you want to increase your sales in a marketplace you shouldn’t just rely on people finding your product on their own and choosing it because of its quality-to-cost ratio. Because there are indeed a lot of products on Amazon. This is especially true for products about a brand that, few people know about.
In this case, you need to take care of additional sources of traffic and a good option could be your website or online store, where people are familiar with your brand.
We have placed several banners on our blog and on our clients’ dashboards. This is roughly what it looked like.
Statistics on traffic sources and purchases are not available on the individual tariff, so we can’t say for sure what share of sales these banners brought, but we assume that not less than a half, taking into account the fact that the main products of our company and the brand itself for a fairly narrow audience.
Step 5: Keep track of your orders and adjust the price
In case you’ve enabled the FBA option, the only thing you’ll have to do is keep an eye on the status of your orders and how Amazon does everything itself.
Also, we recommend you collect sales statistics for a certain period and try to increase or decrease the cost of the product and track the impact of the cost on the number of sales as it can help you optimize your costs and increase your profits.
We wish you great sales!
It is difficult to fit all of our experiences into this article, but we have tried to mention the most important issues that we had to deal with ourselves.
We welcome questions in the comments and will be happy to share more specifics to help you save time and money.
Securing your WordPress website is a critical aspect of website maintenance. In this article, we will explore how using the “Send additional HTTP headers” option from CleanTalk can help bolster your site’s security. We’ll delve into three crucial HTTP headers: “X-Content-Type-Options,” “X-XSS-Protection,” and “Strict-Transport-Security.” We will understand how they work and the benefits they bring to your site’s security.
1. Header “X-Content-Type-Options”
What Is It?
The “X-Content-Type-Options” header is a mechanism designed to prevent certain types of attacks related to file types on your site.
How Does It Work?
This header, with the “nosniff” parameter, instructs the browser to strictly adhere to the Content-Type specified in the header. If the browser detects a mismatch between the actual file type and the one specified in the header, it can block script execution and prevent the download of potentially malicious files.
Benefits for Your Site
Setting the “X-Content-Type-Options” header with the “nosniff” parameter helps prevent attacks such as MIME-type attacks and drive-by downloads, safeguarding your users from potentially harmful files.
2. Header “X-XSS-Protection”
What Is It?
The “X-XSS-Protection” header is designed to combat cross-site scripting (XSS) attacks.
How Does It Work?
This header enables built-in protection against XSS in modern browsers. If the browser detects a potentially malicious script on a page, it can automatically prevent its execution.
Benefits for Your Site
The “X-XSS-Protection” header helps protect your site and users from XSS attacks by preventing the injection of malicious scripts, thus keeping data secure.
3. Header “Strict-Transport-Security”
What Is It?
The “Strict-Transport-Security” (HSTS) header ensures your site’s data is secure during transmission.
How Does It Work?
HSTS requires the browser to establish only secure (HTTPS) connections with your site, even if a user attempts to connect via insecure HTTP. This prevents attacks related to data interception.
Benefits for Your Site
Utilizing the “Strict-Transport-Security” header helps ensure the security of your site’s data and protects users from potential attacks associated with data interception.
Conclusion
Configuring HTTP headers on your WordPress site using the “Send additional HTTP headers” option from CleanTalk can significantly enhance your site’s security. The “X-Content-Type-Options,” “X-XSS-Protection,” and “Strict-Transport-Security” headers provide robust protection mechanisms against various types of attacks. Remember to stay updated and regularly assess your site’s security to ensure reliability and protection for your users.
If you are seeking solutions to enable security headers and safeguard your website, look no further than Security by CleanTalk. Elevate your WordPress security effortlessly with these essential headers by choosing Security by CleanTalk.
We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.
What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.
What Has Been Done to Find Out the Source of the Hack
The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.
The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).
saving nginx «access.log» on the date of the detected hack
saving nginx «error.log» on the date of the detected hack
saving nginx «syslog» on the date of the detected hack
Input data:
logs «access.log» (200 MB) «error.log» (47 MB)
website files
The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».
To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.
The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.
Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?
Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme
Furthermore,
the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u and in the end a number of malicious files was created which were started being called;
a set of files «.htaccess» was created and modified specifically for the Apache-like webserver to allow executing files;
the file «index.php» was modified, added obfuscated malicious code;
the file «plugins.php» was modified, added obfuscated malicious code;
the file «pluggable.php» was modified, added obfuscated malicious code;
there were some eval constructions in the files, and parsing them was impossible.
It’s also impossible to know the origin of the folder /wp-content/themes/seotheme and the files in it, the reason is self-deletion of the malware results.
How to prevent future hacks:
constant monitoring of the website files for any new unknown files in the system,
aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
CleanTalk Traffic Control monitors each request from any IP address and if the number of requests exceeds the limit in a certain time period then this IP address will be temporarily blocked and it wouldn’t be able to access your website at all.
For instance, if an IP address sends requests to your website with a frequency of 1000 requests per 1 hour, such activity will definitely be blocked for 1 hour.
You can adjust the settings of Traffic Control as you want and as you find appropriate. To do that, go to your WP Dashboard → Settings → Security by CleanTalk → General Setting → Firewall.
Time frame to measure page hits – here you can set a time period which will be taken to calculate the number of requests of your visitors.
Block a visitor if the count of the opened pages in the time frame more than – here you can set your limit of requests after exceeding which any IP address will be blocked.
Block a visitor if they exceed the limit of opened pages for X minutes – this option is meant for setting a time period a blocked IP address will be put in.
Ignore logged-in users – tick this option to ignore all requests going from your logged-in users.
Also, on the tab Firewall, you can see all IP addresses that are visiting your website right now.
What are DDoS and DoS?
These are types of attacks on a website when a lot of requests are being sent. If the number of requests is quite high then it will result in problems with the website functioning.
The difference between DDoS and DoS consists of that DDoS has a distributed attack, meaning it is executed from many IP addresses, while DoS has just one or a few IP addresses.
Why DDoS and DoS might be dangerous to a website
Such types of attacks is based on the fact that a webserver has to process each request, thus running all website page scripts, loading all pictures, and so on spending its resources. As a result, the website will function slower or start giving an error on attempts of visiting any page. The second trouble is in a high volume of your website traffic, in some cases, it may lead to unexpected expenses or a warning from your hosting provider.
It’s unwise to underestimate the dangers of such types of attacks and spend your time forbidding IP addresses manually, it’s more efficient to give this task to the automated tools.
Now you can buy our merch on Amazon. The water bottle with multiple lids is already available to order. So, be sure to protect your website from spam and drink at least 1.5 liters of water a day 😏
By the way, what other merch would you like to see? Let us know in the comments.
Some people do daily reports to account for their time at work, some are proud to share their progress, and for some, it’s nothing more than an obligation. The reasons may vary, but the important thing is that it should work for you.
For us at СleanTalk daily reports are a full-fledged communication channel, so each employee sends their daily report with the current day’s results and the next day’s plans to the whole team at once (we use Gmail + Google Groups for this). Yes, each employee gets about 20 report emails at the end of the day but it really helps to save time. Let us share with you how it works.
1. Your report is opened by someone interested in it
There’s nothing worse than wasting time on a report that isn’t useful. In a normal “vertical” reporting system, you and your colleagues end the work day by sending reports and plans for the next day to your team leader, and it’s nice if they have enough time to read and make sense of them. Also, it will be a great success if they are able to give feedback on them. With this system, the synchronization of the team members’ work lays entirely on the team leader’s shoulders who further distributes and monitors the tasks.
With a horizontal reporting system (like ours), all reports end up in the same mailing list group in Google Groups. When employees work on the same product, they often know the details better than their team leader, that is what exact task should be paid the most attention to and whose attention should be prioritized higher based on their previous experience.
2. You can adjust the plan of action better or correct a mistake in advance
For example, when one team has to start doing a new part of the project, and the other team has not yet finished the required previous part. In this case, it will become visible in the reports and the workflow can be adjusted. That is, some of the issues can be solved at the planning stage before the actual implementation.
If an error in the workflow could not be avoided, the earlier it is detected the less time it will take to fix it. For example, a backend developer can notice a possible error in the work of a frontend developer in advance and notify them. That will help in fixing the mistake quickly and time will be saved.
3. This is a full-fledged communication channel on par with audio and video conferences
In our team, on average, at least one dialog appears out of 20 reports, this happens almost every day. Part of our time is saved because the employee is not waiting for a scheduled online meeting to discuss a particular issue. Such reports are great for non-urgent tasks scheduled for the current day. However, if the task is urgent and needs to be solved quicker, an audio or video conference is more effective.
4. Possibility of retrospective analysis
You can always examine the history of reports on a particular task and evaluate what went wrong and what could have been done differently. Sometimes this may seem like a waste of time, but it helps to avoid such mistakes and save time in the future.
5. The openness of information and team building
When we say your report is seen by the whole team, it literally is without exclusions. This applies primarily to team leaders and CEOs. It’s always essential for employees to know what the company founder or their top manager is contributing to the product. Such a team leader will always earn more respect from their colleagues. Besides, when everyone sees each other’s contribution it is very important for team building and a cohesive team will probably show better results in the same amount of time than any other team.
We hope this article helps start-up companies in saving valuable time. We were a small company once, we invented and tested various approaches to organizing reports and competent time management. Some of the techniques didn’t work for us, but we’ve been practicing this approach to organizing reports for a long time and are happy that it helps our employees save more time for their families and hobbies.
We want to share our experience on how we handle feedback from our clients. Here are some of our rules helping us to get great feedback about the quality of our tech support:
Speed of response to a client request.
The faster you respond to your client’s question the more satisfaction your client will get from working with you. Even if you use auto-replies when your client creates a ticket and inform that you will reply within 24 hours, it will be a depressing factor as the client is already potentially expected to wait for your reply in 24 hours. You have to reply within 1, maximum 2 hours. At CleanTalk we stick to the rule that 80% of all replies must be given within 1 hour since the creation of a question and since the previous client reply, moreover, we manage to get it done about 20-30 minutes faster. Such speed of replies is very motivating for clients and we get feedback that our support team is one of the fastest they have worked with.
Accessible and clear information.
Provide your client with a clear and accessible description of how the issue should be resolved. If the client is required to perform some actions from their side then do the following: – describe a detailed and step-by-step order of such actions; – provide a screenshot, mark the needed area of the interface and what actions are needed to be done; – provide your client with a link to the necessary interface or guide, this way your client will not have to search for the necessary pages themselves. These steps are needed so the client does not have to ask you again how to do a particular action that you were asking earlier, which ultimately reduce the time it takes to resolve the issue and the number of responses per request. On average, we get 3.33 responses per request.
Deadlines of solving the issues must be met.
If you can not solve the issue immediately and you require some help from your colleagues such as your programmer, then give a realistic date when you will respond to the client. Do not give unrealistic deadlines to avoid rescheduling. If for objective reasons you will not meet the deadline then inform the client about it and give them a new deadline. You should keep track of the deadlines and not let the issue be continually postponed because of the workload of other employees. Establish smooth cooperation between departments, there should not be any delays on any stage of the problem solving process. In our company in each department (Web Developers, Client-Side Developers, Server-Side Developers) there is an employee who is solving client issues that came from the technical support.
If the question is complex and requires more time to find a solution/answer and you can not immediately give your answer in an hour, tell the client about it right away. Write how much time you’ll need for troubleshooting the question and prepare your answer. For example, “I’m sorry, it will take longer than usual to investigate your issue and I will be able to give you a detailed answer in 4 hours”.
Provide your support staff with all details they need.
Your employees should not spend their time searching for information about the client. Analyze how the workflow of your employees is made, note the most frequent and time-consuming activities and try to automate them so that these activities would be performed with a single button.
Offer a bonus for your mistakes.
If there was a mistake by your fault then offer your client a bonus to compensate their time. It’s a good practice for building loyalty to give some encouraging attention to your clients.
Prepare your reply templates for the same type of questions.
Analyze your client requests. There will always be similar questions and it takes a lot of time if you have to type your similar replies quite often. It is easier to prepare the standard reply templates that can already be edited depending on the situation. Try not to make such templates look like a machine answer, edit the template in your answer for more human-like communication.
Make sure that the client’s question is resolved.
If the client reached out to you and you gave them a solution, ask the client at the end of your reply if your instructions helped them and if their question has been resolved. It greatly reduces the time it takes to resolve the issue.
We hope, our experience that we shared will help your support team and your clients to get the most useful communication with each other. If you have any thoughts to add, please write them down in the comments.
If you want us to share more of our experience with you – let us know in the comments below and don’t forget to share if you like the post.
Installing the Anti-Spam service by CleanTalk takes about 10 minutes and grants full spam protection for all the forms on your website. It could be a comment form, a registration form, a feedback form, or any other. Just follow the steps below.
Step 1: Make backup copies of your website files and database.
Step 2: Download and unzip the “CleanTalk” folder into your websites’ ROOT folder.
Step 3: Proceed to address (your_website_name/cleantalk/install.php):
Step 5: Enter your email and password and then click the “LOGIN” button to continue with the installation.
At the end of the successful installation, you will see this message
To enter the plugin settings go to (your_website_name/cleantalk/settings.php). Here you can manage the plugin options, see statistics and uninstall the plugin.
How to check that the Anti-Spam already works with your OJS website
Go to any form on your site (e.g. registration form) and type in
You can test the work of Anti-Spam protection by using a test email s @ cleantalk.org (without spaces). Fill in all the required form fields and send a form.
After submitting the form, you will see a block message about the block on the form submission.
That’s it. From now on your Open Journal System website forms are fully protected from spam.
Does your website work correctly right now? Is its loading speed convenient for visitors? Are you sure it is available 24/7 for all your potential customers?
If all your answers are “Yes, sure” then you got our respect. Otherwise, we highly recommend you get control of your website availability and loading speed. Because all of this can greatly affect your website search ranking or lower the number of visitors returned to your website.
As a reminder, here are some reasons for you to start Uptime Monitoring:
Uptime control One of the most important parameters of a website is its reliability and speed, which means a website is available to guests and customers 100% of its work time.
Load speed monitoring Additionally, the service monitors your website load speed. It shows the exact time how long it takes to load each website page.
Real-time statistics The statistics demonstrate changes of data in real-time, so you can identify the time of the heaviest load and see what caused such load in the first place.
Immediate notification 24/7 The service will inform you when your website became unavailable for your visitors, when the access was restored and how much time your website was down.
More stable and faster The more stable and faster your website works the better for the SEO, your visitors and your business growth.
Every-minute checking The Website Uptime Monitoring checks whether your website is accessible or not every minute and it does that from different checkpoints simultaneously.
