Lime Canvas – Web Design and Marketing – https://www.limecanvas.com – Sat, 09 Dec 2017 07:54:32 +0000

Which SSL Cert Should I Use For My Website?
https://www.limecanvas.com/which-ssl-cert-should-i-use-for-my-website/
Tue, 04 Apr 2017 18:17:41 +0000

The post Which SSL Cert Should I Use For My Website? appeared first on Lime Canvas.

Information is everything these days and if you have a website which stores or transmits customer data it is your responsibility to keep that data safe from would-be hackers, cons and the NSA (good luck with the last one!).

Securing your WordPress website is a great first step (read our WordPress Security Best Practices post), but how do you protect the data when it’s being transmitted between your website and the customer or another server?

By default the internet largely sends information in plain-text; that is, unencrypted.  Data being transmitted between computers can easily be intercepted and if it’s not encrypted then Mr Hacker has just hit the jackpot.

Think about how many on-line forms you filled in last week.  Perhaps it was a support form for a product you bought which now isn’t working, or you’re looking for a new house and registered with a property search site.

Surely you do banking and purchase stuff on-line?

How much of your personal and sensitive data are you entering into these forms? Name, DoB, house address, work phone, mobile phone, mother’s maiden name?

You’re a wise one though and always check that the form you’re filling in is secure – you know – that little green padlock in the address bar – yes?

Green padlock = your data is being transmitted securely.

As a website owner, now it’s your turn to make sure that the same confidential data your customers are filling out on your website is transmitted safely and securely to wherever it is going.

Welcome to the wonderful world of SSL certificates.

If you need your website to transmit secure customer data and give your customers the security of knowing that, you’ll need to encrypt it and that is done by installing an SSL certificate on your website.

So, now you know that you need to purchase an SSL certificate (SSL cert) to keep your website data transmissions secure, but which one should you choose?

What Are SSL Certs?

Put simply, an SSL cert is an encryption key that a web server uses to encrypt and decrypt data transmissions to and from other computers.  So rather than plain-text data being transmitted, if any would-be hacker did intercept your website data transmissions it would just look like gobbledegook.  Happy days!

SSL cert is short for Secure Sockets Layer certificate.  SSL certs secure data transmission between your website and a client (another computer) by using the SSL/TLS encryption protocol along with a private and public key which are embedded in the certificate.

Note: the SSL protocol has since been replaced by TLS but the old name has kind of stuck.  In 2014, v3.0 of SSL (introduced in 1996 but still active on servers as a roll-back) was used in the POODLE attacks.

The SSL cert also tells the browser which website it was purchased for and lets the browser verify it.

So if you are visiting limecanvas.com, the SSL cert verifies that the website you are at is really limecanvas.com and not some hacker posing as 1imecanvas.com (did you spot the number 1 in the last domain name?).

SSL certs can be purchased from some Internet Service Providers (ISPs) or specialist security/telco companies and then have to be installed on the server which is hosting your website.

If a certificate is installed on a website server, it is activated by visiting a website page using https:// instead of the regular http:// protocol (the s standing for secure).

Most SSL certificates also come with a warranty value from the issuing company.

This means that if your encrypted data got stolen and the hacker managed to decrypt it, the company which issued your SSL will have to reimburse you up to the value of the warranty associated with the SSL cert.

Pending proof and a likely court case.

But it’s a good insurance to have as you can imagine the horrible outcome to your business that would result in customer data theft, especially if it wasn’t your fault!

The warranty value associated with SSL certificates is a guarantee for the level of encryption that the certificate provides you with, which is usually 256-bit SSL with a 2048-bit signed encryption key pair within the cert.

Huh – 2048 or 256 bits?

The 2048-bit is about the RSA key pair in the cert: RSA keys are mathematical objects which include a big integer, and a “2048-bit key” is a key such that the big integer is larger than 2^2047 but smaller than 2^2048.

The 256-bit is about SSL. In SSL, the server key is used only to transmit a random 256-bit key (that one does not have mathematical structure, it is just a bunch of bits).

The cert encryption process is something like this.  The client generates a random 256-bit key, encrypts it with the server’s RSA public key (the one which is in the server’s certificate and is a “2048-bit key”), and sends the result to the server. The server uses its private RSA key to reverse the operation, and thus obtains the 256-bit key chosen by the client. Afterwards, client and server use the 256-bit key to do symmetric encryption and integrity checks, and RSA is not used any further for that connection.

Breaking the encryption keys in an SSL cert using a brute force attack would require a huge amount of computing power to try and guess all the different combinations – see how long.  The NSA is likely exempt though.

Just like domain names and hosting, SSL certs are certified for a minimum of 1 year and have to be renewed, reissued and reinstalled on the server for each renewal cycle you have chosen to purchase.

So to sum up what an SSL cert does:

  • Encrypts data transmissions to and from your website using https://
  • Assures your visitors that they are indeed on the real site and not a spoof one

Which Type Of SSL Cert To Use

There are generally three types of SSL certs available.

Domain Validation (DV)

These types of certificates are usually the simplest to get and generally the cheapest.  They provide an SSL cert for a single domain such as www.example.com.

Note: if you also need an SSL cert to cover multiple subdomains such as host1.example.com and apps.example.com you will likely need to look at getting a wildcard SSL cert.

A Domain Validation SSL certificate is usually issued after proof of domain ownership has been demonstrated.

The SSL issuing company, often known as the Certificate Authority (CA), will usually send an email to the administrative address stored in the WHOIS record of the domain.

Once the domain owner responds to the CA email, the SSL cert is usually issued there and then – this is largely an automated process.

In this case, when the SSL cert is installed and being used the web browser will show a padlock but won’t show the company name as this has not been checked and validated.

The Lime Canvas website runs on a DV SSL cert and shows the green padlock but not the Lime Canvas name in the green bar.  You have to click on the padlock to see that the domain is verified by the SSL cert.

DV certs usually come with a ~$10,000 USD warranty from the CA.  This is protection for you in the unlikely chance that hackers manage to steal and decrypt your SSL cert encrypted data.

You Got No Green Padlock Guys!

Those who have a keen eye will likely notice that if you visit the Lime Canvas homepage using SSL we don’t have a green padlock.  Why?  Does that mean it’s not secure?

Yes and no.

Yes it is using the https protocol and that is encrypting transmissions securely – yay.

No in that there are elements on the web page which are being called from http (i.e. not the secure https).  These elements aren’t being encrypted.

Using an SSL cert for an ecommerce checkout page is the norm now but using SSL for general web page browsing is still a relatively new idea.  It’s much easier to make sure that a single page has all its links pointing to https than it is for an entire site.

Not wanting to get sidetracked too much, the short answer is that some WordPress plugins and core functions don’t check to see if the client is browsing in https mode and just spit out http URLs.  It only takes one http request in the source of a web page to stop the green padlock from showing.  Click on the padlock and the browser will tell you as much.
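To find the http requests that cost a page its green padlock, the following added example (not code from the original post) parses a page's HTML and lists every element that makes the browser fetch something over http://. The sample page, its URLs and the plugin name are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource while rendering the page.
# <a href> is deliberately absent: a plain link to an http:// page is not fetched
# with the page, so it does not affect the padlock.
FETCHING_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for subresources requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # <link> only fetches for certain rel values; check the common ones.
            rel = set(attrs.get("rel", "").lower().split())
            names = ("href",) if rel & {"stylesheet", "icon"} else ()
        else:
            names = FETCHING_ATTRS.get(tag, ())
        for name in names:
            for url in self._urls(name, attrs.get(name, "")):
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

    @staticmethod
    def _urls(name, value):
        # srcset holds comma-separated "url descriptor" candidates.
        if name == "srcset":
            return [c.split()[0] for c in value.split(",") if c.strip()]
        return [value.strip()] if value.strip() else []


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: one plugin script and one srcset candidate hard-coded to http://.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/demo/style.css">
<script src="http://www.example.com/wp-content/plugins/demo-slider/slider.js"></script>
</head><body>
<a href="http://partner.example.net/">Our partner</a>
<img src="//cdn.example.com/logo.png">
<img src="https://www.example.com/a.png" srcset="http://www.example.com/a-2x.png 2x">
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Protocol-relative URLs (//cdn.example.com/...) inherit the page's scheme and are therefore not reported.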

Organisational Validation (OV)

These types of certificates often take a while to be issued because the CA will make multiple checks to verify that your company is a valid company as well as owner of the domain you want the SSL cert for.

The CA will require proof to validate the company name, domain name and contact details via various online public databases.

Because of the additional (and likely manual) checking, the cost of OV SSL certs is often a lot more than the DV SSL certs.

When purchasing these types of certs, you will often also be given a “Secure Site Seal”.  This is usually in the form of a logo from one of the major recognised CA’s and sometimes a URL link which points to the validation information that the CA has collected.

Secure Site Seals are usually placed on your website to give additional confidence to your website visitors.  If there’s a click through to validate the company information, that’s a bonus for you.

e.g. Comodo Secure Site Seal image

Visually OV certs don’t look any different in the web browser address bar from DV certs but they usually do come with a larger ~$50,000 USD warranty value against data decryption and theft.

Extended Validation (EV)

These types of certificates are the most expensive.  The CA undertakes a very detailed check of your company.  On top of the same checks done for OV, the CA will likely ask the owner for proof of the legal entity that controls the website.  This could include bank statements and public company tax returns for Limited and large incorporations, verification of physical address, jurisdiction of registration or incorporation, company registration number/details and any other related information that will help it to validate your company.

By providing more reliable third-party verified identity and address information regarding the business, EV certs help to make it more difficult to mount phishing or identity fraud attacks by providing companies with a tool to better identify themselves to users.

Because of the extensive vetting, the issuing of EV SSL certs takes a lot longer than any of the others.  Saying that, they do usually come with the larger ~$1.75m USD warranty value against data decryption and theft.

The advantage of obtaining this type of cert is that your company name will appear in the green bar, giving your visitors a strong visual guide to validate that they are on the correct site.  Here’s PayPal’s website address bar as it appears in the Chrome browser – note the addition of “PayPal, Inc. [US]” alongside the green padlock and the confirmation that this is an EV cert.

This is the minimum certificate recommended for ecommerce transactions as it provides the consumer with additional information about the business.

Note: Different browsers have different ways of displaying SSL certs in their address bars.   They mostly all use green in some context.

[Screenshots: address bar in Chrome, IE, FireFox and Safari]

CA Provider & Domain Type

Great, you’ve decided on which type of SSL to go for; DV, OV or EV.  But there are a few more things you need to decide on before final purchase:

Domain Type

There are three types of SSL cert that can be issued depending on which type of domain(s) you need the cert for.  There will be a price difference depending on which case you need the cert for.

  1. Single domain
    This is usually the cheapest option and will issue a cert for www.example.com only.  So anything other than “www.example.com” typed into the web browser will not activate the SSL cert.
    Fine for those who have a single website.
  2. Multiple domains
    This is usually the medium price option and is ideal if you have a large number of different domains (typically up to 100) that you want to bring together under a single SSL cert.
    e.g. www.mycompany.com, www.mycompany.org, www.mycompany.net, www.mycompany-app.com, www.spinoff.biz
    If you host multiple sites on a VPS and want to give your clients cPanel access through their respective domain names, this is the server cert you’ll need.
  3. Wildcard domains
    This is usually the most costly option.  It gives you the ability to certify any subdomain under a main domain.  They are issued to *.example.com with * being any subdomain name you choose.
    e.g. server1.example.com, server2.example.com, tasteycheeseapp.example.com
    If you have a staging server where you set up client testing on a particular subdomain, this is a useful cert to have.
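To see which hostnames each of the three domain types would actually cover, here is an added example (not code from the original post). It assumes each certificate lists exactly the names shown and applies the usual browser matching rule, under which `*` stands in for one leftmost label only; the hostnames are the post's own examples plus two constructed ones.

```python
def name_matches(hostname, cert_name):
    """True if one certificate name (exact or wildcard) covers the hostname."""
    host = hostname.lower().rstrip(".").split(".")
    name = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(name):
        # A wildcard never spans several labels and never matches the bare domain.
        return False
    if name[0] == "*":
        # Refuse over-broad patterns such as "*.com"; compare the remaining labels.
        return len(name) > 2 and host[0] != "" and host[1:] == name[1:]
    return host == name


def uncovered(hostnames, cert_names):
    """Hostnames that would produce a certificate name-mismatch warning."""
    return [h for h in hostnames
            if not any(name_matches(h, n) for n in cert_names)]


# Names as listed in the post for each domain type.
SINGLE = ["www.example.com"]
MULTI = ["www.mycompany.com", "www.mycompany.org", "www.mycompany.net",
         "www.mycompany-app.com", "www.spinoff.biz"]
WILDCARD = ["*.example.com"]

# Hostnames to plan for; the second and fourth are constructed edge cases.
SITES = ["www.example.com", "example.com", "server1.example.com",
         "client.staging.example.com", "www.mycompany.org"]


def coverage_report():
    return {
        "single": uncovered(SITES, SINGLE),
        "multi": uncovered(SITES, MULTI),
        "wildcard": uncovered(SITES, WILDCARD),
    }


if __name__ == "__main__":
    for cert_type, missing in coverage_report().items():
        print(f"{cert_type:9s} does not cover: {', '.join(missing)}")
    # The look-alike domain from earlier in the post fails an exact match too.
    print(name_matches("1imecanvas.com", "limecanvas.com"))
```

The wildcard row shows the two cases that usually surprise people: the bare domain and a subdomain two levels down are both outside `*.example.com`.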

Re-sign & Reissues

Reissuing is the ability to re-sign and reissue your SSL certificate.  You will find that some of the very cheap SSL certs don’t offer this, so you get issued with the SSL cert once and that’s that until it expires.  If you need it reissued you’ll have to pay the issuer to do that.

Sometimes reissuing an SSL cert before the normal expiry is necessary.  An example of this was the 2014 POODLE vulnerability.  It was possible for hackers to read the unencrypted server key.  This led to all server administrators having to re-sign, reissue and reinstall server SSL certificates as the current ones could have become compromised.

So look at the description of the SSL certs on offer and decide whether you want to pay a little bit more to have the ability to re-sign and reissue your certs whenever you need to.

Issuing Certificate Authority

Lastly (I promise!) some issuers allow you to choose an SSL cert issued from the many different certificate authorities.  Essentially, you’re paying for branding or “the name” of the CA, so that when a customer visits your secured site they recognise that particular CA and associate that with being safe.

Some of the top CAs are: Thawte, GeoTrust, Comodo, RapidSSL, Symantec (bought Verisign), GlobalSign, Go Daddy and DigiCert.  There are hundreds more.

How To Use Your SSL Certificate

Ok you have your SSL cert – now what?

Once your SSL certificate has been issued to you it will need to be installed on the server and the website domain(s) that your SSL cert is intended for.

Most ISPs will happily bill you for this installation service.

If you have your own unmanaged VPS you will need to install the certificates manually.  Once you know what to do, it’s a 10 min job and the certificate is ready to use instantly.


WordPress 4.2 and Core Development in 2015
https://www.limecanvas.com/wordpress-4-2-and-core-development-in-2015/
Tue, 04 Apr 2017 18:14:13 +0000

The post WordPress 4.2 and Core Development in 2015 appeared first on Lime Canvas.

I sat in on the Making WordPress #core Slack channel the other day for the weekly dev chat – the first proper one of 2015.

Andrew Nacin kicked off the chat by announcing Drew Jaynes as the 4.2 release lead developer.

He also indicated that the WordPress release cycle for 2015 will see 3 releases; April, August and December.

New Stuff for 2015

There are some exciting new features planned for inclusion into core this year and Andrew hinted at some.

  • WP REST API due for late this year; maybe 4.3 or 4.4
  • image flow work
  • customizer plugins (some poss. 4.2)
  • mobile improvements
  • accessibility improvements
  • updates improvements

Over to Drew

With that, Drew took the reins to discuss what needed to be done for WordPress 4.2.

4.2 has a target drop date of April 8th but also has ~150 trac tickets against the milestone.

At the moment the release schedule is tentative but it’s a good indication of what you can expect to come.

Feature plugins for 4.2

Continuing the successful core development pattern of “Feature Plugins”, focus for 4.2 inclusions will be:

As well as the above plugins, in general the WordPress UI will get a “polish” in the areas of accessibility & mobility.

Other Stuff

There was also chat about including a feature to allow admins to generate and email new passwords to users (trac ticket) as well as incorporating a random password generator UI on the user profile.  That would certainly be a welcome addition.

A 4.1.1 maintenance release is almost ready to ship as we speak. Expect it sometime in the coming week.

Development, Sun Burn and a New Year Lifestyle
https://www.limecanvas.com/development-sun-burn-and-a-new-year-lifestyle/
Tue, 04 Apr 2017 18:08:50 +0000

The post Development, Sun Burn and a New Year Lifestyle appeared first on Lime Canvas.

It’s the height of summer here in Australia and that means 30° temperatures and clear blue skies.

So, being Scottish I have of course moved my development environment out onto the balcony.

Have you ever noticed how you sometimes ‘lose’ periods of time when you’re watching a film or engrossed in a really good book?  Well, development for me can be like that too.

With PHPStorm open and plugin problems to code, before I knew it over an hour had passed having not noticed the sun slowly creep across the balcony and onto my left foot which is now rather red.  That’ll be interesting in the hot shower tomorrow.

As I was liberally applying some SPF 50, it got me thinking about lifestyle.  OK I zoned out for an hour or so but how many hours a day fly by with me doing nothing but sitting in a chair in front of my computer?

Developer friends, remember how important it is to get up and do something every so often.  Make it a new year lifestyle thing.

Move around.  Go make a cuppa.  Walk around the block.  I’m off for a swim.

Christmas 2014 Holiday Business Hours
https://www.limecanvas.com/christmas-2014-holiday-business-hours/
Tue, 04 Apr 2017 18:05:50 +0000

The post Christmas 2014 Holiday Business Hours appeared first on Lime Canvas.

We would like to wish all of our customers, colleagues and friends a very merry Christmas this year and a successful 2015.

Lime Canvas will be taking a holiday break during the festive season for lots of R&R.

We close our doors at GMT 5pm on Friday 19th December and reopen again at GMT 8am Monday 5th January.

Customer Support

During our holiday period we will only respond to critical support queries via our usual support channel.

Merry Christmas and a Happy New Year!

WordPress Security: Nulled Scripts & CryptoPHP Infection
https://www.limecanvas.com/wordpress-security-nulled-scripts-cryptophp-infection/
Tue, 04 Apr 2017 18:02:06 +0000

The post WordPress Security: Nulled Scripts & CryptoPHP Infection appeared first on Lime Canvas.

Dutch IT company Fox IT have released a white paper outlining an increase in a security threat they have dubbed CryptoPHP.

The Fox IT CryptoPHP white paper is very technical and covers attack vector points for WordPress, Joomla and Drupal.

Let me summarise their findings.

It concerns something called “Nulled Scripts”.  Some of you may not have come across this terminology before.

What Are Nulled Scripts

Nulled scripts are bits of code, such as a WordPress plugin or WordPress theme, which have had their copy protection removed.

Many non-GPL “pro” plugins and themes come with a serial key which gives access to the paid features or entitles you to free upgrades.

Nulled scripts have these protections removed so that they will work for free.  It is outright theft of course or, put another way, pirated software.

There are many sites offering nulled (PHP) scripts as well as nulled WordPress plugins and themes.

Please do not use them.  Here’s why.

CryptoPHP Infection

The guys at Fox IT have found an alarming increase in deliberately infected nulled scripts.

It’s not new that many “free” WordPress plugins and scripts can contain malware if not downloaded from a verified source such as WordPress.org, Theme Forest, WooThemes or the like.

This particular infection is more devious than previous malware in that it encrypts data before sending it back to its command and control servers.

For a seasoned PHP developer, spotting the infection is rather easy.

include('assets/images/social.png');

Any developer will look at that and immediately be suspicious – why is an image being included in the PHP script?  That’s way not right!

The include() function is used for loading external PHP scripts.  Bingo!

You’ve guessed that social.png isn’t really an image and you’re right. It’s some PHP code disguised as an image file.

This nasty little script can even avoid detection as many malware scanning programmes (and plugins) don’t check image files.

We use WordFence as our go-to security plugin for all WordPress sites.  The newest version of the plugin automatically checks all include() statements for suspicious files and there is also an option to scan image files like they are PHP code.
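The two checks described above (include() statements that point at image files, and image files inspected as if they were code) can be sketched as follows. This is an added example, not code from WordFence, Fox IT or the original post; the directory layout and file contents are constructed, and the fake image holds only a harmless placeholder.

```python
import os
import re
import tempfile

MAX_BYTES = 1024 * 1024  # read at most 1 MiB of each image-named file

# include/require (optionally _once) whose string literal ends in an image extension.
INCLUDE_RE = re.compile(
    r"""\b(?:include|require)(?:_once)?\b[^;]*?(['"])([^'";\n]*\.(?:png|jpe?g|gif|ico))\1""",
    re.IGNORECASE,
)

# File signatures a genuine image of each type starts with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def suspicious_includes(root):
    """(file, line, target) for PHP files that include an image-named path.
    Scans line by line, so a statement split across lines is not caught."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for match in INCLUDE_RE.finditer(line):
                        hits.append((_rel(path, root), lineno, match.group(2)))
    return sorted(hits)


def fake_images(root):
    """(file, reasons) for image-named files that do not look like images."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            reasons = []
            if not data.startswith(MAGIC[ext]):
                reasons.append("no image signature")
            if b"<?php" in data.lower():
                # Also catches PHP appended to a file with a valid image header.
                reasons.append("contains <?php")
            if reasons:
                hits.append((_rel(path, root), reasons))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed theme: one include of a fake image, one genuine PNG header."""
    files = {
        "theme/functions.php":
            b"<?php\nrequire_once 'inc/helpers.php';\ninclude('assets/images/social.png');\n",
        "theme/inc/helpers.php": b"<?php\n// ordinary helper\n",
        "theme/assets/images/social.png": b"<?php /* constructed stand-in, no payload */ ?>\n",
        "theme/assets/images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return suspicious_includes(root), fake_images(root)


if __name__ == "__main__":
    includes, images = scan_sample()
    for path, lineno, target in includes:
        print(f"{path}:{lineno} includes image path {target}")
    for path, reasons in images:
        print(f"{path}: {', '.join(reasons)}")
```

Point `suspicious_includes()` and `fake_images()` at a `wp-content` directory to run the same checks on a real installation; a hit is a reason to inspect the file by hand, not proof of infection.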

What Does The Malware Script Do?

Fox IT determined that the malware script injects dodgy, spam and malicious website links into your site’s content.  An attempt at black-hat SEO.

Remember that this security issue doesn’t just affect WordPress.  It also affects Joomla, Drupal and possibly other CMSs which use add-on modules to extend functionality.

The white paper shows how to identify the script so you can check all your WordPress installations today.

We urge that you do check all your sites for this now.  Never download “free” themes or plugins from unknown/community unverified sites and lastly share this amongst your friends and colleagues to make the web a more secure place.

If you want to super secure your WordPress website have a read of our WordPress Security Best Practices post.

WordPress 4.0.1 Critical Update
https://www.limecanvas.com/wordpress-4-0-1-critical-update/
Tue, 04 Apr 2017 17:59:28 +0000

The post WordPress 4.0.1 Critical Update appeared first on Lime Canvas.

We are advising all of our followers to upgrade their WordPress versions to the newly released 4.0.1.

Automattic released the new version when serious security issues in the core code were brought to its attention.

This is a rarity as the WordPress core is usually very stable.  The last reported core issue was in v2.3.2 back in 2008 (ref: http://bit.ly/1yLBUIX)

They announced the release in a post on the WordPress.org website detailing the issues and the fixes they put in place.

WordPress 4.1 is due for release on December 10th but please do not wait.  Update your WordPress version now otherwise your website could potentially get hacked.  This is a critical update.

State of the Word 2014
https://www.limecanvas.com/state-of-the-word-2014/
Tue, 04 Apr 2017 17:56:15 +0000

The post State of the Word 2014 appeared first on Lime Canvas.

Enjoy Matt Mullenweg’s State of the Word 2014 presentation.

Matt talks about WordCamps, gives some stats from the 33,000 responders of the annual survey and of course lots more about the future of WordPress.

Some highlights

  • 33,000+ responders to the annual survey from 179 countries
  • three quarters of survey responses from international people (non-US)
  • 2014 saw WordPress international downloads surpass English ones
  • WordPress as a CMS has been declining every year: 93% in 2012, 89% in 2013 and 87% in 2014
  • WordPress as a blog has been declining every year: 32% in 2013, 26% in 2013 and 20% in 2014
  • WordPress as an App Framework has increased: 5% in 2013 to 6% in 2014
  • 785 contributors to the WordPress project in the past year
  • WordPress 4.1 to be released on Dec 10th
  • WordPress now powers over 23% of all websites
  • over 34,000 plugins in the repository
  • almost 3,000 themes in the repository
  • new developer code reference at https://developer.wordpress.org/reference/
  • language packs for themes and plugins coming in 2015
  • internationalization will be a big thing next year
  • better stats for plugin and theme developers being worked on actively now
  • push to get WordPress installations running on PHP 5.5+
  • new Twenty Fifteen default theme for next year
  • pull requests for WordPress from GitHub will “not go into a black hole”
  • contributors are now going to use Slack rather than IRC – available to every user on WordPress.org – see chat.wordpress.org
  • 5% for the future – see Matt’s blog
  • Full JSON REST API should be available soon

SSL v3.0 POODLE Vulnerability
https://www.limecanvas.com/ssl-v3-0-poodle-vulnerability/
Tue, 04 Apr 2017 17:54:12 +0000

The post SSL v3.0 POODLE Vulnerability appeared first on Lime Canvas.

The Interwebs world has been rocked again with yet another server vulnerability.  This one is called POODLE and is anything but cute and cuddly.

What’s the issue?

Poodle is actually an acronym for Padding Oracle On Downgraded Legacy Encryption. 

There’s a problem with v3.0 of the SSL (Secure Sockets Layer) protocol that most Linux-based servers still run today.

It allows the plaintext (decrypted) credentials to be read, making it possible for somebody to snoop on your “secure” transmissions.

SSL v3.0

The v3.0 SSL service protocol is pretty old – in fact 15 years old to be precise but many web servers still have it switched on.

Newer protocols are used today, TLS 1.0, 1.1, or 1.2 but when these fail the server will automatically try a fallback connection via SSL v3.0 and that’s the issue here.

Does this affect SSL Certificates?

No it does not.  All your SSL certificates are still good and don’t need to be reissued.

How do you know if your server is affected by this issue?

The Poodlebleed website has a small testing script that you can use to see if your server is affected.

Fixing the issue on the server

There are quite a few services on a server which may use the SSL v3.0 protocol including web servers (Apache, Nginx, Lighttpd) and email services such as Sendmail and Dovecot.

Here’s a great resource on how to test and fix each of these services.

More Security?

You should also check out our WordPress Security Best Practices Infographic.

WordCamp Sydney 2014
https://www.limecanvas.com/wordcamp-sydney-2014/
Tue, 04 Apr 2017 14:07:21 +0000

The post WordCamp Sydney 2014 appeared first on Lime Canvas.

It was April 28th, 2013 around 5pm and I was sitting in a lecture theatre at RMIT University Melbourne.

WordCamp Melbourne 2013 had just finished.  A few of us, including the rather exhausted looking organisers, were relaxing at the end of the conference while the buzz of people heading home and things being packed up surrounded us.

It was a great weekend – fantastic even!  I wanted more.

So, leaning forward I asked the organisers if they were planning on organising a WordCamp in Sydney for the following year.

Eyes flicked back and forth between them, an agreeing non-verbal communication and an answer came back.

“No, but it sounds like you just volunteered!” Thanks Pete and Dee.

So, zoom forward a year and a bit and in three weeks’ time WordCamp Sydney 2014 will happen.

Including myself, the organising team are:

Where and When?

WordCamp Sydney 2014 will be at the University of Technology in Sydney (UTS) on September 27 & 28.

Two full days of presentations and networking on all things WordPress.

We have two streams of talks; one for users/bloggers and one for developers/tech.

The official website is http://2014.sydney.wordcamp.org/ and you can get in touch with us on Twitter and Facebook.  The schedule is also on Lanyard.

It’s not too late to buy a ticket or help with sponsoring the event.

Once the event is finished I may just write a post letting you all know what it’s like to organise a WordCamp.

See you there!

How To Update Notifications on Gravity Forms
https://www.limecanvas.com/how-to-update-notifications-on-gravity-forms/
Tue, 04 Apr 2017 13:59:47 +0000


First off, if you are reading this, congratulations, because you have a WordPress-powered website with Gravity Forms installed on it. GF is an amazing plugin for WordPress, without question the most powerful and amazing forms plugin you could have on your website.

Below I will take you step by step through the process you will need to go through to update your Gravity Forms notifications settings.

Your notifications settings are a screen of settings inside each form that govern who will be alerted to the form submission. This can be your prospect (form submitter), or perhaps a specific team member in your organisation who is tasked with handling all queries from a certain area.

Step 1: Login to your wp-admin dashboard

This is simple, go to http://www.YOURDOMAIN.com/wp-admin

Step 2: Click on the Forms menu item in the left hand navigation panel

On the left side of your dashboard you will see a menu that looks somewhat like the image above.

Step 3: Locate the form you want to update from the list of forms

Step 4: Edit “Admin Notification”

This is the default notification that Gravity Forms sets up. This might be labelled something else, or you might find multiple notifications set up. Either way the mechanisms are the same.

Click on the label as per the image above.

Step 5: Edit notification settings as desired

Below I have taken a screen grab of the Notification Settings screen which I will break down item by item below.

Before you tackle these settings, it is absolutely essential to have clearly thought through what you want to happen when a user submits the form. For example, some questions you need to have answers for are:

  1. Is it a case that you want the email to just be sent to one person or multiple people?
  2. Are they all in your organisation or are some parties external?
  3. Do you want everyone to be able to see who else got the notifications?
  4. Does the notification need to go to a different person depending on answers submitted?

Below I’m going to outline what each setting does so that you can understand the possibilities.

Send To…

Enter Email – this is exactly what it sounds like. You can input an email address or you can use a tag. This is the most popular option and likely what your website is set to.

By default it comes pre-populated with {admin_email} which will send the notifications to the email address you specified in your website settings.
( wp-admin dashboard > Settings > General )

Select Field – If you have multiple email address fields in your form you can select which one receives a notification.

This is useful if you wanted to set up a form on a page where you wanted to encourage your website users to “Tell their friends about this…”.

Routing – This option is where Gravity Forms really moves into a league of its own. Inside this option is great power because it introduces logic to route your notifications!

Let me give you a very basic example of how this might be utilised. Let’s say you had a contact form, and at the top of the form was a drop-down menu asking the user to select which department could help them: Sales, Billing or Support. Underneath that is a text area where they can put in details of their problem/issue/comment, to let you know.

Now inside of your organisation different people look after each of those areas, so you want an email to be sent to the right person depending on what your website user chooses.

So, to continue the above example, when setting up notifications we would add details in a similar fashion to those in the image above.

Then you would click the little + sign at the end which would open up a new row so that you could also add rules in for Sales and Billing. Now no matter what choice your user makes on the form, their comments will be routed to the right resource inside your organisation.

From Name… and From Email…

This is simply whom the form appears to be sent from. You could set this to the same value (i.e. Website Contact Us Form) or you can use merge tags to dynamically put in the person’s name or email based on what they’ve filled out the form with.

In the image above we have: {Name (First):1.3} {Name (Last):1.6}

As complex as that looks, for our form this will dynamically send emails to us from the submitter’s first and second name.

NB: These values will be different on your forms. Click the Merge Fields button to the right side of the field. DO NOT simply copy the values from this post as they won’t work.

NB: These merge fields are available on most fields in Gravity Forms and you can always access them by simply clicking the button highlighted with an arrow in the image above.

The field below From Name operates in exactly the same fashion but this is for the email address you want the form to show up from.

NOTE: There is an issue some email systems have where if you assign the same email address in this From Email field, as you have in the To: field the email will not get delivered. Office365 is particularly guilty of this. If your website’s main admin email is info@ for example, we recommend you use a noreply@ or something like that for your From Email. In this scenario you will want to label the From Name field something that your recipient will recognise.

Reply To…

In most cases you will want to leave this the same address as the From Email field above. However, there may be situations where it is advantageous to have replies go to somebody other than the email address that sent the email. The only instances of this I have seen, however, were with marketing automation type work.

BCC:…

This is where you add any email addresses you want to blind carbon copy in on the notification email’s contents. This is the field to use if you are sending your notifications to multiple people and you don’t want the original submitter of the form to be aware of all those email addresses.

In most cases this is the field you will want to use to avoid confusion and potential SPAM issues down the road.

Subject…

This is fairly self explanatory I think. You can use merge fields here to personalise should you wish.

Message

Again this is fairly self explanatory. You have a full WYSIWYG editor and you can use merge tags in your message body so really anything is possible here.

Auto-Formatting

Just leave this un-ticked unless you experience formatting issues with your emails being sent.

Conditional Logic

This is form-wide conditional logic where you can create rules that go something like:

Send this notification email if X form field had Y selected

This can be useful if you are receiving a lot of notification emails and you want to reduce the volume. So, for example, you could ask a user what their age is, and if you only want to receive emails from 20-35 year olds because you know they are the only ones who buy your products, you can set the form up to only notify your sales resources if they selected that age range.

Conclusion

That wraps up my guide to the Notification Settings of a form in Gravity Forms. If you have any questions please ask them in the comments.

Have you used Gravity Forms? Any difficulties? Please let us know in the comments below…
