Photo of a person facing a long road ahead.

Finding Motivation on Mondays

Happy Monday, everyone. I’m back from a great weekend at WordCamp Rochester, coupled with a little bit of winery-touring with my husband through the New York Finger Lakes. Now it’s time to sit down and get back to work. But work on what, exactly? When there’s no client work to be done, where is the motivation to begin the week when Monday rolls around?

I’ve previously written on my personal blog how Mondays can be super-hard when you’re a freelancer, but that seems like that goes double for when the client projects are on the thin side. Since rolling off The Big Project which consumed most of my professional life for over a year, Taupecat Studios is showing the results of its neglect by me. Several potential projects have been put on hold at the client level, and The Big Project consumed so much of my time that the pipeline has run a bit dry. So this is the perfect opportunity to look inward a bit, and work on internal projects, right?

If only it were that simple.

I’m a person who thrives on stress (although that’s probably not so good on my heart), specifically the stress of meeting deadlines. When client work lulls, as is the case at the moment, it’s hard to find the push that will get me working on the myriad of internal projects I have on my Trello board. I have no shortage of things I could be working on in both the short-term “it would be great if this worked a little more smoothly” sense, and the long-term “this will really help my business succeed for years to come” sense. While internal projects are important, they never seem to be imperative. Yes, they’re vital to my business’ success, but they don’t actively generate revenue in the here-and-now in the same way client work does.

The other problem is there are so many items on my internal projects list, it’s hard to really know which one or ones to focus on. I’ve been watching and attending more WordCamp talks on running a business (this one on Taming the Whirlwind by Nathan Ingram is especially good), and while they’ve fueled a lot of great ideas to act on, it becomes a bit overwhelming at the same time. Where to begin? The quick, low-hanging fruit project that I could knock out in a couple of days, or the long-term one that’s going to take weeks (or months), but have a significant R.O.I. when all is said and done?

And what happens when I finally begin down the road on a particular internal project, and the client work picks up again? In the “feast or famine” cycles since I’ve become a freelancer, the famines never seem to last very long—which is great, don’t get me wrong! But it also means my internal processes end up stagnating in a half-completed state because they’ve had to be put on pause for the latest client projects.

The Roadmap

There is a rough roadmap in place, and a bunch of things I hope to accomplish between now and the end of 2019. Near the top is revamping the agency website, and for that I got some awesome content advice from Bridget Willard she gave me at Pressnomics. From WordCamp Rochester, I got some great ideas for tools and processes that I can implement to increase the value I provide to my clients. And, as always, there’s a wishlist of technical tasks and automation processes that will make my life easier, once I build them, of course.

Photo by unsplash-logoTegan Mierle on Unsplash.

Abstract image representing online security

WordPress Insecurities

Once again, I find myself up against a client’s preconceived opinion that “WordPress is [inherently] insecure.

It’s a common refrain, and one that I’ve heard over, and over, and over again since I began specializing in WordPress. But let’s set the record straight.

What Is It You’re Really Afraid of?

Is it WordPress you’re concerned about, or open source software (OSS) in general? Despite powering software for most of the planet, OSS still has a reputation of being developed by “amateurs,” and being unstable because it lacks the backing of Big Corporations.

While I won’t argue that OSS has its fair share of abandoned projects, it’s simply wrong that all OSS is written by hackers in their basements at 2 o’clock in the morning. Most major for-profit technology companies—the likes of Microsoft, Apple, Amazon, and Google—are often large backers of OSS, contributing time, money, and resources to its development. They know that their own businesses rely on OSS.

The Myth of “Closed Source Is More Secure”

The only correlation between closed-source software and security is that fewer white-hats (people with good intentions examining software for possible security vulnerabilities) are able to pore over closed-sourced code than open-sourced. (You still have plenty of black-hats examining both, looking for opportunities to exploit vulnerabilities for their own personal gain.)

OSS has the eyes of the world scrutinizing code every single day. Closed-source software only has the company’s own team of developers, who’ve seen the same code day after day after day (and hence, has become jaded and/or blind to its faults). And what if The Security Person is on vacation the day a major exploit is revealed?

When Was the Last Time WordPress Security Hacks Made the Evening News?

Think about the security breaches that make the headlines. I think I can recall a WordPress one back in the 2.* days (WordPress is currently at version 5.2.3). But I can pretty much guarantee that the Capital One, Starwood, and Equifax data breaches did not involve WordPress.

To say that WordPress is inherently insecure is to say that the Internet itself is inherently insecure. I’m not saying that that statement is wrong, but the only conceivable solution to that issue is to stop using the Internet altogether. Does that seem very practical?

Anything Can Be Insecure; Anything Can Be Made Secure

If you throw software out onto the Internet, be that in the form of a website running WordPress or any other platform, and fail to maintain it, then yes, it will, over time, cease to be secure. New vulnerabilities are discovered on a daily basis, not necessarily in WordPress, but in everything that touches the Internet.

The key is to make sure your web properties are properly maintained, with security patches and other updates made when they become available.

Most WordPress Compromises Have Nothing To Do With Software

By far the most common way of breaking into a WordPress site is not through the software itself, but by something called a “brute force attack,” whereby automated attack bots literally try to force their way into a privileged account on the site by guessing usernames and passwords. If you use weak passwords, or (worse yet) reuse the same password across different Internet services, you’re increasing your risk of compromise. Often, data breaches on one service serve as jumping points for attacks on different systems because exploiters know that people often use the same usernames and passwords across accounts.

There are plenty of password security best-practices you can do to reduce your security exposure, including:

  • Using strong, nonsensical, and unique passwords along with a strong password management system such as 1Password or LastPass.
  • Don’t use “common” usernames for your accounts (like “admin”; never create a user account in WordPress called “admin”).
  • Make as few user accounts on your WordPress site as possible, and don’t give users any higher level of access than absolutely necessary.
  • Don’t transmit passwords over email.

Don’t Go It Alone

Chances are, WordPress is not your core business. But it is mine. If you don’t feel like you have the time/energy/resources/interest to maintain your WordPress site properly, get in touch, and we can discuss outsourcing that responsibility for peace of mind.

Photo of printing plates.

Gutenberg & You

For the past year, the WordPress core development team has been working on a complete revision of how editing content in WordPress works. Now the results of this work—codenamed Gutenberg—are very close to release in the core version of WordPress.

What is Gutenberg?

Gutenberg is a new editor in WordPress. Instead of one big “content editor” box in your WordPress administration, the editing paradigm is shifting to one of many, much smaller blocks. Content authors will create their sites using these blocks which will give them finer control over the formatting and presentation of content in their WordPress pages and posts.

When Will Gutenberg Show Up on My WordPress Site?

Gutenberg has been available for some time now as a plugin—an extra you can add to your WordPress site. But beginning in the recently-released WordPress 4.9.8, you’ll start to see notes encouraging its download and use.

You’ll still have to install a plugin to use it, and if you’re hosting your site on Pantheon, that means going through Pantheon’s workflow (just let us know if you need some help with that).

Come WordPress 5.0, slated for release later this year, Gutenberg will be integrated into WordPress core and will be the default interface for editing content.

What If I Don’t Want Gutenberg?

Fortunately, the WordPress core team has offered an opt-out solution if you decide that Gutenberg isn’t right for you. Taupecat Studios has already installed the Classic Editor plugin to every site we manage. It’s sitting in your plugins administration screen, deactivated but waiting. Once Gutenberg goes live, you can always switch back to the classic editing window you’re comfortable with by activating that plugin.

How Does Gutenberg Affect Beaver Builder and/or WPBakery Page Builder and/or Advanced Custom Fields?

Some have called Gutenberg a response to the plethora of WordPress page builders available as third-party content editor alternatives. While this isn’t exactly true, it isn’t exactly false, either.

Responsible page builder plugin developers have known about Gutenberg for awhile, and have planned accordingly. Beaver Builder has pledged their commitment to supporting Gutenberg upon its release. Advanced Custom Fields (not exactly a page builder, but often used like one) has also been testing their development against Gutenberg, and promises to be 100% compatible with WordPress 5.0. WPBakery Page Builder also promises a smooth transition to Gutenberg.

Anything Else I Should Know?

Only that change is hard. But don’t worry. We wouldn’t leave you to face a change of this magnitude on your own. As always, let us know if you have any questions or concerns.

And as always, Happy Pressing!

Why Individual Accounts Are Almost Always a Better Idea than Shared Logins

Often when working with clients I need access to legacy websites or services such as DNS providers and web hosting dashboards. Usually when this happens, I’m given the same credentials that circulate amongst the clients’ own staffs, using the same shared logins as they do. Now, I’m a trustworthy individual, but there are many reasons that have nothing to do with my trustworthiness that make this a bad idea.

The Problems with Shared Logins

Insecure password sharing practices and other security risks can plague your infrastructure when account credentials are shared amongst team members.

Default Usernames

While it’s no longer the case, WordPress historically would automatically create the initial account with the username “admin”. Even though WordPress now explicitly asks for the desired username, many organizations that intend to share logins will still use some variation of “admin” or “administrator” for the master account. This makes the site a prime target for brute force attacks, which often use “admin”, “administrator”, or a variant of the site’s own name in their attempts to break into the site because of the frequency of this pattern.

Insecure Passwords

When multiple people are using a common account, by necessity the common password needs to be shared too. This can lead to insecure practices such as sharing via Post-It Note, plain text email, distributed spreadsheets, or other easily compromised methods. Additionally, the passwords themselves are likely to be short and easily-memorizable, which goes against modern password best-practices.

Lack of Two-Factor Authentication

Two-Factor authentication—the practice of using a secondary, one-time password from a cell phone, for example—is possible when sharing common account credentials, but it’s extremely cumbersome, and unlikely that an organization using shared logins would be taking that extra security step.

Bad Actors

Every time your account credentials are shared among a team, you’re increasing the possibility that one of the trusted members might do something harmful—intentionally or through an honest mistake. And if you need to change credentials quickly because of a bad team member (or a team member that inadvertently compromised the security of those credentials), you’ll need to quickly change the credentials to the account and then distribute the new information, often by similar insecure means. Not to mention damage to the account in question that might need repairing.

Possible Solutions

There are a number of steps your organization can take in order to lessen the risks that come from shared logins.

Delegation of Roles

In systems that allow for multiple accounts to control the same information—content management systems, for example, and some of your more sophisticated managed web hosting providers—you can create individual accounts for every member of your team, complete with their own unique password, and delegate the required authority to them. This makes everyone in your organization responsible for their own online security and no one else’s, and also allows you to quickly shut out a compromised account without affecting the other members of your team.

Rule of Least Required Privilege

Not everyone on your WordPress site needs to be an administrator. Set the proper roles to go along with each team member’s role in your organization. Similarly, on your service provider’s site, only the account owner probably needs to be able to see all the billing information; the rest of the team can be assigned various levels of functional access without being able to see (and change!) things they shouldn’t.

Use a Password Manager

Insist that your team members use a password manager, or better yet, invest in an enterprise-level password manager for your organization. Not only do these systems store passwords in a more secure format than written paper or your computer’s sticky notes, they also let your team member generate long, nonsensical, and difficult-to-crack passwords that are unique for every service they have access to. Also, if you really must share account credentials among team members, doing so through a password manager is the most secure method to do so.

Sometimes, you just can’t avoid the shared login scenario. Not every service is up to speed on the need for individual accounts and role delegation. If you really must use shared logins, keep those account credentials as secure as possible and limit their distribution to as few people as possible. And petition your vendors to upgrade their own security practices.

Why Do I Need a Maintenance Partner if I Use a Managed WordPress Host?

Managed hosting providers are a breed of website hosting that has emerged over the last few years as a popular option for hosting WordPress sites. Some—such as Pantheon and WP Engine—only provided managed hosting services and nothing else. Others—DreamHost, GoDaddy, and SiteGround, for example—offer managed WordPress hosting in addition to their other shared hosting plans.

As a whole, managed hosting plans cost a bit more than shared hosting, but is usually a good investment if your WordPress site is out there to make money for you. On the technical level, the servers are usually fine-tuned to max out WordPress’ performance with caching options and configurations that have WordPress in mind. They usually offer other goodies as well, such as a dashboard that gives you a birds-eye view of everything going on with all the sites you have on that host, backup options, maybe access to third-party performance tools, etc.

So if you’re paying out the extra bucks to run your WordPress site on managed hosting, you may be thinking you don’t need a separate maintenance partner. After all, what’s the value add?

While managed hosting is great, they don’t do everything your site needs to keep it running healthy and top-form. A good maintenance partner will fill in the blanks, and complement your managed hosting provider with services they don’t—or often can’t—provide.

Redundancy of Backups

Almost universally, managed hosts will perform regular, incremental, and staggered backups of your site, which is great. And if you’ve done something catastrophic to your site and need to roll back, it’s usually no more than a few mouse clicks and a couple of minutes’ wait and you’re back in business.

But what about if there is a massive failure of the hosting provider? It happens. As much as your better hosting providers build in redundancy into their systems, total outages can and do occur.

Having another backup in a system other than your hosting provider can provide peace of mind that if something really, really bad happens to that provider, your site and data can be restored somewhere else as quickly as possible. Remember Schofield’s Second Law of Computing: Data doesn’t really exist unless you have at least two copies of it.

Massive failures of hosting companies to the extent where an extra backup is needed are extremely rare, but they do happen. Maybe they cut off access to your account in some sort of legal dispute (think DMCA take down notice or a perceived violation of the hosting company’s terms of service). Maybe the host just goes belly-up and shuts down its servers in the middle of the night. Crazier things have happened; it’s best to be prepared.

Updates of Plugins and Themes

Managed hosts are usually very good about applying updates to WordPress core soon after they are available. Important, because some managed hosts block the mechanism by which WordPress can self-apply security patches.

However, they won’t usually update plugins and themes. There are good reasons for this: Plugins and themes—coming from a variety of developers—can contain bugs or breaking changes that could bring down a site. It’s much more important in this instance to have a human somewhere in the process independently verify that plugin and theme changes are safe by applying them to a testing or staging environment before they go live.

Uptime Monitoring

Many, but not all, managed WordPress hosts will notify you if there is some problem on their side that affects the availability (uptime) of your site. But there are many reasons a site will go down (or just become very, very slow) that their automated notification policies won’t pick up.

For example, if your domain name expires (many managed hosting companies do not provide domain name management services), the site will still be “up”, technically, but it will be unreachable because the global network of phone books that keeps track of what domain name goes to which site on the Internet will be directed to some landing page set up by your domain name management service, not your website.

Another possible problem is if your site is under a DDoS attack; some managed hosts will pick up that as a security issue, but others might not. Either way, the performance of your site may slow to a crawl, but because it’s not “down” in the technical sense, you might not see a notice from your hosting company. A third-party uptime monitoring service accesses your website in the same manner than human visitors do, making it more likely to catch slowness. If it doesn’t get a valid response in a timely fashion, it will warn the site owner of the problem within a few minutes.

At Taupecat Studios, we love managed hosting, and recommend one in particular (Pantheon) to all of our clients. We also realize that good managed hosting isn’t enough to take care of all the needs of your website hosting. Therefore, we offer a maintenance plan to perform all those tasks the managed hosting providers don’t.

Are you running on managed hosting, but need a little extra help for those tasks? Drop us a line and let us know how we can help!

Telephone switchboard operators from the 1950's.

Demystifying DNS

DNS—or Domain Name System—is one of those geeky terms that usually flies above the heads of people who aren’t entrenched in the world of websites and the Internet. Mostly because, for the most part, it’s invisible. It’s one of those crucial pieces of Internet infrastructure that usually just works without you noticing it, let alone thinking about it. But when it doesn’t work, bad things happen, or rather, good things don’t happen, like people finding your website. And if you’re about ready to launch your brand-new website, chances are you’ll have to make some DNS changes in order to get things working.


To explain how DNS works, I’m going to use an increasingly antiquated metaphor: that of a phone book. Just like you have a name, if people want to reach you (by telephone, that is), they need to know your telephone number. Just dialing your name into the phone doesn’t work. When I was a kid, we found out this information by using a telephone book: I would look up the name of my friend, and the book provided the number I could use to call her.

This won’t work.

DNS works in much the same way. Every website you want to visit has a name, but behind that name is one or more numbers that are the true location of where that name leads to. These numbers are called IP (Internet protocol) addresses, and consist of four groups of numbers that range from 0 to 255 and are separated by dots. (That’s IPv4, the most common standard. There’s also IPv6, but let’s ignore that today.)

So let’s go back to our phone book analogy. Looking up my friend’s phone number was easy since we lived in the same town. But what if I needed to look up somebody who lived in another state? Chances are, I didn’t have that phone book just lying around. I’d either have to call information, or go to the library and hope they had a copy of the appropriate book. And how did the library have it? By sending away to various cities to get them.

And that’s a bit how DNS works, too. There is one place per URL, called the “name server,” on all the Internet that holds the key numbers for any particular name on the Internet. Who the name server for a particular URL is is so important that it’s provided along with other basic information such as the URL’s owner and registration service (or registrar). But then that information propagates to Internet providers (your Verizons, your Comcasts, your Time Warners, etc.) all around the world. Any time there’s a change, the change has to work its way throughout the Internet in a process that could take a little as one hour or as long as five days.

Time to Live

Why the difference in time? Along with the information regarding what URL has what number, the name server also tells other servers around the world how often to check back for new information. This is called the “Time to Live” (or TTL), and the shorter the TTL, the more frequently Internet providers and other servers check back to see if any information has changed.

So when you’re getting ready to launch a website and know you’re going to need to change the DNS, you need to do some planning ahead of time. You can usually change the TTL to something shorter than the default, and so it’s best to do so at least a week ahead of time. Then, when you’re ready to launch, make the change, and once the change has made its way throughout the Internet, you can change it back to the longer TTL value.

Changing the DNS Information

How do you change the DNS? Good question, but there’s no one answer. Often, you manage DNS settings on the same site where you registered your URL. But sometimes, it’s with your web host. Which could be the same provider, or could be different. Sometimes the interface to update your DNS is very simple, but the provider will try and upsell you on a bunch of stuff you don’t need. Other services have complex interfaces that you practically need a computer science degree to edit. In short, if DNS changes are required to launch your site, it’s best to have a professional handle it.

Hopefully I’ve been able to shed a little light on DNS. Have more questions on this or how other parts of the Internet work together, let me know in the comments or send me feedback!

Fall leaves

Hello, Fall

It’s been a wild, crazy, and busy summer here at Taupecat Studios HQ. Which is why, aside from a launch announcement, there’s been precious little traffic on the blog in the past couple of months. But we do have a few things to share about our summer and what’s coming up this fall.

Say Good-bye to Our Intern

We were fortunate this summer to have the services of our intern, Sam, who helped us with content migration, quality control, and site building. (Maybe there was a little nepotism involved in hiring him; he is my son, after all. But hey, it’s not like I’m president of the United States…) Alas, he has to head back to school today, and will be too busy with his homework (hear that, kid?) to help me much more. But I do thank him for all his help over the summer!


WordCamp D.C.

One of the highlights of the summer, undoubtedly, was helping organize the first WordCamp D.C. We had a great turnout of 450 attendees and terrific local speakers along with top WordPress experts from across the country (and one from Europe!). For all those who attended or spoke, a heartfelt thanks, and we’re looking forward to doing this all again next year.

Upcoming WordCamps

D.C. chose to hold its first WordCamp in the middle of summer, but with the arrival of fall, WordCamp season along the East Coast is kicking into high gear. I’ll be speaking about the new CSS Grid specification at WordCamp Philadelphia—October 28-29—and attending WordCamp Rochester (NY) November 18. Other upcoming WordCamps in the region are:

And of course, the big one—WordCamp U.S.—will be in Nashville, Tennessee on December 1-2. We’ll be there (I’ve applied to speak and am waiting to hear back).

3 of the "Tracys" of WordPress

Looking Ahead to Fall

Now that fall is here, it’s time to get back into the groove. We’ve got some more great work lined up for fall, and I spent part of my summer vacation thinking about what kind of blog posts would be truly of value to you, our audience.

Got something your curious about? Confused about WordPress or web technology but didn’t know where to ask? Let me know, and I’ll consider it as a future blog post.

Until then, if you have a WordPress or website need, get in touch! Let’s solve your website problems together.

Virginia Opera

Taupecat Studios Hits a High Note with Virginia Opera

We are thrilled to announce the launch of the completely redesigned and reengineered Virginia Opera website. With our design partner, Jamin Hoyle of Branwellington & Cat, the new website boasts a clean, user-friendly, and responsive user interface, improved navigation, and the bold imagery of Cade Martin photography for the upcoming 2017 – 2018 season.

The previous website, built on Joomla!, was non-responsive and difficult for opera staff to maintain. It was in desperate need of a refresh, especially as season subscriptions neared sale. Jamin’s web designs further built upon the refreshed branding he started when putting together their brochure for the new season, which features Lucia di LammermoorSamson and Delilah, and other passionate operas. Incorporating into the theme of the website is this season’s tagline: “Love that is not madness is not love.”

The new website is also built on WordPress, the powerful and user-friendly content management system that powers an estimated 28% of the world wide web. The site is hosted on Pantheon.

Virginia Opera is our first major-client launch since we started Taupecat Studios this past March, and we’re so excited to help them bring this project to life. With performances in Norfolk, Richmond, and Fairfax, as well as opera education programs throughout the commonwealth, we’re glad to help them bring the beauty and passion of opera to all Virginians.

Virginia Opera Website Before & After

Visit the brand-new Virginia Opera website at Season subscriptions are on sale now.

Have a project that you’re passionate about, but need some help getting it to the web? Contact us, and let us know how we can help!

WordCamp D.C.

Taupecat Studios Is Sponsoring WordCamp D.C.!

Taupecat Studios is proud to announce that we are a micro-sponsor of the first ever WordCamp D.C., running from July 14 through 16, 2017 at the Carnegie Library in downtown Washington, D.C.

WordCamps are great community-lead conferences that focus on any and all things WordPress. Bringing together the top minds about a platform that powers more than a quarter of the Internet, WordCamp D.C. will be three days of intense content on development, design, content marketing, search engine optimization, and more.

Personally, I’m super-excited that this event is finally happening, and happy to be on the organizing team making the whole thing come together. We have an incredible line up of top-notch speakers coming to this event, both locally and from around the U.S. and Europe.

Tickets are only $60 and are now available. The only way we can make tickets so incredibly inexpensive is through the enormous generosity of sponsors, and to that end, we are still seeking a few more to help make this event the best it can possibly be.

I hope you’re looking forward to this event as much as I am, and I hope to see you at the Carnegie Library in July!

About WordCamp D.C.

For more information about WordCamp D.C., visit their website or follow them on Twitter.

What to Know About WannaCry

You’ve probably heard news reports about “WannaCry,” the near-global ransomware attack on computer systems that holds your data hostage until you pay the attacker $300 in bitcoins. And you’re probably wondering if you should be concerned about your digital life.

Everyone should be concerned about computer safety all the time. Bad actors from criminals to anarchists and even rogue governments are always out there, looking for new ways to exploit technology for financial or political gain. The latest reports have linked WannaCry to a shadowy operation run by North Korean agents.

How Did the WannaCry Attack Happen?

WannaCry uses an exploit in older versions of Microsoft Windows that was discovered by the National Security Agency but about which the NSA did nothing to notify Microsoft. When exploits are discovered by non-governmental organizations, it’s customary for the discoverers to notify the software developer and give them time to address the issue before it goes public. In those situations, a financial “reward” may or may not be offered.

However, it’s become clear that when governments discover serious exploits that could potentially make backdoors into encrypted computers available, they would rather hold onto that information than take any steps that could remediate the situation. But governments aren’t invulnerable to their own leaks and hacks, and this information ended up on WikiLeaks for all the world to see. The fact that the NSA knew about this vulnerability, did nothing to publicize or fix it, and it still found its way to the public only serves to validate Tim Cook’s opinion that “a backdoor for the good guys is a backdoor for the bad guys.”

Is My Website At Risk?

Potentially, but not likely. This particular exploit affects older versions of Microsoft Windows only. While there are still hundreds of thousands (if not millions) of such computer systems out there around the world (including the U.S.), they are not the typical configuration for webservers, which more likely run a variation of the Unix operating system. However, a Windows system does have the capacity to run a WordPress site, and PHP files are just one of the targets of WannaCry’s encryption scheme.

If My Website Isn’t At Risk, Then Why Should I Care?

This incident is one of the most high-profile reminders yet of why it’s important to keep your software—all of it—up-to-date. I’ve written here already about the importance of keeping your WordPress core and plugins up-to-date, but I implore you to not neglect your everyday computers—including your smart phone. Previous attacks have targeted software that powers websites, and the next major website attack is undoubtedly lurking out there, ready to strike at any time.