Don’t Get Hacked: Steps To Secure WordPress

A couple weeks ago, I was in California and met someone whose site was hacked, and he was completely unaware. I took on the clean-up of his site and set out to make sure that in the future his site was safe from falling prey again.

That process has really sobered me up, and made me realize just how vulnerable some of my sites have been.

The reality is that the best defense is actually having a defense. If you put your head in the sand, you’re gonna get a swift kick in the ass.

The Downside Of Popularity

20% of sites are on WordPress.

Just like driving a really common car, like a Honda Civic, there are a lot of vulnerabilities that come from using the most popular website platform. The more people use it, the more lucrative it becomes for attackers to learn how to exploit it. Since about 20% of sites now use WordPress, it is a bigger target for hacking.

Steps To Secure Your WordPress Site

On average, 20,000 hacked sites are identified every day.

According to Sophos Labs, they identify 30,000 new sites a day that are hacked! That’s a shocking number, but even that is incomplete as it only counts those identified as passing malware and not more subtle hacks that involve redirects or injecting link spam.

Here’s what I learned during the experience I mentioned above and from the helpful comments and contributions from several SEO experts on what you can do proactively to prevent it from happening.

Protect Your Login Page

One of the most common methods for hackers to gain access to your site is through brute force username & password guesses. There are a few options that can be used or combined to reduce the risk of having your password stolen.

Block Access to wp-login.php

The best way to protect your WordPress login page from brute force attacks is to block unauthorized users from even getting to the page in the first place. This will require some editing of your .htaccess file if you’re using Apache and your config file if using Nginx. Most hosts will allow this and if yours doesn’t, it may be worth considering a change.

The first and most secure method we will address is to limit access to your wp-admin directory by IP address. This method should only be used if you know what IP addresses you will be accessing the site from and those addresses won’t change on a regular basis. Typically this isn’t a problem, but it is one to keep in mind since you will block yourself from access if you’re not careful. Use the code below as an example for blocking access based on IP. The code also includes a section that unblocks certain files that may be needed by some of your plugins. If you’re using an Apache server, put this code in a .htaccess file within your wp-admin directory.

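# Block access to wp-admin - replace x.x.x.x and y.y.y.y with your IP addresses.
# This is Apache 2.2 syntax; Apache 2.4 only accepts it when mod_access_compat is loaded
# (the native 2.4 form is "Require ip x.x.x.x y.y.y.y").
order deny,allow
allow from x.x.x.x
allow from y.y.y.y
deny from all

# Allow access to wp-admin/admin-ajax.php, which some plugins call from the public side of the site.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>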

If you’re on Nginx, use the following code and replace x.x.x.x and y.y.y.y with your own IP addresses:

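# Nginx prefers a matching regex location (for example "location ~ \.php$") over the
# prefix locations below, so if your server block handles PHP that way, the allow/deny
# rules must also be present there or they will not apply to .php requests.
error_page  403  http://example.com/forbidden.html;
location /wp-admin {
  # Sample explicit deny for a single address; remove it if you don't need it.
  deny    192.168.1.1;
  allow   x.x.x.x;
  allow   y.y.y.y;
  deny    all;
}
# Keep admin-ajax.php reachable for plugins that call it from the public side of the site.
location /wp-admin/admin-ajax.php {
    allow all;
}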

Another method that will block access without the concern of being blocked if your IP changes would be to password protect your login page at the server level. This results in one more level of logging in, but is only a very minor inconvenience. You will want to start with generating a .htpasswd file and uploading it to your server; preferably not in a publicly accessible directory. Once you’ve generated that file and uploaded it to your server, and you’re using Apache, go ahead and add the following code to the .htaccess file in your wp-admin directory (or create the file if it doesn’t already exist). Make sure to update the path in the AuthUserFile line to match the location of the .htpasswd file you created.

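# Protect wp-login
# wp-login.php sits in the WordPress root directory, so this <Files> block only matches
# when the .htaccess holding it is in that directory or above it.
# Basic auth sends the password with every request, so serve the login page over HTTPS.
<Files wp-login.php>
AuthUserFile /path/to/your/.htpasswd
AuthName "Login Required"
AuthType Basic
require valid-user
</Files>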

If you’re using Nginx, you can use the following code in your configuration:

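# A regex location such as "location ~ \.php$" takes precedence over this prefix
# location, so the auth_basic lines must also be present wherever PHP is handled.
location /wp-login.php {
    auth_basic "Administrator Login";
    # A relative path is resolved against the Nginx configuration directory.
    auth_basic_user_file .htpasswd;
}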

If your host allows, you can pair this basic authentication method with fail2ban for Apache or Nginx and create rules where an abusive IP address gets added to your server’s firewall rules and is blocked for a specified period of time.
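The rule fail2ban applies here can be sketched offline. This is an added example, not code from the original post or from fail2ban: it counts failed requests to wp-login.php per client IP inside a sliding window and flags any IP that reaches the threshold. The log lines, the MAX_RETRY and FIND_TIME values and the status-code interpretation (401 from Basic auth, 200 on a POST meaning WordPress re-rendered the login form) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format, the default access-log layout for Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

MAX_RETRY = 5                      # assumed: failures tolerated per window
FIND_TIME = timedelta(minutes=10)  # assumed: length of the sliding window

# Constructed sample log (documentation-range IPs, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2014:01:00:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2014:01:30:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2014:02:00:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2014:02:30:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Nov/2014:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Nov/2014:03:14:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
this line is not a valid log entry
198.51.100.7 - - [12/Nov/2014:09:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2014:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2014:09:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path"), int(m.group("status")))


def is_failed_login(method, path, status):
    """Assumed failure signals for a request to wp-login.php."""
    if not path.split("?", 1)[0].endswith("/wp-login.php"):
        return False
    if status == 401:
        return True  # rejected by the server-level Basic auth layer
    # WordPress redirects (302) on success and re-renders the form (200) on failure.
    return method == "POST" and status == 200


def find_abusive_ips(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Map each IP that reaches max_retry failures within find_time to the
    timestamp of the request that crossed the threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    flagged = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        ip, ts, method, path, status = entry
        if ip in flagged or not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_abusive_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached {MAX_RETRY} failed logins at {when.isoformat()}")
```

The slow guesser at 192.0.2.10 stays under the threshold because its failures never share a window, which is the trade-off to weigh when choosing the window length and ban time.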

Plugin Options

Wordfence – This plugin serves as an additional firewall layer on your WordPress installation. There is an array of login security options available such as enforcing strong passwords and locking users out based on failed logins or the username they are attempting to use. For example, since you should never have “admin” as a username, you can add this to a list of usernames that will result in immediately blocking an IP address. This is frequently one of the first guesses hackers make in a brute force attempt and quickly shutting them out based on that simple rule is a good deterrent. Another handy feature is that you can suppress login errors to avoid tipping a hacker off as to whether or not a username is valid.

Login Lockdown – This is a plugin that can be added into WordPress which will block access to the site after a given number of failed login attempts.

So what’s wrong with your password?

Your password is lame

When we make passwords, we either make something that’s really easy to type, a common pattern, or things that remind us of the word password or the account that we’ve created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password. – Lorrie Faith Cranor

One solution is to use a longer pass phrase:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Here are some more common sense steps to further secure your password.

  1. Remove employee access to an application when an employee leaves.
  2. DO NOT write passwords down on paper.
  3. Don’t keep passwords in an unsecure spreadsheet or file folder.
  4. Use a pronounceable password, combining vowels and consonants to make something that flows off your tongue like “vadasabi”.
  5. Don’t use monkey, justin or love because they are among the most common words in the hacked password lists floating around the internet.

More Plugins = Less Security

It’s really tempting to say “is there a plugin for this?” Unfortunately, that mentality can quickly lead to trouble. Take for example the huge fiasco that happened because of “Rev Slider”. This plugin was included in a slew of very popular themes but had a security vulnerability that ended up causing over 100,000 sites to be hacked!

Over 100,000 sites were hacked due to a single plugin.

What was this plugin actually supposed to do? Build a freakin’ slideshow.

That’s not the only plugin to cause problems. WP Super Cache and W3TC both had major security issues that made them vulnerable to being hacked. Fortunately, those were updated quickly but not every plugin gets the attention and maintenance needed.

Here’s what you should do to limit your plugin vulnerability:

  • Eliminate un-used plugins and themes. There is no reason to open up your site to problems when you’re not even using them.
  • Don’t use a plugin when you can do it yourself. According to Brian LaFrance: A good way to approach choosing a plugin vs. writing code for functionality is that a plugin should be used if functionality needs to remain identical even if a theme/design changes. If functionality is set up to fit in with a specific theme, that should be something built into the theme and not through using a plugin.
  • Update RELIGIOUSLY. Monthly is not enough. The more stale your plugins, the more vulnerable you are to exploits targeted at older versions.

Extra Steps To Improve WordPress Security

Setup Google Alerts for spammy keywords related to gambling and medicine - Conrad O'Connell

Conrad O’Connell reminds us that you’re not always going to prevent forest fires, but seeing the smoke early can really make a difference.


 

Research the potential vulnerabilities of plugins BEFORE you install them

Doc Sheldon reminds us that a search in time saves nine. Know what you’re adding to your site before you download that nifty sounding plugin.


 

Use Cloudflare for a CDN and consider using SSL

Brian Alaway thinks you should consider SSL as well as a secure CDN.


 

Have a backup plan and store that backup somewhere else.

Brian Lafrance reminds you to hedge your bets. He recommends using https://wordpress.org/plugins/backwpup/ and having them dumped into Dropbox and Amazon S3.

What Say You? Have Some WordPress Security Tips?

If you have some worthwhile security advice please add it in the comments. I’ll go ahead and add it to the post in an image too.

 

Track Organic Landing Page Traffic on Your AuthorityLabs Dashboard

Starting today, if you have Now Provided reports set up for domains in your account, you will see a quick view of the number of organic landing pages from Google when visiting your dashboard. We all know that the goal of improved rankings is to drive organic traffic, so monitoring that traffic as easily as possible is key to your success. This data is available through Google Analytics but not in the easy to visualize format we’ve included on the dashboard. This data is pulled in daily to give you an up-to-date view of your organic search progress.


As you can see above, the example site has seen a dramatic increase in traffic to organic pages lately. The rank averages are reasonably flat, so there are likely some keyword opportunities being missed but are available through our Now Provided report.

All accounts will now include an “Organic Pages” column on the dashboard. If you would prefer to not see this data, you can turn the column off in your account settings. Enjoy this awesome new feature!

Robots.txt Guide For Humans


Did you know that you can control how Google ranks your site with a single line of text? It’s true!

Of course, that’s not the whole story. It would be more accurate to say you can control IF Google ranks your website AT ALL.

That’s right. You have a nuclear option to keep your site from being crawled by the “spidering” program called Googlebot that hops from website to website, following each link and communicating its findings back to the Indexation program. You can do this with the Robots.txt file, a simple text document hosted at the root of your site, which can be added by plugins like Yoast SEO to WordPress sites.

Robots Get Lost

That’s right, robots are easily confused by what may seem obvious to humans. Our ability to ignore chaos is legendary; if you need proof, just visit any teenager’s room or any men’s restroom. Your website may SEEM visually appealing and accessible, but it’s very likely that the way you have configured your site may give Googlebot a migraine, and accidentally trigger 1,000 pages to appear as part of your site when you really just have seven.

Avoiding Robots.txt Mistakes

The ability to direct Googlebot on how to crawl your site is powerful, and as pretty much every comic book reader can tell you, that power comes with its own measure of responsibility. Here’s a checklist of problems to avoid when you’re configuring your Robots.txt file. Some of them are simple and several get trickier as the size of your site and URL complexity increase.

Nuking Your Site By Accident

“If the client says it’s not disallowed, it still might be disallowed.” – Doc Sheldon

Did you check to see if the site crawl is being disallowed? This line looks like

Disallow: /

You’d think that people could avoid pressing “The Big Red Button” but it happens more often than it really should.

According to Alan Morte sometimes this happens because “the robots.txt file never gets changed from a development site (Why it’s not locked down, let alone on the web, I don’t know) that replaces a currently live site. In short, they disallow every page on their site with ‘*’ and drop goes the search rankings.”

Slowing Down Google’s Crawl Is Dumb

You may see this in older robots.txt files

Crawl-delay: 10

This crawl delay directive tells crawlers to spread their requests to your site out by a number of seconds. This is dumb. Partially because it’s only used by crawlers from Ask, Yandex and possibly Bing but not Google. Google Webmaster Tools has a crawl speed tuning function, but really it has its own programming to be the most efficient crawler so you should leave it up to Google anyways.

The “aside from all that” is that your site hosting should not be so overburdened by the piddling amount of requests these crawls represent. That’s an indicator of a crappy hosting situation that should be resolved.

Blocking The Wrong Things

Stop reading! Keep reading! Keep reading! Stop reading! 

This is what you’re doing when you include a URL in your site’s XML sitemap but have listed it in your Robots.txt file. Long story short: Don’t cross the streams.

The Dreaded Trailing Slash/

“Instead of blocking ‘/example’ (the intended page), they block the whole directory, /example/. Oh ho… your highest ranking category for your ecommerce site just dropped from search… DOHHH!” Alan Morte of Three Ventures

The Oops Index

“Someone[air quotes] removes the admin / login / core functionality pages from being disallowed for wordpress, drupal, or other CMS, and search engines index pages you don’t want indexed.” Alan Morte

What you SHOULD Block

 “I block the plugins directory [ like this: Disallow: /wp-content/plugins/ ] because some plugin developers have the annoying habit of adding index.php files to their plugin directories that link back to their websites.” Joost de Valk

Wildcard Parameters

Disallow: *?

These wildcard parameters can be powerful, so use them carefully.

Wildcards can be a lifesaver to disallow a few directories deep. Always disallow secure/back end pages just in case. Tanner Petroff of Fit Marketing

Panda 4.0 Dropped Traffic to sites blocking CSS & Template via Robots.txt

If you’re not allowing Google to crawl elements that are part of your site’s design and template then you may be getting a penalty from the Panda algorithm.

“We recommend making sure Googlebot can access any embedded resource that meaningfully contributes to your site’s visible content or its layout. Make sure your css/js resources are crawlable. Use the fetch as Google to make sure they are rendering and remember to prioritize the solid server performance.” – Maile Ohye

Double Bag It: No Index/No Follow

“[The] disallow is…dumb. I prefer to double up with meta no index/no follow on pages/directories I’m serious about.” Tanner Petroff
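The checklist above can be run as a small linter. This is an added example, not code from the original post: it parses a robots.txt, applies longest-match rules with `*` and `$` wildcards, and reports a site-wide block, a crawl delay, and sitemap URLs that the file also disallows. The sample files, the example.com URLs and the finding names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs: a robots.txt using patterns quoted in the post, sitemap
# URLs for a hypothetical example.com, and a leftover staging file.
SAMPLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
Disallow: /wp-admin/
Disallow: /wp-content/plugins/
Disallow: /example/
Disallow: *?
"""
SAMPLE_SITEMAP_URLS = [
    "https://example.com/",
    "https://example.com/example",
    "https://example.com/example/red-shoes",
    "https://example.com/blog/?p=12",
]
STAGING_ROBOTS = "User-agent: *\nDisallow: /\n"


def parse_robots(text):
    """Return (groups, crawl_delay): groups maps a lower-cased user-agent to
    its list of (directive, pattern) rules; crawl_delay is the value or None."""
    groups, agents, in_rules, crawl_delay = {}, [], False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a user-agent line after rules starts a new group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            for agent in agents:
                groups[agent].append((field, value))
        elif field == "crawl-delay":
            in_rules = True
            crawl_delay = value
    return groups, crawl_delay


def pattern_to_regex(pattern):
    """Translate a robots.txt path pattern: '*' is any run, trailing '$' anchors."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(piece) for piece in body.split("*"))
    return re.compile(regex + ("$" if anchored else ""))


def is_allowed(rules, path):
    """Longest matching pattern wins; on a tie Allow beats Disallow.
    An empty pattern ("Disallow:") matches nothing."""
    best = (-1, True)  # (pattern length, allowed)
    for directive, pattern in rules:
        if pattern and pattern_to_regex(pattern).match(path):
            best = max(best, (len(pattern), directive == "allow"))
    return best[1]


def lint(robots_txt, sitemap_urls=(), agent="*"):
    """Return a list of (finding, detail) tuples for the mistakes listed above."""
    groups, crawl_delay = parse_robots(robots_txt)
    agent = agent.lower()
    rules = groups[agent] if agent in groups else groups.get("*", [])
    findings = []
    if not is_allowed(rules, "/"):
        findings.append(("site-blocked", "/"))
    if crawl_delay is not None:
        findings.append(("crawl-delay", crawl_delay))
    for url in sitemap_urls:
        parts = urlsplit(url)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        if not is_allowed(rules, path):
            findings.append(("sitemap-url-blocked", url))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ROBOTS, SAMPLE_SITEMAP_URLS):
        print(finding)
    print(lint(STAGING_ROBOTS))
```

Rules are prefix matches, so `Disallow: /example/` leaves the page `/example` crawlable but blocks everything beneath it, while `Disallow: /example` would also catch unrelated paths such as `/examples-of-work`.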

What Else Can You Do With Your Robots.Txt File?


Hurt People’s Feelings

# IF YOU READ THIS THEN YOU ARE CLEARLY BORED
# AND A BIG FAT NERD

User-Agent: *
Disallow: 
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/themes/

Sitemap: http://www.techchuff.com/sitemap.xml
http://techchuff.com/robots.txt Ouch man…Ouch.

Protect The Human Race With Robots.txt

http://yelp.com/robots.txt

# As always, Asimov's Three Laws are in effect:
# 1. A robot may not injure a human being or, through inaction, allow a human
#    being to come to harm.
# 2. A robot must obey orders given it by human beings except where such
#    orders would conflict with the First Law.
# 3. A robot must protect its own existence as long as such protection does
#    not conflict with the First or Second Law.

User-Agent: Googlebot

http://www.last.fm/robots.txt

Disallow: /harming/humans
Disallow: /ignoring/human/orders
Disallow: /harm/to/self

Allow: /

http://www.google.com/killer-robots.txt

User-Agent: T-1000
User-Agent: T-800
Disallow: /+LarryPage
Disallow: /+SergeyBrin

Order A Cup of Coffee with Robots.txt

http://www.starbucks.co.uk/robots.txt

#A guy walks into Starbucks and orders a Double Ristretto Venti Half-Soy Nonfat Decaf Organic Chocolate Brownie Iced Vanilla Double-Shot Gingerbread Frappuccino Extra Hot With Foam Whipped Cream Upside Down Double Blended, One Sweet'N Low and One Nutrasweet, and Ice.
User-agent: *

Sitemap: http://www.starbucks.co.uk/sitemap/NavigationSitemap.ashx
Sitemap: http://www.starbucks.co.uk/sitemap/VideoSitemap.ashx

Hire A SEO via Robots.txt

 Seems like it’s a good place to recruit some curious SEO talent.
http://www.tripadvisor.com/robots.txt
# Hi there,
#
# If you're sniffing around this file, and you're not a robot, we're looking to meet curious folks such as yourself.
#
# Think you have what it takes to join the best white-hat SEO growth hackers on the planet?
#
# Run - don't crawl - to apply to join TripAdvisor's elite SEO team
#
# Email seoRockstar@tripadvisor.com
#
# Or visit https://tripadvisor.taleo.net/careersection/2/jobdetail.ftl?job=41102

Make Art With Your Robots.txt


Robots.txt A Self Portrait by Malcolm Coles – http://www.malcolmcoles.co.uk/robots.txt


Well Keyboard cat at http://sharkseo.com/robots.txt – play us out!

User-Agent: Contributors
Allow /thanks
https://twitter.com/NChimonas Nicolas Chimonas
http://www.boom-online.co.uk/ @wayneb77 Wayne Barker
http://ghergich.com @SEO A.J Ghergich
http://www.tannerpetroff.com/ @TannerPetroff Tanner Petroff

Hacked and Completely Unaware

I just got back from a trip to sunny Southern California where I was staying just a few blocks away from the magic of Disneyland at an Air BnB.

That’s where I met Doug Kroll, a chiropractor from Hawaii and naturally, because I am a huge SEO nerd, we started talking about websites. He told me about his property management site and how it needed some work, so I started poking around looking at his site.

A lot more under the surface (Finding Nemo ride at Disneyland)

Like the Finding Nemo ride I would take my daughter on the next day, there was a LOT more under the surface.

The Power Of the Site: Query

Since one of the first steps I always take in my site audits is to see what Google knows about a site, I ran a site:http://url query. (Just type site: and then your full URL.) This lets me see fairly quickly if all the pages are properly getting indexed.

Doug’s Lexington rental property site had just 7 total pages. So when Google showed me this, my heart leapt into my throat.


Site:mcgregorrentals.com

 

While those first few pages look fine, there’s just 7 URLs. Is there some weird tag issue going on here? I click to page 4.


Those are some nasty URLs

Uh oh. Mission control, we have a problem.


Where URLs were redirecting

It’s Official: The Site Has Been Hacked

I did a couple Google searches around the domains being referenced and redirected. I found several articles about WordPress script inject and htaccess redirect hacks. Bingo. That just about fits the bill.

Digging Deeper

Once I told Doug about the problem, I had him update all his credentials and run an antivirus scan on his laptop. Then my second step was to login to Google Webmaster Tools, once Doug gave me access as a user.


Here’s the index climbing higher and higher from bogus pages.

It looks like the hack occurred around 10/24, based on the increasing number of those bad URLs being indexed from that date onward.


The Good News: Search Traffic was not yet impacted

However, it looks like Google has not yet sent any messages, added a malware warning or penalized the site’s indexation, ranking, or traffic for their brand.


Well…It does look like Google does see the content though

Well, Google definitely is seeing the spam content keywords, so that’s not good. Isn’t it interesting that this level of spam injected into a site is not causing a penalty, at least not an obvious one yet?

Let’s Clean This Up!

Since the injection involved the HTACCESS file, and the site was so small I suggested to Doug that we just scrap the whole site instead of try to dig out all of the bad files. With his consent, I called up the hosting company and killed it with fire and started a brand new WordPress site on a fresh server.

That’s about where I am in the process. I got permission from Doug to post about the hack, and thought I’d put out an open line for suggestions since the next step is dealing with the aftermath. Here are my first thoughts on next steps:

  • Already had client update his email UN/PW, Hosting UN/PW and run a malware check and antivirus scan on his laptop.
  • Add a 410 for the /script/ urls.
  • Mark those now 500 Errors in Google Webmaster tools as fixed.
  • Add in an extra WordPress security plugin – (Thinking about Sucuri).

What do you think? Have you dealt with a hacked site of your own or for a client recently? What would you do next?

Social Media Management Tips for Conferences


Running social for a conference is a TON of work, and the stakes are high. How a conference’s social team interacts with attendees can have a huge impact on their experience and memories of the event. A lot of planning is necessary and there are things you can do to make the process easier for both you and attendees.

I am going to break down some steps you can take if you are running social for a conference or an event that will include social interaction.

Before the Conference

There is a ton of social media prep work needed before a conference begins, and even before you start advertising for it. You essentially need to train your attendees, and potential attendees, on where and how to interact with you. You also have to make sure you provide them with lots of helpful information, and this means you have a lot of data to gather and schedules to create.

Choose a Social Media Platform

You need your conference attendees to use one platform for communications and checking for updates. Plus, for your own sanity’s sake one platform is a good thing. There are going to be issues that arise and you do not want to be focusing on 3-4 networks at a time. I am just going to recommend Twitter because I have personally managed Twitter accounts for conferences and it is easy to use, schedule shares, track and monitor during a conference.

Notify Your Audience

Make it clear which social platform you will be using in the months before the conference. Mention it in newsletters and marketing; let people know how to find you if they need something long before the conference begins.

Hashtag Creation

There needs to be an easy-to-remember hashtag for people to use. It shouldn’t be too long or deviate too much from the title of the conference. You need people to remember it and use it.

Start using the hashtag in marketing before you sell tickets. Basically you want to start grooming people to remember, or at least recognize, the hashtag. It should be included in all emails, marketing and ticket sales. You should also be requesting that speakers and attendees use this hashtag often.

This hashtag will help your social manager monitor needs and handle questions before and during the conference; it is best to get everyone using the hashtag as early as possible.

Tweet Planning & Blogging

You can eliminate a lot of the same questions during a conference by educating your attendees ahead of time. I have seen as many as 500 tweets every 3 minutes during conferences and it is not easy to sift through all the tweets to answer questions.

Trust me when I say that you want to provide people with the information they do not even know they need before the conference begins.

Here is a list of tweets you can share ahead of time:

  • Conference times – Registration, keynotes, breakfast and end of day. Create a blog post and tweet it. People can save it or save the blog post.
  • Buses / shuttles – When do they start running and when do they stop, for each day? This is another blog post!
  • Items needed – What will people regret not having? At PubCon Vegas the number one thing people recommend is a sweater because the convention center is so cold, and yes this has been blogged about. Every year you will see new attendees tweet about how cold it is and how thankful they are that they have a way to keep warm. Help new attendees bring whatever will enhance their conference experience – money, power cords, drinks, a jacket, backpack, etc. #blogit
  • Important events – Let people decide the weeks before the conference which events they want to attend – educate them on their options. Breakfasts, keynotes, lunches, after parties, etc. (Yes, another blog post.)
  • Survival Tips – What do people need to know about getting to the conference, the hotel, restaurants, airports etc? Give attendees as much information as you can to make their experience better.
  • Who is Speaking? – Let attendees and potential attendees know who is speaking and what they will be speaking about. It is really great to include a URL with more information on these sessions as well.

IMPORTANT – If attendees have a less stressful conference because of the details you provide, the overall memories of the conference will be more positive. Those positive feelings increase the odds of them returning!

Choose Social Tools

Long before a conference begins your team needs to test social tools that could make your life easier. Just a couple of things to consider:

  • How will you schedule tweets? Will your tool allow you to easily change the schedule or cancel it in an emergency?
  • Will you have complete access via mobile?
  • How will you monitor tweets to both the conference handle and those including the conference hashtag?
  • How will you keep a record of important tweets?
  • Which tool will allow multiple people to use it simultaneously?

Think about what your needs are and find tools that will enhance your ability to do your job. I personally like Buffer for scheduling.

Crisis Management Planning

Things go wrong. This is just a part of life, but if you have plans in place a crisis can end fast. Before the conference your team needs to brainstorm about all the things that could go wrong and things that have gone wrong in the past.

Create a plan on how you will handle each situation and make sure everyone working at the conference is aware of the plan. The best way to handle a conference crisis is to have plans in place.

Examples:

  • Who will the team contact for each situation? Who is assigned to specific situations?
  • How are things fixed? What tools, programs, rooms, etc. do team members need access to?
  • How will team members get access to the things they need?
  • When – how long will fixes take and who will notify the social team to notify attendees?
  • How will the social team handle inappropriate tweets or behavior?
  • How will on-site emergencies be handled?

During the Conference

I handled social for one conference and the plan was 8 hours of work a day. What I discovered was that 8 hours was nowhere close to enough. I scheduled tweets for the early morning and late evening hours, but soon realized I had to be around to answer questions that resulted from the tweets. Instead of working 8am-5pm it was more like 6:30am-12am. Attendees would be tweeting questions from the bar at 11:30pm. It would have been impossible to handle/monitor social while also attending the conference.

Plan to work long hours and be very tired, but you can make things easier for yourself. I have a few tips I hope will help.

Be Ready To Answer All Questions

Conference attendees will reach out to the conference for answers for a crazy range of questions. You need to be prepared to answer as many as you can and find answers when you don’t have one.

Things I have on hand when conferences start:

  • A list of times for every session and conference event.
  • All times/dates for shuttles, eating times and free drinks.
  • The Twitter handle for every speaker at the event.
  • Links to as many speakers’ Slideshare accounts as possible.
  • A list of conference events and businesses in the expo locations.
  • List of after parties and locations/addresses for parties.
  • Phone numbers for conference employees needed for emergencies and other issues.
  • Important after-conference dates – when will Slideshares, videos, etc. be available.
  • Contact info for taxi companies.

Things to Share

Pretend you are the attendee of the conference; what would you need to know? You need to plan on sharing information that the attendee needs. Also, keep in mind that with traveling, late nights, meeting new people and attending the conference people can’t remember everything. Help them as much as possible.

  • Remind people of shuttle times in the morning, afternoon and the following day’s shuttle times. Make sure they can get to and from the hotel.
  • Share info about lunch.
  • Remind people about special events at the conference – keynotes, expo events, book signings etc.
  • What items will be needed?
  • If your conference has one track then it is okay to share the beginning of each session. If you have multiple tracks sharing each session will get too confusing for people.
  • If there are traffic issues or anything that could delay people from getting to the conference on time share the info early with them.

Things to Monitor

If you are monitoring social during a conference there are quite a few things you need to look for and be prepared to handle.

Conference Problems

If computers, projectors or wifi is not working in a particular session/room you need to be able to reach out to someone quickly to get it fixed. Above I mentioned having phone numbers on hand and you will need them when something isn’t working. <- It happens.

People tend to tweet when there is a problem and if you have some strategies in place for how each problem will be handled then problems can be fixed quickly.

Also, be understanding with frustration from attendees when something goes wrong. Remember, they paid to be there and you want them to pay to come back. Be kind and validate their feelings.

Inappropriate Tweets

This is where things really need to be handled delicately. Not everyone will agree with speakers and not everyone will like every speaker. In fact, some people are just not happy ever. If you are managing social for a business or an event you have to be prepared to interact with unhappy folks in a way that validates their feelings and also protects whoever you are working for.

If you see someone attacking a speaker you need to try and encourage the person to talk to one of the conference employees about their thoughts, talk to you via phone/email and/or try to encourage them to not say things that could hurt the feelings of others. Believe it or not, when you approach things with kindness and discuss the feelings of others people tend to back down.

However, there will always be those that won’t stop. Offer to communicate via DM, email or phone. Get them out of the public eye as fast as possible by telling them you are really interested in their feedback and would like to speak with them personally. You will need to take notes and pass this info on to conference administrators.

Sessions/Speakers

If there is a lot of positive or negative about a particular session or speaker you want to keep notes on it. A lot of positive feedback on a speaker means the conference will want them back; make note of it. If there is a lot of negative feedback you need to contact conference administrators so they can address it and/or be prepared for complaints.

Tweets to Keep

You want to keep a record of tweets so when the conference is over you can review them and see what was done right, what was done wrong, what conference administrators missed and who your evangelists are. I create a spreadsheet with the tweet’s URL, the comment and the handle. I place them in different categories. Keep in mind that you can use some of these tweets for marketing later.

What I Keep a Record Of:

  • Humor – These are the best tweets and can be used in a hundred different ways.
  • Complaints – All of these need to be reviewed with your team after the conference and many will need to be addressed with the conference attendee that complained.
  • Positive Feedback – It is always great at the end of a conference to read the positives and make sure you keep the appreciated strategies, speakers and events for the next conference.
  • Problems – Wifi problems, computer problems, behavior problems, temperature problems – what could be improved for your next conference?
  • Images – The images that attendees share during the conference and in night-time hours are really fantastic. They can give conference throwers a ton of insight and ideas for better future conferences (Before you use an image reach out and ask for permission first, and credit them for the usage).
  • Mistakes Made – Any mistakes made by the conference, the social team or mistakes in published information – these need to be reviewed later.

Retweet!

If you see a really nice or funny tweet I recommend you retweet it. People like to see that someone appreciated their tweet enough to share it, especially the conference itself. Remember, a positive experience and memories can result in great blog posts later and re-attendance.

After the Conference

Relax

As the conference is coming to a close I think it is always wise to reach out to those that have been super positive, funny and/or supportive and thank them for their involvement. You can do this on Twitter, via email and/or with a thank you gift.

Conference administrators need to sit down with the social team as soon as possible and review the feedback received. It is better to reach out to people that are upset and address any issues before the person gets home and blogs about why they are upset.

Positive feedback and humorous tweets are a great way to end the conference for everyone. For those that worked to throw the conference the positive and funny information can make them feel like all their hard work was worthwhile. You can also create recap posts for attendees and closer to the next conference you can retweet the great stuff to show people why they should attend.

Lastly, when the next conference is coming up all the data you have saved is a great review to help everyone know what they want to repeat and what they need to avoid. To conference administrators, when the conference is over give your social team a pat on the back. It is truly exhausting work.

Google Analytics Audit – Conversions, Goals & Ecommerce

This is part 2 of my Google Analytics Audit. The first part focused on the code and settings in Analytics. I thought the topic area of conversions and conversion metrics should have its own in-depth review, so I got in touch with a couple of experts to help give us some helpful perspectives on the topic. So let’s get started!

Events: Things Worthy Of Awareness

Nuclear bomb being dropped? Important event.

Yea. That was important.

Don’t overuse events – they have limits and can also wrongly be used to track things which are already tracked in Analytics. However, Events should be used to track specific actions that are part of campaigns or can otherwise help identify valuable conversions.

Leveraging Ecommerce Data

Mike Arnesen of Swellpath has some great insights on how to leverage this data that’s sometimes left “on the table”:

In auditing your analytics, it’s important to look beyond the basics. Ensuring correct implementation of the core analytics tracking code, turning on demographics data, and setting up event tagging/firing are all great essentials, but what other opportunities are there for your site? If you haven’t taken a good deep look into Google’s Enhanced Ecommerce features, you’re really missing out. The name is a bit of a misnomer, because this incredible feature set isn’t exclusively for Ecommerce sites; it can be applied to virtually any type of business (but that’s a whole post unto itself).

What Enhanced Ecom gives you is better insight into the customer journey towards that ultimate conversion event, the purchase. You can even identify specific segments of customers based off of where they dropped out of the funnel. Similar to paid campaigns, you can also track product impressions on category pages and tout/carousel/CTA impressions on your homepage and see CTR inside of GA for your own site. That data can then allow you to optimize your virtual merchandising!

Other great features of Enhanced Ecommerce include being able to track affiliate codes more effectively, see your own coupon code data in your GA reports (see how coupon codes influence revenue generation), and drill down into product attribution. You can even track how many times specific products were added to or removed from your Cart.

Overall, Enhanced Ecommerce is a huge opportunity to level up your analytics and get some serious insights about your customers and their journey.

Having A Goal In Mind


I had a goal of using this vintage mugshot in my next blog post, success!

It’s surprising just how often I have opened up analytics on a client’s site and found no goals. The ultimate sin. If you’re investing any time and effort into building a digital presence, then you should definitely have your fingers on the pulse of your website.

  • Take a soul searching afternoon or hold a meeting to determine what conversions look like for your business and then match that to the data you can get from your website. Most often conversions are actual sales or leads that turn into sales. If you’re driving PPC traffic to something, then you definitely should have a goal configured.
  • Beware of forms that don’t send users to the next page. You will have to configure an event for the form submission and set that as a goal vs. the usual process of making a destination URL the linchpin of the goal. The other option would be to change that form type and have it send that traffic to a trackable destination page!
  • If at all possible, add in a goal value so you can use the “Page value” metric.

Connecting Goals To Conversions

Michael Mcdougald, the Internet Marketing Director of Commercial Door & Frame Distributors, has a lot of input on not just looking at goals but thinking strategically about Conversions:

With each conversion, it’s important to know where it came from, what they did within the process and what the value of that conversion is to your organization. Then this information should guide strategic changes to increase the conversion rate. Here are two key areas to improve your analytics.

Funnel Tracking
Many conversions don’t happen immediately, but instead require multiple steps, leaving room for a user to start, but not finish a conversion path. By tracking each step as a sequence, a webmaster can gain insight as to where a user stops engaging the website, and try experimenting to fix this.

For example, a purchase may happen over several pages from cart, to shipping, to the credit card page. A survey will have a page for each question. Each of these steps is a potential fall off point for a user to leave before finishing. What if you knew that 50% of users left the survey after being asked their household income? Maybe you could then reword the question or add an option to leave it blank.

Conversion Value & Lifetime Value

One of the mistakes most marketers make when comparing their conversion rate to their PPC or marketing costs is simply looking at their “cost per lead.” While it’s helpful to know this metric, it can sometimes lead to making bad business decisions if you first don’t understand what a customer is worth to your organization. While in some instances a customer may only buy once, many companies will often gain repeat business from the same customer. If at all possible, it is best to compare your cost/conversion against the lifetime value of a customer. By assuming a conversion is a one time event, you might find yourself missing opportunities to gain more loyal higher value customers. Especially when a customer “lifetime” can be anywhere from several months, to as long as 30 years.

Let’s compare two scenarios:

1. Single Lead Customer View

Assuming one in four leads yields a single customer making one $100 purchase yielding a $40 profit, but costs $15 for each lead, one might assume a loss of $20 per sale.

2. Lifetime Value Customer View

Assuming again that one in four leads yields a single customer making an initial $100 purchase yielding a $40 profit, but costs $15 per lead, the cost for the initial customer was $60. But in this case the customer repeated that purchase each month for a year. That customer then brought a $420 profit.

By considering the lifetime value of a customer, marketers can then work to create new long term customers and not simply drive one time sales. Happy repeat customers are not only more likely to make larger and more frequent purchases, they are also good for the business reputation often leading to valuable referrals.

Since calculating the lifetime value can be tricky, here’s a great link from KissMetrics explaining how to do it using Starbucks as a case study: https://blog.kissmetrics.com/how-to-calculate-lifetime-value/

Here’s how to set up both a funnel and assign a conversion value. Under the admin panel, go to the “goals” section. There you’ll find the ability to turn on goal “value” and also turn on “funnels.”
This value should be carefully considered based on the conversion type. In our example the potential value of each lead would be 1/4 the lifetime value, or $105. Next set up the funnel by clearly naming each step for reference later and add the URL for each step in the process. Use names like “Credit Card Page” or “Household Income” rather than “Step 2” or other potentially confusing labels.

After the conversions have been tracked over a few days, take a look at “funnels” in the conversions tab and you will be able to see step by step where customers are falling off.

Hopefully this second piece of the audit will help you get the most out of Google Analytics. What other areas of analytics do you struggle with managing? Let me know in the comments!