Performing Keyword Research

Google only loves you when everyone else does.

I forget who said it, but it’s true: Google takes notice when everyone starts to love you. SEO has been around ever since search engine results pages (SERPs) started getting more and more competitive. And as the world wide web continues to scale, I imagine results from your SEO efforts will become harder and harder to recognize. The reason I’m interested in SEO is because it’s kind of like a game of chess. It doesn’t matter how much money you throw at it or how much you sweet-talk it, good SEO is a long and strategic game. And good SEO implementation always starts with one thing — research. Specifically, keyword research.

Keyword research is the foundation of any good SEO campaign. Now for those of you new to the tech world and SEO, it stands for Search Engine Optimization: the set of strategies, techniques, and tactics used to increase the number of visitors to your website by earning a high-ranking placement on a search engine results page (SERP). You don’t have to be born of royal blood to have good SEO, you don’t need to be the daughter of a hip-hop mogul; you just need to outsmart the competition.

Search terms to search for…

To start, you’ll want to have a keyword in mind. A keyword that you’ll want your website or your web page/post to rank for. Let’s start with an easy example:

My father blogs about wine at TheWitIsOut.com and he wants to rank for terms like “red wine” and “best wine” — the only issue is that these search terms are extremely hard to rank for. Why? Because they are considered ‘head’ terms: the most frequently searched terms, which usually carry steep competition. Head terms can also be ambiguous and less relevant than more specific terms. When deciding what keywords you’d like your site to rank for, you want to look at three attributes:

  1. Relevance: the keyword needs to accurately reflect the nature of your product, services, or offerings
  2. Volume: the number of searches per month for a particular keyword
  3. Competition: the number of websites or web pages competing for a particular keyword or search term

Ideally, you’d like to find a keyword or search term that has a high number of searches (volume) and a low number of competing websites (competition), and is highly pertinent to your offering (relevance) — if we can just find that keyword, we’ll be all set – LOL!

Tools for searching for search terms…

Although SEO can be a bit of trial and error because search engines (and their algorithms) constantly change, Google does offer some really useful tools to aid in our keyword research. Remember earlier when I talked about head terms, the most frequently searched terms, like ‘red wine,’ ‘car’ and ‘Mac’? There are also long-tail terms: longer, more specific phrases that carry less volume but also less competition. Those are the terms we’ll be looking at.

Head vs. Long-tail

  • ‘red wine’ —— ‘2003 red wine cabernet’
  • ‘car’ —— ‘2013 Hyundai Accent’
  • ‘Mac’ —— ‘used MacBook Pro’

Just a few examples, but we can test all of them for volume and competition with a little tool called the Keyword Planner. Now, you’ll need to sign up for a Google AdWords account, but don’t fret, you don’t have to spend any money if you don’t want to. What we’re interested in are the tools.

The Keyword Planner will ask you where you’d like to start, and just click on the “search for new keywords” which will pop open a form that looks like this:

Keyword Planner

Now, if you’ll notice at the top you can enter in certain phrases or keywords. You can also select a product category. Or target a certain region or state or city, and you can change filters to show only closely related keywords or broadly related keywords. Let’s type in ‘red wine’ and see what comes back.

Red Wine Keyword Results

As you can see, the average monthly search volume is about 110k. In the graph, December is the month with the most searches (most likely because of the holiday season), and surprisingly the competition is only medium right now, not high! So, that’s interesting. It also gives us a number of other keyword ideas that could help in our SEO efforts.

Research Ideas

The Keyword Planner suggests different keywords for us. Look at the first one in the list, ‘best red wine’: it has a lot of volume (which is good), but it also has a boatload of competition (which is not so good!). Now go down to ‘types of red wine’: the volume is also pretty high at 12k average monthly searches, but the competition is pretty low. You can download this list into an Excel or Google sheet to get the actual numbers behind those high/medium/low labels. Let’s do that.

Keyword Research Spreadsheet

As you can see, we get a complete list of recommended search terms with actual numbers for their competition, not just a level of high, medium, or low. Now if we look at ‘types of red wine’ we’ll see that the average monthly searches is still 12k, but the competition is .04 – that’s super low! Super low! So, before you go and use this as your keyword, you have to put yourself in the shoes of your user (or the searcher). Would this search term be good for my dad to use on his blog? I’m not quite sure yet. I always get a little wary when a search term seems relevant and has a high number of searches (volume), but the competition is really low. So let’s dive deeper.

My dad blogs about wine; wineries, vintage wine, wine reviews, wine ratings and the like. His ideal visitor is someone who is interested in wine and wants to get good recommendations, but also someone who is just starting to get interested in wine—the novice wine taster. If you put yourself in the shoes of the person searching for ‘types of red wine’ what do you think they are looking for? Probably types of red wine – lol! But the issue is this — we don’t know their intent. Maybe they are searching for types of red wine because they want to buy some, or maybe they just want to learn what types of red wine are out there. If you look at the next search term down ‘benefits of red wine’ – it’s the same thing (high volume, low competition) but my guess is that people searching for that term are concerned about the dietary or health aspects of wine. But still, it could be a good term to try and rank for if you have a wine blog. Either way, I think both of those would be good for my father’s site.

Another tool you can use is Google Trends. Google Trends shows relative interest in a search term over time (an index, not a raw search count), breaks that interest down by region, and lets you compare terms against each other. One thing I like to do is compare singular vs. plural. In the example ‘types of red wine’ we can see whether the keyword phrase ‘type of red wine’ is searched more often. Let’s take a look:

Google Trend Comparison

As we can see, ‘types of red wine’ is searched more often than ‘type of red wine’ — so I think it’s safe to say that we can go with ‘types of red wine’ as our keyword phrase.
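The three-attribute screen above (relevance, volume, competition) is easy to run over the downloaded planner numbers once they are in a file. The script below is an added example, not part of the original post and not a Google tool. The CSV is constructed in the shape of a Keyword Planner export, the figures are illustrative (only the 12k / .04 pair for ‘types of red wine’ matches what the post reports), the topic terms and thresholds are my assumptions, and the relevance score is a crude proxy I chose because the planner gives you no relevance column; you still have to apply the intent check by hand.

```python
import csv
import io

# Constructed sample in the shape of a Keyword Planner export
# (keyword, average monthly searches, competition on a 0.0-1.0 scale).
# Figures are illustrative, not real planner data.
SAMPLE_EXPORT = """keyword,avg_monthly_searches,competition
red wine,110000,0.55
best red wine,40500,0.92
types of red wine,12100,0.04
benefits of red wine,9900,0.07
red wine glasses,8100,0.88
"""


def load_keywords(csv_text):
    """Parse the export into rows with typed volume and competition."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "keyword": row["keyword"].strip(),
            "volume": int(row["avg_monthly_searches"]),
            "competition": float(row["competition"]),
        })
    return rows


def relevance(keyword, topic_terms):
    """Crude relevance proxy (an assumption for this example, not a
    planner field): the fraction of the site's topic terms that appear
    in the phrase."""
    words = set(keyword.lower().split())
    hits = sum(1 for term in topic_terms if term.lower() in words)
    return hits / len(topic_terms)


def shortlist(rows, topic_terms, min_volume=1000, max_competition=0.30,
              min_relevance=0.5):
    """Keep phrases that clear all three bars, ranked by volume per unit
    of competition. The small epsilon keeps a 0.0 competition value from
    dividing by zero."""
    picks = []
    for row in rows:
        rel = relevance(row["keyword"], topic_terms)
        if (row["volume"] >= min_volume
                and row["competition"] <= max_competition
                and rel >= min_relevance):
            picks.append({**row, "relevance": rel})
    picks.sort(key=lambda r: r["volume"] / (r["competition"] + 0.01),
               reverse=True)
    return picks


if __name__ == "__main__":
    for pick in shortlist(load_keywords(SAMPLE_EXPORT), ["red", "wine"]):
        print(f'{pick["keyword"]:<22} vol={pick["volume"]:>6} '
              f'comp={pick["competition"]:.2f} rel={pick["relevance"]:.1f}')
```

With the sample data and a competition ceiling of 0.30, only ‘types of red wine’ and ‘benefits of red wine’ survive, which is the same pair the spreadsheet walk-through arrived at; raise the ceiling and the head terms come back in, still ranked below them.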

Keyword distribution…

You’ll want to distribute your keywords appropriately across your website and the easiest way to do that is in a spreadsheet. Ugh, not another spreadsheet! Yup! Map out your entire site and list these categories:

  • Pages
  • Keywords
  • URLs
  • Titles (preferably under 65 characters)
  • Meta-descriptions (short enough to avoid truncation in the results snippet; around 155 characters is the usual guidance) – these don’t do much for ranking anymore, but they help your click-through rate, and keeping them short means the search engine won’t cut off the text the user sees
  • H1’s (the biggest header on your page or post)

You can populate a spreadsheet with your existing content, this’ll make it easy to spot duplicates. Search engines want unique and relevant information. Unique and relevant…
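Once the map exists, the checks the spreadsheet is meant to support (duplicate keywords, titles and descriptions that will be truncated, H1s that don’t carry the page’s keyword) can be automated. The example below is added here and is not from the original post. The rows are a constructed keyword map in the shape described above; the 65-character title limit is the post’s, the 155-character description limit is my assumption based on common snippet-length guidance.

```python
# Constructed keyword map in the shape of the spreadsheet described above.
# Pages, keywords, titles and descriptions are made up for the example.
KEYWORD_MAP = [
    {"page": "Home", "keyword": "wine blog", "url": "/",
     "title": "The Wit Is Out | Wine Reviews and Recommendations",
     "meta": "Wine reviews, ratings and recommendations for the novice taster.",
     "h1": "The Wit Is Out: a wine blog"},
    {"page": "Types of Red Wine", "keyword": "types of red wine",
     "url": "/types-of-red-wine/",
     "title": "Types of Red Wine: A Beginner's Guide | The Wit Is Out",
     "meta": "A plain-English guide to the main types of red wine and what to expect from each.",
     "h1": "Types of Red Wine"},
    {"page": "Benefits of Red Wine", "keyword": "benefits of red wine",
     "url": "/red-wine-benefits/",
     "title": "Benefits of Red Wine | The Wit Is Out",
     "meta": ("Red wine has been credited with everything from heart health to "
              "longevity. We look at what the research actually says about "
              "moderate consumption, the compounds involved, and how much is too much."),
     "h1": "Benefits of Red Wine"},
    # Same keyword as the page above, with different casing: a duplicate.
    {"page": "Red Wine Varieties", "keyword": "Types of Red Wine",
     "url": "/red-wine-types/",
     "title": "Types of Red Wine Explained: Cabernet, Merlot, Pinot Noir, Syrah and More | The Wit Is Out",
     "meta": "The major red wine types at a glance.",
     "h1": "Red Wine Varieties"},
]

TITLE_MAX = 65   # the post's title limit
META_MAX = 155   # assumed snippet-length guidance for descriptions


def audit_keyword_map(rows, title_max=TITLE_MAX, meta_max=META_MAX):
    """Return (url, issue) pairs in page order: keywords targeted by more
    than one page, titles and descriptions likely to be truncated, and H1s
    that do not contain the page's keyword."""
    issues = []
    first_page_for = {}  # normalised keyword -> url that claimed it first
    for row in rows:
        url = row["url"]
        keyword = " ".join(row["keyword"].lower().split())
        if keyword in first_page_for:
            issues.append((url, "duplicate-keyword"))
        else:
            first_page_for[keyword] = url
        if len(row["title"]) > title_max:
            issues.append((url, "title-too-long"))
        if len(row["meta"]) > meta_max:
            issues.append((url, "meta-too-long"))
        if keyword not in row["h1"].lower():
            issues.append((url, "keyword-missing-from-h1"))
    return issues


if __name__ == "__main__":
    for url, issue in audit_keyword_map(KEYWORD_MAP):
        print(f"{url:<24} {issue}")
```

Keywords are normalised (case and whitespace) before comparison, so ‘Types of Red Wine’ and ‘types of red wine’ are caught as the same target; two pages chasing one phrase split the relevance signal you are trying to concentrate.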

Things to remember with keyword research…

Remember, you have to look at the keyword attributes of relevance, volume, and competition. Relevant keywords are much more likely to drive conversions on your site than ones that are only broadly related. Volume is the average number of monthly searches, and you can find it with the Google AdWords Keyword Planner, along with the competition, which reflects how many other sites are trying to rank for the same keyword phrase. You can download the Keyword Planner results to a spreadsheet, which gives you a much better picture of the competition as a number rather than a label.

The other thing you need to remember is that SEO is an ongoing process. It’s a long and strategic game. So, you need to evaluate your SEO and keyword research continually. The industry changes constantly, the market changes constantly, the competition changes constantly. You need to be able to adapt to the change as well, so evaluate your keywords on a quarterly basis, see if traffic or conversions on your site are going up or down, and re-adjust. More to come on the topic of SEO.

The Needs of Web Proposal Writing

Casting a wide net, web proposal writing is probably one of the most daunting yet creative activities one can do in the tech space. Proposals can be the gateway to a super awesome project that soars to success and makes the client very happy…or it can lead to a resounding “we’ve gone with another agency, but thanks for all the time you put into this” reply from your prospect. Proposals can also be the beginning of revision after revision to get the prospect’s challenge mapped to the right solution through hours of project scope development. Ahh…the possibilities…I’m not sure I’ve ever met someone that’s liked proposal writing as much as I do. 

For some, proposals are merely an estimate of what it would cost to get a project done. For others, it’s a templated document where little changes are made except for the company name and date. For me, proposal writing is a journey. It’s a journey of discovery, understanding the challenge, mapping the right solution, building a relationship, and finally presenting that journey with conviction and delivery. 

Many agencies churn out proposals like a shoe factory because they feel proposal writing is just a formality, a number, another template, a means to an end. But it’s not. A proposal is the gift one gives to a company or brand to solve their problem. And that needs to be done with thought and care, strategy and information, good design and presentation, and maybe even a little love. I am not an expert by any means, but I have years of experience writing proposals for web agencies. I wanted to share my evolution of proposal writing and how the actions that precede the proposal writing process are of the utmost importance. In order to write strong proposals, you need to ask smart questions.

Proposal writing starts with a question…

As many biz dev people know, proposal writing starts with a single question:

“What is the challenge that needs to be solved?”

This starts the conversation! Now, oftentimes companies, and the people who work for them, may not know the true answer to this question. That’s where qualifying and scoping really help in identifying a few things.

The way I would usually start the process is by having a phone call with the prospect to understand their needs and objectives. One question I always liked asking or opening with was “what do you want the world to know you succeeded at when this project is finished?” – it’s a great way to get them jazzed about the project and get them feeling good about the conversation they’re having. Keep in mind, they are probably having similar conversations with other biz dev people at other agencies, so anything that’s a little different might surprise them and make you stand out.

The absolute must-knows when writing web proposals..

  1. NEEDS — every company has a need (maybe many) that should be addressed and this may require some digging on your part to really understand those needs. There’s nothing worse than writing a proposal and totally missing the mark on the objective!
  2. AUTHORITY — establishing this is very important. Who is the true decision-maker? But this can be tricky in the beginning stages of scoping a project. Since big brands/orgs will usually send those lower on the totem pole to vet agencies, this may take some prying (and some demonstration on your part that your agency is good) to get to the right person.
  3. TIMELINE — understanding expectations around when a company wants their project to be finished can make or break the proposal writing process. If they have a huge project, but want it done in 3 weeks, that would put the fire out instead of lighting a fire, catch my drift? Onto the next proposal.
  4. BUDGET — getting a sense of what your prospect is willing to pay for their desired outcome is really important. Many people don’t want to give you a number and say “well, just write the proposal with the price tag you think should go in it” – ugh!! That’s a sure-fire way to failure. So, make sure you get some sense of what they are willing to pay, even if it’s saying “projects like that typically fall somewhere between $30k and $50k, does that sound like it would be within your budget?” – anything’s better than no number at all.

Now that you’ve taken care of the absolutes, you can move into the decision making part of the proposal writing process. That’s right…you need to decide whether or not this fits within your parameters. That’s something only you can answer, but I would look at a few things:

  • Lead source: where did your prospect come from? Are they a referral or did they find you in a Google search? I’d opt to go for the one who came in from someone you know than the one who just searched “web agency boston” and came to your site.
  • Project Challenge: is this project challenging for your team and their skill levels? How long would it take them to do, are there any aspects of the project you’re unsure of?
  • Timeline / Budget: is the budget where it needs to be for the project? We all know different agencies charge different prices and can deliver projects at different paces. Does the prospect have a reasonable timeline?
  • Project Match: is the project good for your agency, your brand reputation? Would it be something you’d want to put your name on? I know many agencies who won’t work with the cigarette companies or adult entertainment companies because they don’t want to put that out in the world. So…ask yourself if this is something you’d be proud of when the project is finished.
  • Location: is this company nearby? Can you meet with them in person? In the age of digital, many projects are all done online, and that’s ok. But maybe you’re an agency that likes to meet face to face. Or maybe the client is in Shanghai and you’re located in New York, that’ll make for many a late night!
  • Gut feel: I think this is a good one to mention. Your instinct — how do you feel about the project as a whole, the people you’re engaged with, the company’s objective? Do you think you have a shot at winning? That’s always a tough question to answer (I never thought I’d lose any bid, lol!).

Really scoping the web project and minimizing the creep..

We’ve all heard it—Scope Creep—the infamous added feature that sneaks its way in after the project discovery session when a new stakeholder rears their head and says “hey, but what about this…”

Well, sometimes scope creep is inevitable, but if you can minimize that while you’re scoping, the web proposal writing process will be a little easier.

There are really only two ways to mitigate scope creep. One way is to understand the full breadth of the project, which can be really difficult, right? Sometimes things just pop up, or change happens due to a shift in the business, the market, or whatever. The second way is to set parameters or boundaries in your web proposal writing. I like to do a combination of both.

Obviously, every project you encounter is going to be different, so depending on what needs/objectives your potential client has, it will guide the questions that you follow up with. If a prospect tells you that they want you to do a branding and logo design, are you going to ask them if they want to use a membership plugin or module? Probably not. So, instead of articulating what to ask on every type of project (that might be impossible, or entirely too long of a blog post), I’m going to type out a mock call so you can get an idea of where to take things.

I’ll set the stage for this scope call…

The potential client wants to do a redesign of their website — they are a travel blog that wants its users to sign up for a newsletter, and they offer readers ratings and reviews of travel destinations. You’ve spoken to them once and have gotten the logistical stuff out of the way (Needs, Authority, Timeline, Budget). Here’s the email you were sent with information from Tony at TotallyTravel Blog (fictitious blog..or so I hope!).

Hi Adam,

Thanks for the intro call, I liked learning a little more about your agency and your approach to a website redesign. Here's a little more information on our project. We have TotallyTravelBlog.com that's a custom PHP homegrown content management system. We have about 5 writers that write content for us, but would love to have more. We also have a newsletter that goes out once a month and our goal is to build our subscriber list. We offer travel ratings and reviews on our site and we would like to improve our SEO. We can definitely hop on another call to go over any questions you might have.

Best regards,

Tony

Ok — first and foremost with a prospect like this, they will almost always send you some sort of RFP (request for proposal), so you’ll have information of the basics and maybe even a little bit more. I’ve never read an RFP that’s given me everything I need to write a proposal. So you’ll need to get on a call.

But, right off the bat, we know a few things, right? They are in the media space because they blog about travel, and they have subscribers, so what does that entail? They also have writers (so think WordPress roles), and they’re concerned with their SEO (what does that look like?). Here’s a mock call:

Begin Conversation

Adam: Hey Tony, it’s Adam calling from Being AJiLe, how are you?

Potential Client: Good, good, Adam, and yourself?

Adam: I’m fantastic, thanks for asking. So, I’ve received the information you sent over on the project and I do have some questions. The first one is about the PHP CMS, how much legacy data do you have? I imagine there’s going to be quite the migration involved with this redesign, correct?

Potential Client: Yes, so all the posts will need to be migrated to the new CMS.

Adam: Ok, cool. But just to clarify, the posts aren’t all that need to be migrated, correct? I imagine there are images, authors, tags, categories, and other content types that will need to be moved over as well?

Potential Client: Yes, yes, all that stuff will need to be migrated as well.

Adam: Ok, awesome. What would be super helpful is if we could get an idea of how many content types you have and maybe we could even get a sample of the content types to get a gauge for how relationships are set up? (Sidenote: the number of content types is important to know; usually content types (or post types in WP) have different outputs, which could mean unique designs. Also, relationships between content types can get tricky with migrations. On this one, more than likely, certain scripts will have to be written to map relationships to content types.)

Potential Client: Sure, no problem, I can get that for you.

Adam: Perfect! Now you said in your email that you have about 5 writers? What does their workflow look like with the current CMS? (Sidenote: this will give me an idea of what permissions might look like, and if there’s any way to minimize steps to make things easier for them)

Potential Client: Yeah, so this is a big problem internally. We actually have our authors write the posts in Google Docs, they share it with our two editors that approve the posts and then work with our web admin to put them in the current CMS. It’s been quite the hindrance, so that’s why we’d like to migrate CMSs. We’ve heard good things about WordPress.

Adam: Yeah, so WordPress has got certain user roles written into the CMS. So, your whole workflow that you have right now could be done a lot smoother with WordPress. We could assign your writers roles of either contributors or authors depending on permission levels and they could work right within the CMS instead of outside of it. Editors and admins, also WordPress user roles, would be able to approve things in WP and could push content live. The whole workflow would be much easier to handle.

Potential Client: Ok, that’s great and exactly what we’re looking for.

Adam: Cool, yeah I think WordPress might be a really good fit for you guys, but you also said that you offer certain ratings and reviews? How is that currently done?

Potential Client: We integrate with TripAdvisor

Adam: Ok, interesting. Do you know if it’s just a snippet of code that’s pulled from TripAdvisor or are you using some sort of API?

Potential Client: I believe we just take snippets of code that TripAdvisor offers and insert it into our website.

Adam: Ok, I’ll have to do a little digging into TripAdvisor and see what technologies they offer, they could have a widget or plugin that might work with WordPress. If not, then we’ll have to take a deeper look.

Potential Client: Ok, sounds good.

Adam: Awesome, ok so since you’re in the media and publishing world, I have to ask about ads, will there be any ad-serving on the site?

Potential Client: Oh, yes, absolutely. That’s our biggest money generator. We use DoubleClick for Publishers.

Adam: Ok, cool, I know of a good DFP plugin for responsive sites and ad-serving, so that should be pretty straightforward. But you said that ad-serving was your biggest money generator, what other revenue do you get off of the site?

Potential Client: Oh, yes, we syndicate our content to a few other blogs in the travel industry.

Adam: Ok, and is that done through an XML or RSS feed?

Potential Client: Yes, they go out through a simple RSS feed that other travel blogs can grab on the site and we have certain agreements with them.

Adam: Ok, that makes sense. Another question I have is around your subscribers. Are these subscribers to your blog, or are they members of your site, do they get certain perks, or are they just subscribing to an email list?

Potential Client: Yeah, so we don’t have any members on our site, although that’s something that we’ve been thinking about doing and offering perks. But right now we only have subscribers through our email list for our monthly newsletter, and users also sign up to get updated blog posts.

Adam: Gotcha, so your readers can sign up to an email list to get blog posts or the monthly email newsletter, do you use a certain email newsletter provider like Constant Contact or something similar?

Potential Client: Yes, we use MailChimp. That’s what we use to send out our monthly newsletter and blog posts to users who subscribe.

Adam: (Sidenote: awesome, MailChimp is pretty easy to integrate with. There’s a plugin for that!). Ok, that’s fantastic. Now you said earlier that your team was thinking about maybe doing some kind of membership on your site, can you talk a little about that?

Potential Client: Yes, so there’s been some talk internally about offering tiered memberships where members could get access to travel deals. But I don’t see that happening for at least a year or more, we’d like to get this redesign done first and then maybe do something a little more with memberships.

Adam: Ok, cool, it’s just good to know because before anyone starts building the platform in WordPress, it’s something that we could potentially prepare for. It would obviously cost more money, but I know there are some pretty cool membership technologies that work well with WordPress like MemberMouse or Membership 2 Pro from WPMUDev. So, that’s good that we’re talking about it, I could send you some more info on those membership technologies to see if it’s something that your team might want to think about implementing sooner.

Potential Client: Yeah, that would be great, I’d definitely take a look and at the very least will have the information for if/when it happens down the line. Thanks!

Adam: Sure, no problem! Ok, I just have a few more questions. Since this is a redesign, I have to ask about actual design. Is there any rebranding initiative involved with this like logo design, brand guidelines or standards, or will all that stuff be provided?

Potential Client: Yeah, we went through a rebranding initiative about a year and a half ago, so we have everything that you need there.

Adam: Ok, great, and in terms of information architecture, would you like to revise the menu? Maybe do a little user testing to see if the terminology connects with your users?

Potential Client: Yeah, you know, I didn’t think about that. That definitely sounds interesting and something worth doing.

Adam: Ok, great, and you mentioned that you wanted to improve your SEO. Are you looking for an on-page SEO specialist or were you just talking about the technical aspects of SEO? Making sure your tags are all set properly, alt image text and meta data is setup, etc.?

Potential Client: Yes, that’s what I mean. I think we have good content, but I’m not sure what goes into SEO on the technical side, so we would be looking to our agency of choice to help us out with that.

Adam: Yeah, fantastic, so we definitely design and build with SEO best practices in mind.

Potential Client: Ok that sounds good!

Adam: Well, Tony, it’s been an absolute pleasure, thanks so much for giving me all this information. I think I have a good handle on things and I’ll start putting together the proposal. Sometimes as I’m putting together the proposal and discussing it with the team, more questions arise, will you be available to discuss if I have any more questions?

Potential Client: Oh, yeah, absolutely. Just give me a call or shoot me an email and we’ll connect.

Adam: Thanks, again!

End of Conversation

Let’s breakdown the call for the web proposal writing process..

The first thing I wanted to know about was the migration. That could end up being a big piece of the project depending on how much legacy data there is, and remember that scripts will most likely have to be written to migrate all the content, plus 301 redirects from the legacy URLs to the new ones, because they still want to maintain (and improve) their SEO.

I also asked about author workflow. This won’t be too difficult because it’s already a part of what WordPress does natively, but it’s good to get clarification. Notice how I kept repeating what the Potential Client (PC) said; that just reinforces things. I also got the PC to uncover a pain point that they are having internally — remember that when you start to write the proposal — challenges to solutions!

Then I talked about the ratings/reviews, and the PC revealed that they integrate with TripAdvisor. You would have to do a little more digging here. I would search for plugins that do this (honestly, I’m not sure if there are any), and if not, TripAdvisor might have snippets of code to use. But keep in mind that with any 3rd party there might be some speed bumps that could slow down the project. If you use any 3rd party, you need to play by their rules, and that means things aren’t entirely within your control. So..I would put some buffer time (and price) in the proposal for this implementation.

I also asked about ad-serving. Oftentimes, people in the media publishing world will just consider this a part of the package and not mention it. Remember that these things are so ingrained in their heads as just being a part of their world that sometimes they’ll forget you’re not a part of their world. And the PC also said something that caught my ear – he said “our biggest money generator” – so that means there’s got to be other “money generators,” right? Well, looks like there are, good thing I asked! I always err on the side of caution on things like this and ask. I’d rather end up looking a little stupid in their eyes than having an unhealthy project down the line. You can always play off the “looking stupid” part by saying “yeah, I thought that was the case, but just wanted to be 100% sure.” Ask, ask, ask—you’ll thank yourself in the long run and so will your team!

Then we got to the subscribers, and in Tony’s (PC) email I wasn’t sure if he had members on his site or just email list subscribers. But I asked him about members and uncovered it was something that they were thinking about internally. Now, this could be an opportunity to potentially upsell or increase the scope. I said I would get him the information and he’d take it from there. Now, you can get that info to him pretty quick and you can reach out to him in a few days to see if it’s something he’s had time to discuss with his team. He might not have, but it’s always good to get out in front of that stuff because when you’re in the midst of a project and another stakeholder enters the picture who wants the membership piece to the site, you can say “hey, we talked about that, it’s going to be $XX amount more.” You never know when the opportunity will arise. I sold one of the biggest projects of my career after I thought I had lost it! (Story for another day)

Then just to finalize, I wanted to make sure there wasn’t a rebranding initiative along with the redesign; believe me, there are people out there who will get that mixed up. It’s just a matter of semantics sometimes and it pays to be clear. And then we talked about SEO, because let’s face it, SEO is a beast within itself. Many people who have homegrown CMSs don’t have great implementation of the technical SEO. Things as simple as setting up their H1 to H6 tags could be poor. Often they don’t have meta-descriptions or tags, alt image text, an XML sitemap, or a robots.txt file. And if you want to get really fancy you can talk about structured data: schema.org defines vocabularies (emitted as microdata or JSON-LD markup) that classify what kind of thing each piece of content is. Oooooo.
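To make that list concrete, here is an added example (mine, not from the original post or any agency’s toolkit) that checks a single HTML page for the on-page items just named: a title of sane length, exactly one H1, a meta description, alt text on every image, and heading levels that don’t skip. The two HTML snippets are constructed for the example, a “before” in the style of a homegrown template and an “after” with the same content fixed; the 65-character title limit is the one used earlier in this post. The sitemap and robots.txt are site-level files and are out of scope for a per-page check.

```python
from html.parser import HTMLParser

# Constructed "before" page in the style of a homegrown CMS template.
LEGACY_HTML = """<html><head><title>Paris Travel Guide</title></head>
<body>
<h1>Paris</h1>
<img src="/img/eiffel.jpg">
<h3>Getting there</h3>
<h1>Where to stay</h1>
<img src="/img/hotel.jpg" alt="Hotel lobby">
</body></html>"""

# Constructed "after" page with the same content fixed up.
FIXED_HTML = """<html><head><title>Paris Travel Guide | TotallyTravelBlog</title>
<meta name="description" content="Where to stay, eat and wander in Paris, rated by our readers.">
</head>
<body>
<h1>Paris</h1>
<img src="/img/eiffel.jpg" alt="Eiffel Tower at dusk">
<h2>Getting there</h2>
<h2>Where to stay</h2>
</body></html>"""

TITLE_MAX = 65  # the post's title limit
HEADINGS = {"h1", "h2", "h3", "h4", "h5", "h6"}


class OnPageCollector(HTMLParser):
    """Collect the handful of on-page signals the audit looks at."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta_description = None
        self.heading_levels = []
        self.images_missing_alt = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "title":
            self._in_title = True
        elif tag in HEADINGS:
            self.heading_levels.append(int(tag[1]))
        elif tag == "meta" and attrs.get("name", "").lower() == "description":
            self.meta_description = attrs.get("content") or ""
        elif tag == "img" and not (attrs.get("alt") or "").strip():
            self.images_missing_alt.append(attrs.get("src", "?"))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_html(html, title_max=TITLE_MAX):
    """Return the page's issue codes in a fixed order (empty list = clean)."""
    page = OnPageCollector()
    page.feed(html)
    page.close()
    issues = []
    title = page.title.strip()
    if not title:
        issues.append("missing-title")
    elif len(title) > title_max:
        issues.append("title-too-long")
    h1s = page.heading_levels.count(1)
    if h1s == 0:
        issues.append("missing-h1")
    elif h1s > 1:
        issues.append("multiple-h1")
    if page.meta_description is None:
        issues.append("missing-meta-description")
    elif not page.meta_description.strip():
        issues.append("empty-meta-description")
    if page.images_missing_alt:
        issues.append("images-missing-alt")
    # A jump of more than one level (h1 straight to h3) breaks the outline.
    for prev, cur in zip(page.heading_levels, page.heading_levels[1:]):
        if cur > prev + 1:
            issues.append("heading-level-skipped")
            break
    return issues


if __name__ == "__main__":
    print("legacy:", audit_html(LEGACY_HTML))
    print("fixed: ", audit_html(FIXED_HTML))
```

Run against the legacy snippet it reports two H1s, no description, an image without alt text and an h1-to-h3 jump; the fixed snippet comes back clean. Pointing it at every template output of a homegrown CMS before the proposal is written is a cheap way to size the technical-SEO piece instead of guessing.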

The needs of web proposal writing..

Now, that was obviously a mock call, but I did have very similar conversations and I went more in-depth than I did in this post. But notice how I left the communication lines open. I told him that when writing the proposal and talking with the team, other questions often arise. Set the expectation that they will be hearing from you again before they receive the proposal. That will also set an expectation that they’re not going to get the proposal in a day or two. Remember to leave the door open.

The trick to writing solid proposals is asking smart questions. And more importantly, it’s about asking the right follow-up questions. I know many people think web proposal writing is just a formality, but I think it’s one of the most creative activities one can do in the tech world. Why, you ask? Well…I’ll show you on the next post when I write about my web proposal writing evolution.

Overcome Your Website Security Worries

I know I’ve used this clipart before that’s in the featured image (maybe I like it!), but because the Guy Fawkes mask has become synonymous (thanks to Anonymous) with web hackers and in turn with website security, I found it befitting to use once again.

This post is in direct relation to the talk I am about to give this Thursday for NIM on helping people overcome their website security insecurities. I will post the slides by the end of the week.

A little background…

Ever since I entered the field of website security, it’s taken me a while to understand it. Working for Sucuri definitely helped in understanding it — but when I first started I did NOT get website security. It made no sense to me. And I’m a guy who comes from the agency world. I used to do front-end development work; I know the design process and the development process. That makes sense: you take one step forward and get closer to your goal…hopefully. Not in website security, where you side-step constantly. Because it’s not about control. Website security is a combination of technology, process, and people. You can’t control all those things; you can assess and mitigate risk in those areas, but you can’t control them.

Helping people overcome their website security worries…

The motivation I have for giving the talk is two-fold:

  1. I really do want to help people overcome their worries and fears. Website security can be frustrating, befuddling, scary, complex, and downright incomprehensible. And to preface, this is a post about website security. Not web security, not IT security, not PC security, or network security. This is a post on protecting your website. Although all those other layers of security do sort of play a role in website security, and that’s why it can be super confusing.
  2. To let people know that as website owners and managers, we have a responsibility not only to our sites, but to our visitors and to the world wide web as a whole. We need to be good stewards of the internet, and that starts with the properties that we manage online. Our posture needs to be strong, solid.

So…I guess you could say my hopes for this post/talk are that the audience picks up one (hopefully more) tidbits of information that will make them more diligent online. I want people to understand website security a little better and to give them a plan of action to get their website security and online posture in order.

Let’s begin

The first thing I need everyone to understand is that website security involves several things. It involves Technology, Processes, and the People:

  • Technology – you have a local computer, you have a hosting environment, the different systems that you use that are integrated with your website, social media, the list goes on…
  • Process – protocols that are used to transmit data (HTTP/HTTPS), the process you use to recover your site once it’s been hacked, the process for updating your website or storing a password, the list goes on…
  • People – this one’s the hard one, the wildcard. We have hackers, who are getting better by the minute and coming out with new technology. There’s us – the website owners – maybe we don’t have enough education. Then there are the people that visit our website; maybe they have malware on their computer and upload something to your site, the list goes on…

Technology, People, Process

So, the point is, we can’t control everything, but we can mitigate the risk.

Let’s talk about the people, mainly hackers…

hack·er ~/ˈhakər/ (noun): a person who uses computers to gain unauthorized access to data.

Originally ‘hacker’ was a term of esteem, used to describe someone who tinkered around with systems and could break things down, reverse engineer, someone who was really good at understanding their system (whatever it was). Now it’s used to describe someone who wants to do malicious harm online.

HACKERS: White-hat, Black-hat, Grey-hat, Blue-hat. There are different types of hackers.

  • Script Kiddies – usually computer novices who take advantage of hacking tools, vulnerability scanners and the like
  • Hacktivists – groups like Anonymous, hacking for a cause, usually to expose information, get someone out of prison, expose a corrupt official, things like that.
  • Cyberterrorists – hackers that go after government entities. Experts say World War III will be fought online, I whole-heartedly believe that.
  • Organized Criminal Hackers (Hacking rings) – groups that take down targets like Home Depot, the MySpace passwords that were recently stolen, etc.
  • Security researchers – the good guys (or the in-betweeners – Grey-hats) that try to get ahead of the bad guys or find a vulnerability before it’s exploited.

Motivations of hackers:

  • Revenue/Money
  • Resources
  • Just because they can / or the challenge of it.

Attack types and distribution…

For the most part you’re going to see two types of attacks. Automated, which make up the vast majority of the attacks that are out there. Then the less frequent targeted attacks. The targeted attacks are the ones we hear about and read about in the news headlines. But the ones we really need to worry about are the opportunistic or automated attacks. Given enough time, attackers can sit back and have their networks work for them, and have their scripts slowly find, test, and attack every available target on the internet. Malicious automation has gotten increasingly sophisticated and shows no signs of slowing down.

You can download Sucuri’s Q1 report on hacked websites here: https://sucuri.net/website-security/website-hacked-report

It’s pretty scary stuff, but to give you a precursor, Google reported in March of 2015 that 17 million website users had been greeted with some form of malware warning that the websites visited were either trying to steal sensitive information or trying to install malicious software on the users’ computers. In March of 2016, that number jumped to 50 million!! I imagine next year that number will grow to triple, maybe quadruple that. You can see as the internet grows, so does malware distribution. Google, alone, blacklists over 20,000 websites per week, over a million per year. That’s pretty staggering.

But what are some of the vehicles for distributing malware? There are a lot, almost too many to name, but I’ll name a few that are seen quite often:

  • DDoS attacks – it’s an attempt to make a website unavailable by overwhelming it with traffic from multiple sources.
  • Brute Force Attacks – this is a trial and error method used by hackers to crack passwords through exhaustive efforts, not strategic ones. We see this a lot with Content Management Systems.
  • Software vulnerabilities – a weakness in a website or system that allows a hacker to gain access and/or infect it with malware. These are usually due to people not updating their systems.
  • Drive-by Downloads – refers to the unintentional download of a virus or malware onto a personal computer or mobile device, usually just by visiting a compromised page.
  • Phishing Lure – an attempt to acquire sensitive information (passwords, usernames, etc.) by masquerading as a trustworthy entity online.
  • Malicious Redirects / SEO spam – this is the manipulation of a website’s SEO and/or links to get traffic to a certain page. Often times a pornography site, or pharma page like Cialis or Viagra.

There are others like XSS (Cross-site scripting), SQLi (SQL injections), RFI (Remote File Inclusion), LFI (Local File Inclusion), and more. So we need to be very diligent, things are already working against us.

But what do we control as website owners?

A few things, right? Right now, we control our website (well, hopefully if you haven’t been hacked and locked out of your site), and what goes on it — things like themes, plugins, modules, extensions, add-ons…

We also control our hosting environment. And I want to make a quick note on how hosting plays a role in website security. Here is a picture of my Cyberduck (the FTP client) – I’ve blurred out a few of the domains I have on there (for security purposes).

The thing to note here is that all six of these sites, all these properties, sit next to each other in your hosting account. It doesn’t make a difference to me if you have a dedicated server, a VPS, or a shared server. Most people have shared servers. Why? Because they’re cheap and they offer unlimited domains. I don’t think it’s much of an issue that people sit on shared servers with other people and “share” the resources; that’s not really the problem. Hosting providers will have their infrastructure set up so that it would be very difficult for malware or a virus to jump from one account to the other. But the issue is within our own hosting account.

Take the above picture. Say the two sites that are not blurred out – BeingAJiLe.com and AdamJamesLamagna.com – say these sites were really important to me (they are), but let’s say those are the only two I cared about on my shared server. The other 4 sites that are blurred out, let’s say I don’t care about them. Let’s say I never update them (I do, but for argument’s sake). That means that those sites are susceptible through software vulnerabilities, or weaknesses in the code. If one of those sites gets infected, it could infect all the other sites on my server through an activity called cross-site contamination. I wrote a post on it. But remember this — your web host / server is only as strong as its weakest link.

Your web host / server is only as strong as its weakest link

And that’s how hosting plays a role in website security. People put development or test sites on the same server as production sites, and then forget about those sites. Take a count of how many sites you have on your server, and do a little cleanup if there are sites on there that you don’t care about.

What do we do to actively protect our sites??

This is the thing: there’s really only 1 thing you can do to actively protect your site, and that’s to install a firewall, specifically a website application firewall. A firewall is a catch-all phrase, right? There are network firewalls, server-level firewalls, local computer firewalls; they all protect different things. You can read up on the Differences in Security Firewalls, it’s a good post. But a website application firewall, also known as a WAF, will protect your site from malicious incoming web traffic. It inspects the incoming web requests and compares them against signatures of known attacks (exploits for known vulnerabilities) and against known trusted sources. If a request matches a trusted source, it passes through; if it matches a known attack, it doesn’t.

But firewalls, like all security technologies, are not infallible. They make mistakes, not very often, but maybe there’s a new attack that the ruleset hasn’t seen yet. It won’t pick up on it and block it from your website. But that’s the reality, and it’s why having a good online posture comes in handy.

Understanding the security state of your websites…

Another technology you can use to get insight into what is going on already on your website is called a scanner, or monitoring device. There are a few free ones out there like these:

All pretty solid technologies, but again they’re fallible. They’ll check the source code and files and compare it to known vulnerabilities. If a vulnerability has not been discovered yet, it won’t pick up on it. But that’s just the way it is, so we have to be strong in our online posture to be able to react accordingly, and hopefully prevent infection from ever happening.

Essentials of good online posture for your website security…

A few things (and let me preface this by saying ‘I don’t want to tell you what you already know’) that I want to impress upon you as essential to good online posture:

  1. Backups – this one should be pretty obvious. You need to back up the files and the database (both of these!!). If you don’t change your content all that often, back up once a month. If you blog every day, back up daily. Now for each specific CMS, there will be tools you can use. For WordPress, I use BackUpWordPress – it lets me automate backups on a frequent basis. But what it will end up doing is placing the .zip file and .sql backup on the server. Remember what I said earlier about servers. You need to remember that once your backups are complete, to remove them from your server. Put them in a safe place on your local computer or somewhere in the cloud. Otherwise, your backups could become corrupted if your website gets infected.
  2. Updates – another one that’s pretty obvious. You need to update your site. Along with cool new features also come security patches. This is what we care about – security patches. Now WordPress has been really great at backwards compatibility, meaning that when you update, it’s rare that things break on your site. Well…as long as it’s not super customized. For those sites that are super custom or other CMSs that aren’t great at backwards compatibility (ehem…Drupal), then the only way to really protect against this is to get a website application firewall – what I talked about earlier. Most firewalls will stop attacks on those vulnerabilities at the edge before they even get to your site. Known security patches will get written into a firewall’s ruleset to help protect. Otherwise, I would make plans on fixing your website to be able to do updates.
  3. Passwords – I believe people are getting much better about their passwords, I think… Use a password manager like LastPass or 1Password. I bought 1Password for $50 for my lifetime, it’s totally worth it. Password managers will generate strong passwords for you, you don’t have to memorize them (you only have to memorize one – the one that gets you into 1Password). It will open up a particular website and autofill for you, which is super nice! And you can also share passwords via vaults with team members through a service like Dropbox or Google Drive.
  4. Access Control / User Access – this one’s always a tricky one. You have a CMS, and other users need to be on it for whatever reason. Maybe they put new products on the site, or write blog posts for you, or make updates to plugins. Whatever the reason, users need to get on your site; you can limit their access through things like user roles, which WordPress does really well. But the other piece is authentication. Authentication is huge in the CMS world. I would strongly suggest enabling something called two-factor authentication. You can do this pretty easily in WordPress and I’m sure other CMSs too. You need to download Google Authenticator from the App Store (iPhone) or Google Play (Android). Then I used the Google Authenticator plugin. When you install the plugin and go to a User (you can have a different code for each user, which is ideal) it will ask you to enable it and a QR code will pop up. On your iPhone/Android, you just scan the QR code and then miraculously it’s synced up. Now, every time you go to log in, it will ask you to put in your 6-digit code from Google Authenticator. The system knows it’s YOU who is logging in, and not someone who merely guessed your password through a Brute Force attack. Now, if you don’t have an iPhone or don’t want the hassle, you can always install CAPTCHA or reCAPTCHA, which will check that the user logging in is not a robot/bot by asking it to spell some hard to read text or do a math problem. I prefer Google Authenticator, but CAPTCHA is at least another layer of security.

So, where do I start if I don’t know where to start…

You start with an asset inventory list:

  1. Create a list of all the sites you own or manage:
    1. Where are those sites hosted?
    2. What plugins, modules, extensions, themes, 3rd-party systems are on or integrated with your website? Are they necessary? If not, remove them.
    3. Make a list of all the people who are allowed access to your site. Evaluate their permission levels, stress strong passwords, and enable two-factor authentication.
  2. Make a backup of each site:
    1. Files and Database – remember to take them off your server and store them some place safe.
  3. Make sure your site is updated:
    1. Core files, plugins, themes, modules, extensions, etc.
  4. Scan your sites for malware:
    1. Use one of the free DIY tools offered by Sucuri or other companies.
    2. Or use a scanner specific to your CMS, see below.
  5. Actively protect your site using a Firewall or CMS specific technology.

Here are a few tools for you to put in your website tool DIY basket:

Platform Agnostic Scanners:

CMS specific scanners (HackerTarget has got some cool tools):

CMS specific scanners will compare your install to a trusted install of the specific CMS to see what has changed. It’s good to see if files have been modified or if there’s something on your site that just shouldn’t be there.
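The comparison such a scanner performs, as an added example that is not part of the post or of any of the tools it links to: hash every file in a trusted copy of the release, hash the live install the same way, and report modified, added and missing files. The sample "installs" and the ignore list (`wp-config.php`, uploads, cache) are constructed for the example; like any file scanner, it sees nothing that lives only in the database.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from a clean release and would only add noise.
# Constructed list for this example; tune it to the CMS you actually run.
IGNORED_PREFIXES = ("wp-config.php", "wp-content/uploads/", "wp-content/cache/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith(IGNORED_PREFIXES):
            manifest[rel] = hash_file(path)
    return manifest


def compare_manifests(trusted: dict, current: dict) -> dict:
    """Classify differences the way a CMS integrity scanner reports them."""
    return {
        "modified": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "added": sorted(p for p in current if p not in trusted),
        "missing": sorted(p for p in trusted if p not in current),
    }


def write_sample_install(root: Path) -> None:
    """Constructed stand-in for a clean CMS release (not real WordPress files)."""
    (root / "wp-includes").mkdir(parents=True, exist_ok=True)
    (root / "wp-content" / "uploads").mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-blog-header.php").write_text("<?php\n// loads the CMS\n")
    (root / "wp-includes" / "functions.php").write_text(
        "<?php\nfunction site_hello() { return 'hello'; }\n")
    (root / "wp-config.php").write_text("<?php\n// site-specific settings\n")


def scan_demo() -> dict:
    """Build a trusted copy and a live copy, change the live one, and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = Path(tmp) / "trusted"
        live_root = Path(tmp) / "live"
        write_sample_install(trusted_root)
        write_sample_install(live_root)
        # Constructed changes standing in for what a scanner finds on a live site:
        (live_root / "index.php").write_text(
            "<?php\n// a line that is not in the release\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (live_root / "wp-includes" / "extra.php").write_text("<?php\n// not part of the release\n")
        (live_root / "wp-blog-header.php").unlink()
        # Differences inside ignored paths must not be reported:
        (live_root / "wp-config.php").write_text("<?php\n// different on every site\n")
        (live_root / "wp-content" / "uploads" / "photo.txt").write_text("constructed upload\n")
        return compare_manifests(build_manifest(trusted_root), build_manifest(live_root))


if __name__ == "__main__":
    for kind, paths in scan_demo().items():
        print(f"{kind}: {paths}")
```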

Reasonably priced Firewalls:

If you absolutely can’t pay for a Firewall and need something free, then I’ll use a combination of Cloudflare’s free CDN service, and Wordfence (this is only for WordPress users) – they bill the plugin as the “most downloaded security plugin for WordPress” – I feel like I’ve heard that before. But either way, this combination works really well for my sites, but keep in mind, my sites aren’t super high traffic. I imagine if you have a super high traffic site, that you can pay for a reasonably priced firewall.

But if you can’t, the above combination works for me. I use Wordfence’s automated scanning and Firewall, in conjunction with Cloudflare’s free CDN network (which will speed your site up regardless) and their security features. I also have two-factor authentication on my site and I use Login Lockdown which will limit Brute Force attempts.

In closing…

I know this is all a lot to take in. Website security just isn’t one thing, it’s many. We were told that putting up a website is easy, and that’s true, it is easy. But managing and protecting and keeping your site/visitors secure on a daily basis is the hard part! It’s a constant battle, but I hope this brought a little clarity to securing your website and being a more responsible steward of the internet.

A few more resources if you’re interested…

If you have any questions, please feel free to reach out! Many thanks!

The Frustration with Website Security

People just expect their websites to be secure!

People just expect their sites to be safe, and I’ll admit, I did for the longest time too! But that’s a far cry from reality and one that’s hard to sell.

I work for Sucuri, one of the best website security companies on the market today (probably the best – and yes, I am biased!). But I sell web products to agencies and enterprise level clients. It’s not so difficult to sell them on our products. Sucuri’s products, they just work and very well at that! What I need to sell people on is website security as a whole, which is much more difficult than you may realize.

Let me break things down.

There are all these moving pieces to the web, correct? Yes, there are. Even more so at a granular level when you look at companies’ servers or hosting environments, file structures and setups, their clients and others who have access to these sites, the sites themselves and all their vulnerabilities. Not to mention the hackers, who rarely leave a trace and rarely get caught and rarely get punished for it.

Let’s start with different environments. There’s a great analogy I use for shared hosting, VPS, and dedicated accounts.

  1. Shared hosting – this, essentially, means that you are sharing resources with everyone else in that environment, like CPU time or memory space. It’s like living in an apartment complex and sharing the pool, laundry, and parking lot with your neighbors. You still have your own place, but if the laundry is tied up, you’ve got to wait!
  2. VPS (Virtual Private Server) – this is like living in a condo, because you’re still sharing resources that are outside of your condo, like parking space, but you’re ultimately responsible for things inside your condo. So, in a VPS environment, there are still shared resources, but portions of those resources are dedicated to each individual VPS.
  3. Dedicated server – this is like owning your own home. You’re responsible for the upkeep, but you also have access to all the resources, and no one shares them with you.

So, this is a very simplified version of server environments. Nowadays, people use the term ‘server’ and the term ‘hosting’ in somewhat the same way. Years ago, when someone said we host internally, it usually meant that they had physical servers inside their offices where they would manage them and actually host their sites on those servers. And for those of you who don’t know, a server is just a computer, with a little different hardware on it (even though, a desktop computer could run a server) – I know, confusing!!!

Hosting is done by a number of different providers like WP Engine, 1and1, GoDaddy, Pantheon, and so on. They have the hardware and resources to handle many different types of platforms (or a specific one), and they also make things easy for people to manage their environments through something called a control panel (cPanel is the common one). It’ll give you access to your domains (if you’ve pointed them from your registrar or used the hosting company to buy the domain) and let you change the directory path and DNS settings, things like that.

Now with most servers, there will be server-level firewalls set up with the infrastructure, but that means that it’ll still let in web traffic, which is what we need a lot of protection from. Port 80 (HTTP) and port 443 (HTTPS) traffic can let in a lot of different activity (good and bad). This is how your visitors reach your site, through one of those two ports depending on whether or not you have an SSL certificate, and a server-level firewall has to leave those ports open. So, there are many different ways a website can get compromised.

  • Software vulnerabilities
  • XSS (Cross-site scripting)
  • Backdoor Injections
  • SQL Injections
  • SEO Spam
  • DDoS (Distributed Denial of Service) Attacks
  • Brute Force Attempts

And the list goes on…and on…and on…

But you have to be aware of this stuff, and keep in mind that a lot of these attacks are automated. Some may be done manually by a bored teenager sitting at home in front of his computer. But for the most part, they’re automated attacks. And keep in mind there are attacks of opportunity (which we are all susceptible to) and targeted attacks, which are usually for the bigger brands and companies, but make no mistake if you engage in controversial content on your website (like religion or politics), you can very well be targeted too!

There are a few different reasons why someone would want to attack your site or gain access to it. It’s not just money, but that can be part of it.

  1. Revenue – and I’m not talking about people trying to steal credit card info (although, that happens all the time), but if you don’t do anything with e-commerce, hackers can still profit off of your website. Imagine a hacker injects your site with malware and then your mom visits your website. She unwittingly downloads something that your site told her to download (because she trusts you and what you put on your website) and then four hours later she has no money in her bank account. BOOM!! Oops… That’s what I’m talking about. And there’s also SEO spam. Hackers who use your site to redirect traffic to their pages to make money by inserting links, or keyword stuff your site (which will send your rankings through the floor – and it’s hard to recover from) to get better rankings in the short term and make money off of your audience.
  2. Resources – this is another big one. Maybe the hackers don’t want money, but they may want your resources. Things like bandwidth or CPU. They can build a network off of your system and lease it to others. Now hackers can take your resources and use them to attack other unknowing parties, without YOU (the website owner) even realizing it. Scary, right??
  3. Lulz – yup, that’s right, lulz!! What is that you ask? Well…it’s just for the hell of it! Fuck it, let’s try it! I want to see if I can do this. Again, it could be some bored teenager just sitting around chatting on the security forums. Someone tells them about a tool to drop scripts in a website via a contact form, and they want to see if they can do it and gain access. Then once they do, who knows what could happen!! Be careful of this, because this is really hard to mitigate against. Get a WAF (website application firewall).

We have to be careful of things like Ransomware (holding a website owner’s site hostage) or Malvertisements (malicious ads) and there’s no one right way to do this. It really starts with education, so if you’re reading this post, kudos!

Some thoughts on general security

In order to keep your site (and your visitors) safe, you’ll need to explore general website security. Starting with monitoring and a firewall. Sucuri offers an awesome monitor/firewall package, our Website Security Stack. But if you can’t afford that, then look at all the free stuff out there.

You can use our SiteCheck to see if there is malware on your site. But keep in mind this only scans remotely, as a visitor would see the site; it can’t check the database or the files on the server.

You can learn how to harden WordPress, which is basically locking a few things down: access, containment, and certain configurations.

Or you can take a look at ModSecurity with the OWASP Core Rule Set – which are open source and free to use, you just have to configure the firewall yourself, and that can get confusing!!

The Frustration of Website Security

And this is the frustration of website security: there is no 100% solution out there. I don’t think there ever will be! Ever! The reality is that the landscape of websites and their environments changes so frequently that once a solution has been produced, hackers have already found a solution of their own to beat it. And that’s the continual cycle.

So educate yourself and the people around you. If you own a website, you not only have a responsibility to it, but to your audience, and the web in general.

More to come on this topic…

The Cost of Doing Business with a Web Agency

I got asked a really great question last weekend and figure I would expand on it in a blog post. The question was “what’s the difference between a $2,500 project/website and a $15,000 project/website?” This, believe it or not, is one of the most probing questions I’ve ever been asked. Hence, the need to write a blog post on it.

So…what is the difference?

I’ll tell you as I see it, and I want to preface this by saying, my word is not absolute. This is completely my opinion and my thoughts that stem from the experiences I have working at a small agency and a larger one. The smaller agency charged anywhere from $2k – $20k per project and the larger agency charged anywhere from $50k – $250k per project. I would love to say that the difference is level of effort, but that’s not necessarily true. I think what we have to do first, is look at the variances of what we’re talking about. There are many, many variances in agency types or tiers, types of projects or websites, and variances within those projects.

So what kind of an agency is right for your business, and what are the pros and cons of each?

Types of Agencies

In the design and development world there are all types of designers and developers ranging from freelancers to mega-web agencies, small design shops to professional engineering firms. There are marketing agencies, social media agencies, and SEO agencies. For the sake of this post, I’m going to concentrate on the different types of website design/development agencies, the ones that do strategy, design, and development. This will be mostly for people or companies looking to get a website designed and built.

  1. Freelancers: These are the hardest ones to put in a category, because like agencies, freelancers can range a great deal. There are the novice freelancers, many of them do projects for next to nothing, sometimes they actually charge nothing. They’re just starting out and want to grow their portfolios. But then, there are other freelancers out there who are phenomenal. Usually these freelancers are expensive and don’t take on many projects because their plate is already full. You can usually find freelancers ranging from the novice to the expert on sites like Upwork or Elance, just make sure to check out their ratings and reviews.
    • Advantages: One person owns the project from start to finish (not being shuffled between people); Almost always less expensive than agencies; Can usually get the job done very quickly
    • Disadvantages: One person owns the project from start to finish (so, stability could be an issue depending on the freelancer), if they run into a speed bump that could mean the end of the project; Skill set is usually limited to one area like development or design, not both — unless you find that unicorn freelancer, they are out there!
  2. Small ‘Everywhere’ Web Agency (2 – 10 employees): These agencies are very common and popping up everywhere (hence, the ‘everywhere’), and like freelancers, they can range a great deal. Most small web agencies don’t have a focus in terms of industry. They’ll work with a lot of companies ranging from lawyers to restaurants to local businesses. The owners often times act as project/account managers and the staff is limited in their experience. That’s not to say that these agencies aren’t good, there are good ones out there, but they mostly do simple marketing redesigns, blogs, and brochure-style websites.
    • Advantages: Prices can range, but usually it’s within a small business’s budget. Often times you can get redesigns done for $2k to $10k; These agencies are friendly and will treat you like family, and they’ll go the extra mile to keep you as a client.
    • Disadvantages: They sometimes use templates for design, so you’ll see many clients that have the same navigation bar or search box style; Sometimes they’ll modify themes instead of making custom ones; And often times they don’t have an in-depth process when it comes to the strategy surrounding the project.
  3. Boutique Web Agency (5 – 25 employees): These agencies are the ones that usually have sharp focus in a niche industry, like “we only work with non-profits,” which makes them really great in that one (or two) specific vertical(s). Their process is somewhat refined and they have a small team. They usually have top-tier talent (one or two rockstars) and project or account managers. They work with medium-sized businesses and most likely have a few enterprise level clients.
    • Advantages: Focused verticals, know the specific industry inside and out; Refined strategy processes; Top-tier development and/or design talent; Most likely have good project management skills
    • Disadvantages: They have small teams that are most likely working on a number of different projects; May push out the start date depending on workload; Often times rely on the top-tier talent to take the bulk of the projects
  4. Professional Web Firm (25 – 75 employees): These firms are the ones that have focus in a few different industries and market themselves that way, but they’ll also push their own boundaries and take on projects outside their industries (not all the time!). They usually have a sales department (or sales guy) and marketing team. They’ll have dedicated project teams and a handful of project managers. They’ll also have a solid leadership team to motivate and corral the team members when needed. They have processes set in place and incrementally improve them. They consider strategy a big part of the web game and use it to deliver solid projects. They have full day discovery workshops and probably do user testing to confirm hypotheses. They work with big companies and enterprise brands, but still have a few small to medium businesses that they got when they were starting out.
    • Advantages: Custom work, you’ll get a unique website that’s built for your users (hopefully!); There will be an outlined process; Roles and responsibilities will be defined; Strategic thinkers that will use data to make informed decisions; Will assign a dedicated project manager; Top-tier talent
    • Disadvantages: They’re expensive; And they’re not the quickest on project timelines, they plan and plan, and that takes time; Often times they overload their team because of client demands
  5. Mega Web Agency (100+ employees): These are the large agencies that take on a number of different verticals, they almost always have distributed teams and work on some really big projects. They’ll have every type of agency person including user experience designers, digital strategists, marketers, software engineers, strategy partners, and a large leadership team with dozens of years of combined experience. They usually don’t take on projects for less than $250k (I know some that start at $500k or even above!). They work with brand names (think Google) and they’ll do mostly (if not only) custom work.
    • Advantages: Super custom work tailored to your users; Strategy will be the biggest part of the project; They’ll usually work in sprints and test at the end of each sprint to verify concepts and prototypes; Quality Assurance will be meticulous
    • Disadvantages: You need to be a huge company to work with these guys, because they are expensive; There might be a waiting list to work with them; There will most likely be a number of people in on the project at different phases/stages of the project, so you’ll meet new people constantly

What about agencies with 75 to 100 employees?

Good question! Well, this is by no means a complete list. I’ve noticed the farther I go in web services (or just web in general) there are soooo many types of agencies out there. There’s also the Digital Body Shop which usually has anywhere from 50 – 100 employees, and they do a bunch of different projects in different verticals and work with a myriad of industries.

Just remember, this stems from my own experiences and the people I’ve talked with.

Let’s get into project type and what their average costs are with the different agencies.

Types of Projects / Types of Websites

Like agencies, there are definitely a myriad of different projects and websites that can be created, designed, and built. Some are simple, and some are super complex. So, I’ll list out the most common projects most people are likely to encounter and most agencies and/or freelancers would take on. To limit things (because this is already a long post!!), I’m going to just do pricing for the 3 web agencies in the middle: Small Agency, Boutique Agency, and Professional Agency. Please keep in mind, these are averages (prices all depend on the scope) and can realistically range from $1,000 to millions!

  1. Blog: This is perhaps the simplest type of site which mainly consists of a content management system (like WordPress) and updated content coming out on a regular basis.
    • Price:
      • Small: $1,000 – $5,000
      • Boutique: $3,000 – $15,000
      • Professional: $10,000 – $35,000
  2. Microsites: These can be deceiving. The term ‘microsite’ sounds small, but I assure you they can be the opposite of that! Microsites are usually built when a company wants to promote an event or showcase a certain branch or department of the company. Oftentimes there are videos or images and CTAs (calls-to-action) prompting the user to do something like sign up for a service or check out certain resources. They can be a cool way to get more awareness.
    • Price:
      • Small: $2,000 – $8,000
      • Boutique: $5,000 – $25,000
      • Professional: $25,000 – $75,000
  3. Marketing Site: These are called different things, sometimes informational sites or brochure-style sites, but essentially these sites just market your company or cause or whatever! They can be a little trickier than blogs because oftentimes they require implementing ad-serving, email newsletters, videos, or image galleries. I’ve seen these sites range anywhere from $5,000 to $80,000, depending on what’s involved with them.
    • Price:
      • Small: $2,000 – $10,000
      • Boutique: $10,000 – $50,000
      • Professional: $35,000 – $100,000
  4. Site/Application Build: These are a little trickier to price because they almost always involve some type of integration with another system, like a booking engine or an events registration system. These builds can be complex and should be handled by top-tier talent. Be careful about going with a price that’s too low (there is such a thing!); they should be priced accordingly, because they are hard projects to work on!
    • Price:
      • Small: $8,000 – $20,000
      • Boutique: $35,000 – $120,000
      • Professional: $75,000 – $250,000
  5. Membership Portals / Member-Based Sites: These can be fun projects and if done right can come out really well. WordPress ships with default user roles like Editor, Author, and Subscriber, and a good agency can do almost anything with them; other CMSs, like Drupal, let you customize your user roles. But because clients’ needs vary a great deal, what they want their membership site experience to be like will largely determine how much the project costs.
    • Price:
      • Small: $5,000 – $25,000
      • Boutique: $30,000 – $150,000
      • Professional: $75,000 – $300,000
  6. Ongoing Support: Obviously this all depends on the size/scope/scale of your digital property and what your needs are, but usually prices start at the following amounts.
    • Price:
      • Small: starting at $100 per month
      • Boutique: starting at $500 per month
      • Professional: starting at $1,000 per month

Again, this is not a complete list. There really are multiple (sometimes endless) types of sites that you could potentially do. You could also have a hybrid of sites, like a Microsite within a Membership-Based Site, oh the possibilities!!

I guess that’s what I like about the web, the possibilities, they are endless!

But I hope this sheds a little light on what types of agencies are out there, what they typically charge for web projects, and what to expect from them if you ever need their services.

So, to answer the original question, I’m not sure what the difference between a $2,500 website and a $15,000 website is. I would say there are different types of agencies that price projects out differently depending on their market size, location, and client type. But with that being said, I really hope that a $100,000 project from a professional agency comes out better than a $10,000 project from a small agency, but I tell people it’s like buying a car – “You can get a Hyundai Accent for $15k and you could get a Lamborghini for $250k (is the Lambo better? Maybe..) but they’ll both get you from point A to point B!”