Overcome Your Website Security Worries

I know I’ve used this clipart before that’s in the featured image (maybe I like it!), but because the Guy Fawkes mask has become synonymous (thanks to Anonymous) with web hackers and in turn with website security, I found it befitting to use once again.

This post is in direct relation to the talk I am about to give this Thursday for NIM on helping people overcome their website security insecurities. I will post the slides by the end of the week.

A little background…

Ever since I’ve been in the field of website security, it’s taken me a while to understand it. Working for Sucuri definitely helped in understanding it —but when I first started I did NOT get website security. It made no sense to me. And I’m a guy who comes from the agency world. I used to do front-end development work, I know design process, development process. That makes sense, you take one step forward and get closer to your goal…hopefully. Not in website security, you side-step constantly. Because it’s not about control. Website security is a combination of technology, process, and people. You can’t control all those things, you can assess and mitigate risk in those areas, but you can’t control.

Helping people overcome their website security worries..

The motivation I have for giving the talk is two-fold:

  1. I really do want to help people overcome their worries and fears. Website security can be frustrating, befuddling, scary, complex, and down-right incomprehensible. And to preface, this is a post about website security. Not web security, not IT security, not PC security, or network security. This is a post on protecting your website. Although, all those other layers of security do sort of play a role in website security, that’s why it can be super confusing.
  2. Is to let people know that as website owners and managers, we have a responsibility to not only our sites, but our visitors, the world wide web as a whole. We need to be good stewards of the internet and that starts with the properties that we manage online. Our posture needs to be strong, solid.

So…I guess you could say my hopes for this post/talk are that the audience picks up one (hopefully more) tidbits of information that will make them more diligent online. I want people to understand website security a little better and to give them a plan of action to get their website security and online posture in order.

Let’s begin

The first thing I need everyone to understand is that website security involves several things. It involves Technology, Processes, and the People:

  • Technology – you have a local computer – you have a hosting environment, the different systems that you use that are integrated with your website, social media, the list goes on..
  • Process – Protocols that are used to transmit data (HTTP/HTTPS), protocols you use to recover your site once it’s been hacked, the process for updating your website or storing a password, the list goes on..
  • People – This one’s the hard one, the wildcard. We have hackers, that are getting better by the minute coming out with new technology. There’s us – the website owners – maybe we don’t have enough education. Then there’s the people that visit our website, maybe they have malware on their computer and upload something to your site, the list goes on..

Technology, People, Process

So, the point is, we can’t control everything, but we can mitigate the risk.

Let’s talk about the people, mainly hackers…

hack·er ~/ˈhakər/ (noun): a person who uses computers to gain unauthorized access to data.

Originally ‘hacker’ was a term of esteem, used to describe someone who tinkered around with systems and could break things down, reverse engineer, someone who was really good at understanding their system (whatever it was).  Now it’s used to describe someone who wants to do malicious harm online.

HACKERS: White-hat, Black-hat, Grey-hat , Blue-hat. There are different types of hackers.

    • Script Kiddies – usually computer novices who take advantage of hacking tools, vulnerability scanners and the like
    • Hacktivists – groups like Anonymous, hacking for a cause, usually to expose information, get someone out of prison, expose a corrupt official, things like that.
    • Cyberterrorists – hackers that go after government entities. Experts say World War III will be fought online, I whole-heartedly believe that.
    • Organized Criminal Hackers (Hacking rings) – groups that take down targets like Home Depot, the MySpace passwords that were recently stolen, etc.
  • Security researchers – the good guys (or the in-betweeners – Grey-hats) that try to get ahead of the bad guys or find a vulnerability before it’s exploited.

Motivations of hackers:

  • Revenue/Money
  • Resources
  • Just because they can / or the challenge of it.

Attack types and distribution..

For the most part you’re going to see two types of attacks. Automated, which make up the vast majority of the attacks that are out there. Then the less frequent targeted attacks. The targeted attacks are the ones we hear about and read about in the news headlines. But the ones we really need to worry about are the opportunistic or automated attacks. Given enough time, attackers can sit back and have their networks work for them, and have their scripts slowly find, test, and attack every available target on the internet. Malicious automation has gotten increasingly sophisticated and shows no signs of slowing down.

You can download Sucuri’s Q1 report on hacked websites here: https://sucuri.net/website-security/website-hacked-report

It’s pretty scary stuff, but to give you a precursor, Google reported in March of 2015 that 17 million website users had been greeted with some form of malware warning that the websites visited were either trying to steal sensitive information or trying to install malicious software on the users’ computers. In March of 2016, that number jumped to 50 million!! I imagine next year that number will grow to triple, maybe quadruple that. You can see as the internet grows, so does malware distribution. Google, alone, blacklists over 20,000 websites per week, over a million per year. That’s pretty staggering.

But what are some of the vehicles for distributing malware? There are a lot, almost too many to name, but I’ll name a few that’s seen quite often:

  • DDoS attacks – it’s an attempt to make a website unavailable by overwhelming it with traffic from multiple sources.
  • Brute Force Attacks – this is a trial and error method used by hackers to crack passwords through exhaustive efforts, not strategic ones. We see this a lot with Content Management Systems.
  • Software vulnerabilities – a weakness in a website or system that allows a hacker to gain access and/or infect it with malware. These are usually due to people not updating their systems.
  • Drive-by Downloads – refers to the unintentional download of a virus or malware onto a personal computer or mobile device
  • Phishing Lure – an attempt to acquire sensitive information (passwords, usernames, etc.) by masquerading as a trustworthy entity online.
  • Malicious Redirects / SEO spam – this is the manipulation of a website’s SEO and/or links to get traffic to a certain page. Often times a pornography site, or pharma page like Cialis or Viagra.

There are others like XSS (Cross-site scripting), SQLi (SQL injections), RFI (Remote File Inclusion), LFI (Local File Inclusion), and more. So we need to be very diligent, things are already working against us.

But what do we control as website owners?

A few things, right? Right now, we control our website (well, hopefully if you haven’t been hacked and locked out of your site), and what goes on it — things like themes, plugins, modules, extensions, add-ons…

We also control our hosting environment. And I want to make a quick note on how hosting plays a role in website security. Here is a picture of my CyberDuck (the FTP client) – I’ve blurred out a few of the domains I have on there (for security purposes).

The thing to note here, is that all these 6 sites, all these properties, they sit next to each other in your hosting account. It doesn’t make a difference to me if you have a dedicated server, a VPS, or a shared server. Most people have shared servers. Why? Because they’re cheap and they offer unlimited domains. I don’t think it’s much of an issue that people sit on shared servers with other people and “share” the resources, that’s not really the problem. Hosting providers will have their infrastructure set up so that it would be very difficult for malware or a virus to jump from one account to the other. But the issue it within our own hosting account.

Take the above picture. Say the two sites that are not blurred out – BeingAJiLe.com and AdamJamesLamagna.com – say these sites were really important to me (they are), but let’s say those are the only two I cared about on my shared server. The other 4 sites that are blurred out, let’s say I don’t care about them. Let’s say I never update (I do, but for argument sake). That means that those sites are susceptible through software vulnerabilities, or weaknesses in the code. If one of those sites gets infected, it could infect all the other sites on my server through an activity called cross-site contamination. I wrote a post on it. But remember this — your web host / server is only as strong as its weakest link.

Your web host /server is only as strong as its weakest link

And that’s how hosting plays a roll in website security. People put development or test sites on the same server as production sites, and then forget about those sites. Take a count of how many sites you have on your server, and do a little cleanup if there are sites on there that you don’t care about.

What do we do to actively protect our sites??

This is the thing, there’s really only 1 thing you can do to protect your site. And that’s to install a firewall, specifically a website application firewall. A firewall is a catch-all phrase, right? There are network firewalls, server-level firewalls, local computer firewalls, they all protect different things. You can read up on the Differences in Security Firewalls, it’s a good post. But a website application firewall, also known as a WAF, will protect your site from malicious incoming web traffic. What it does is inspects packets of data and compares it to known vulnerabilities and known trusted sources. If it matches a trusted source, it passes through, if it matches a vulnerability, it doesn’t.

But Firewalls, as all security technologies, are not infallible. They make mistakes, not very often, but maybe there’s a new virus that it hasn’t seen yet. It won’t pick up on it and block it from your website. But that’s the reality and why having a good online posture comes in handy.

Understanding the security state of your websites…

Another technology you can use to get insight into what is going on already on your website is called a scanner, or monitoring device. There are a few free ones out there like these:

All pretty solid technologies, but again they’re fallible. They’ll check the source code and files and compare it to known vulnerabilities. If a vulnerability has not been discovered yet, it won’t pick up on it. But that’s just the way it is, so we have to be strong in our online posture to be able to react accordingly, and hopefully prevent infection from ever happening.

Essentials of good online posture for your website security..

A few things (and let me preface this by saying ‘I don’t want to tell you what you already know’) that I want to impress upon you that are essential to good online posture.

  1. Backups – this one should be pretty obvious. You need to backup the files and the database (both of these!!). If you don’t change your content all that often, backup once a month. If you blog everyday, backup daily. Now for each specific CMS, there will be tools you can use. For WordPress, I use BackUpWordPress – it lets me automate backups on a frequent basis. But, what it will end up doing is placing the .zip file and .sql backup on the server. Remember what I said earlier about servers. You need to remember that once your backups are complete, to remove them from your server. Put them in a safe place on your local computer or somewhere in the cloud. Otherwise, your backups could become corrupted if your website gets infected.
  2. Updates – another one that’s pretty obvious. You need to update your site. Along with cool new features also comes security patches. This is what we care about – security patches. Now WordPress has been really great at backwards compatibility, meaning that when you update, it’s rare that thing break on your site. Well…as long as it’s not super customized. For those sites that are super custom or other CMS’s that aren’t great at backwards compatibility (ehem…Drupal), then the only way to really protect against this is to get a website application firewall – what I talked about earlier. Most firewalls will stop those vulnerabilities at the edge before it even gets to your site. Known security patches will get written into a firewall’s ruleset to help protect. Otherwise, I would make plans on fixing your website to be able to do updates.
  3. Passwords – I believe people are getting much better about their passwords, I think… Use a password manager like LastPass or 1Password. I bought 1Password for $50 for my lifetime, it’s totally worth it. Password managers will generate strong passwords for you, you don’t have to memorize them (you only have to memorize one – the one that gets you into 1Password). It will open up a particular website and autofill for you, which is super nice! And you can also share passwords via vaults with team members through a service like DropBox or Google Drive.
  4. Access Control / User Access – this ones always a tricky one. You have a CMS, and other users need to be on for whatever reason. Maybe they put new products on the site, or write blog posts for you, or make updates to plugins. Whatever the reason, users need to get on your site, you can limit their access through things like user roles, which WordPress does really well. But the other piece is authentication. Authentication is huge in the CMS world. I wold strongly suggest enabling something called two-factor authentication. You can do this pretty easily in WordPress and I’m sure other CMS’s too. You need to download Google Authenticator in the App Store using your Android or iPhone. Then I used the Google Authenticator plugin. When you install the plugin and go to a User (you can have a different code for each user, which is ideal) it will ask you to enable it and a QR code will pop up. On your iPhone/Android, you just scan the QR code and then miraculously it’s synced up. Now, every time you go to log in, it will ask you to put in your 6-digit code from Google Authenticator. The system knows it’s YOU who is logging in, and not someone else coming through a Brute Force attack. Now, if you don’t have an iPhone or don’t want the hassle, you can always install CAPTCHA or ReCAPTCHA, which will authenticate that the user logging in is not a robot/bot by asking it to spell some hard to read text or doing a math problem. I prefer Google Authenticator, but CAPTCHA is at least another layer of security.

So, where do I start if I don’t know where to start…

You start with an asset inventory list:

  1. Create a list of all the sites you own or manage:
    1. Where are those sites hosted?
    2. What plugins, modules, extensions, themes, 3rd-party systems are on or integrated with my website? Are they necessary? If not, remove them.
    3. Make a list of all the people who are allowed access to your site. Evaluate their permission levels, stress strong passwords, and enable two-factor authentication.
  2. Make a backup of each site:
    1. Files and Database – remember to take them off your server and store them some place safe.
  3. Make sure your site is updated:
    1. Core files, plugins, themes, modules, extensions, etc.
  4. Scan your sites for malware:
    1. Use one of the free DIY tools offered by Sucuri or other companies.
    2. Or use a scanner specific to your CMS, see below.
  5. Actively protect your site using a Firewall or CMS specific technology.

Here are a few tools for you to put in your website tool DIY basket:

Platform Agnostic Scanners:

CMS specific scanners (HackTarget has got some cool tools):

CMS specific scanners will compare your install to a trutsted install of the specific CMS to see if things have changed much, etc. It’s good to see if files have been changed or if there’s something on your site that just shouldn’t be there.

Reasonably priced Firewalls:

If you absolutely can’t pay for a Firewall and need something free, then I’ll use a combination of Cloudflare’s free CDN service, and Wordfence (this is only for WordPress users) – they bill the plugin as the “most downloaded security plugin for WordPress” – I feel like I’ve heard that before. But either way, this combination works really well for my sites, but keep in mind, my sites aren’t super high traffic. I imagine if you have a super high traffic site, that you can pay for a reasonably priced firewall.

But if you can’t, the above combination works for me. I use Wordfence’s automated scanning and Firewall, in conjunction with Cloudflare’s free CDN network (which will speed your site up regardless) and their security features. I also have two-factor authentication on my site and I use Login Lockdown which will limit Brute Force attempts.

In closing…

I know this is all a lot to take in. Website security just isn’t one thing, it’s many. We were told that putting up a website is easy, and that’s true, it is easy. But managing and protecting and keeping your site/visitors secure on a daily basis is the hard part! It’s a constant battle, but I hope this brought a little clarity to securing your website and being a more responsible steward of the internet.

A few more resources if you’re interested..

If you have any questions, please feel free to reach out! Many thanks!

The Frustration with Website Security

People just expect their websites to be secure!

People just expect their sites to be safe, and I’ll admit, I did for the longest time too! But that’s a far cry from reality and one that’s hard to sell.

I work for Sucuri, one of the best website security companies on the market today (probably the best – and yes, I am biased!). But I sell web products to agencies and enterprise level clients. It’s not so difficult to sell them on our products. Sucuri’s products, they just work and very well at that! What I need to sell people on is website security as a whole, which is much more difficult than you may realize.

Let me break things down.

There are all these moving pieces to the web, correct? Yes, there are. Even more so at a granular level when you look at company’s servers or hosting environments, file structures and setups, their clients and others who have access to these sites, the sites themselves and all their vulnerabilities. Not to mention the hackers, who rarely leave a trace and rarely get caught and rarely get punished for it.

Let’s start with different environments. There’s a great analogy I use for shared hosting, VPS, and dedicated accounts.

  1. Shared hosting – this, essentially, means that you are sharing resources with everyone else in that environment, like CPU time or memory space. It’s like living in an apartment complex and sharing the pool, laundry, and parking lot with your neighbors. You still have your own place, but if the laundry is tied up, you’ve got to wait!
  2. VPS (Virtual Private Server) – this is like living in a condo, because you’re still sharing resources that are outside of your condo, like parking space, but you’re ultimately responsible for things inside your condo. So, in a VPS environment, there are still shared resources, but portions of those resources are dedicated to each individual VPS.
  3. Dedicated server – this is like owning your own home. You’re responsible for the upkeep, but you also have access to all the resources, and no one shares them with you.

So, this is a very simplified version of server environments. Nowadays, people use the term ‘server’ and the term ‘hosting’ in somewhat the same way. Years ago, when someone said we host internally, it usually meant that they had physical servers inside their offices where they would manage them and actually host their sites on those servers. And for those of you who don’t know, a server is just a computer, with a little different hardware on it (even though, a desktop computer could run a server) – I know, confusing!!!

Hosting is done by a number of different providers like WP Engine, 1and1, GoDaddy, Pantheon, and so on. They have the hardware and resources to handle many different types of platforms (or a specific one), and they also make things easy for people to manage their environments through something called a C-Panel or Control Panel. It’ll give you access to your domains (if you’ve pointed them from your registrar or used the hosting company to buy the domain) and let you change the directory path and DNS settings, things like that.

Now with most servers, there will be server-level firewalls set up with the infrastructure, but that means that it’ll still let in web traffic, which is what we need a lot of protection from. Port 80 (HTTP) and port 443 (HTTPS) traffic can let in a lot of different activity (good and bad).  This is how your visitors reach your site, through one of those two ports depending on whether or not you have an SSL certificate. So, there are many different ways a website can get compromised.

  • Software vulnerabilities
  • XSS (Cross-site scripting)
  • Backdoor Injections
  • SQL Injections
  • SEO Spam
  • DDoS (Distributed Denial of Service) Attacks
  • Brute Force Attempts

And the list goes on…and on…and on…

But you have to be aware of this stuff, and keep in mind that a lot of these attacks are automated. Some may be done manually by a bored teenager sitting at home in front of his computer. But for the most part, they’re automated attacks. And keep in mind there are attacks of opportunity (which we are all susceptible to) and targeted attacks, which are usually for the bigger brands and companies, but make no mistake if you engage in controversial content on your website (like religion or politics), you can very well be targeted too!

There are a few different reasons why someone would want to attack your site or gain access to it. It’s not just money, but that can be part of it.

  1. Revenue – and I’m not talking about people trying to steal credit card info (although, that happens all the time), but if you don’t do anything with e-commerce, hackers can still profit off of your website. Imagine a hacker injects your site with malware and then your mom visits your website. She unwittingly downloads something that your site told her to download (because she trusts you and what you put on your website) and then four hours later she has no money in her bank account. BOOM!! Oops… That’s what I’m talking about. And there’s also SEO spam. Hackers who use your site to redirect traffic to their pages to make money by inserting links, or keyword stuff your site (which will send your rankings through the floor – and it’s hard to recover from) to get better rankings in the short term and make money off of your audience.
  2. Resources – this is another big one. Maybe the hackers don’t want money, but they may want your resources. Things like bandwidth or CPU. They can build a network off of your system and lease it to others. Now hackers can take your resources and use them to attack other unknowing parties, without YOU (the website owner) even realizing it. Scary, right??
  3. Lulz – yup, that’s right, lulz!! What is that you ask? Well…it’s just for the hell of it! Fuck it, let’s try it! I want to see if I can do this. Again, it could be some bored teenager just sitting around chatting on the security forums. Someone tells them about a tool to drop scripts in a website via a contact form, and they want to see if they can do it and gain access. Then once they do, who knows what could happen!! Be careful of this, because this is really hard to mitigate against. Get a WAF (website application firewall).

We have to be careful of things like Ransomware (holding a website owner’s site hostage) or Malvertisements (malicious ads) and there’s no one right way to do this. It really starts with education, so if you’re reading this post, kudos!

Some thoughts on general security

In order to keep your site (and your visitors) safe, you’ll need to explore general website security. Starting with monitoring and a firewall. Sucuri offers an awesome monitor/firewall package, our Website Security Stack. But if you can’t afford that, then look at all the free stuff out there.

You can use our Sitecheck to see if there is malware on your site. But keep in mind this only scans remotely, it can’t check the database.

You can learn how to harden WordPress. Which is basically locking a few things down like access, having containment, certain configurations.

Or you can take a look at OWASP and ModSecurity – which are open source and free to use, you just have to configure the firewall yourself, and that can get confusing!!

The Frustration of Website Security

And this is the frustration of website security—is that there is no 100% solution out there. I don’t think there ever will be! Ever! The reality is is that the landscape of websites and their environments change so frequently that once a solution had been produced, hackers have already found a solution of their own to beat it. And that’s the continual cycle.

So educate yourself and the people around you. If you own a website, you not only have a responsibility to it, but to your audience, and the web in general.

More to come on this topic…..

The Cost of Doing Business with a Web Agency

I got asked a really great question last weekend and figure I would expand on it in a blog post. The question was “what’s the difference between a $2,500 project/website and a $15,000 project/website?” This, believe it or not, is one of the most probing questions I’ve ever been asked. Hence, the need to write a blog post on it.

So…what is the difference?

I’ll tell you as I see it, and I want to preface this by saying, my word is not absolute. This is completely my opinion and my thoughts that stem from the experiences I have working at a small agency and a larger one. The smaller agency charged anywhere from $2k – $20k per project and the larger agency charged anywhere from $50k – $250k per project. I would love to say that the difference is level of effort, but that’s not necessarily true. I think what we have to do first, is look at the variances of what we’re talking about. There are many, many variances in agency types or tiers, types of projects or websites, and variances within those projects.

So what kind of an agency is right for your business, what are the pro’s and con’s of each?

Types of Agencies

In the design and development world there are all types of designers and developers ranging from freelancers to mega-web agencies, small design shops to professional engineering firms. There are marketing agencies, social media agencies, and SEO agencies. For the sake of this post, I’m going to concentrate on the different types of website design/development agencies, the ones that do strategy, design, and development. This will be mostly for people or companies looking to get a website designed and built.

  1. Freelancers: These are the hardest ones to put in a category, because like agencies, freelancers can range a great deal. There are the novice freelancers, many of them do projects for next to nothing, sometimes they actually charge nothing. They’re just starting out and want to grow their portfolios. But then, there are other freelancers out there who are phenomenal. Usually these freelancers are expensive and don’t take on many projects because their plate is already full. You can usually find freelancers ranging from the novice to the expert on sites like Upwork or Elance, just make sure to check out their ratings and reviews.
    • Advantages: One person owns the project from start to finish (not being shuffled between people); Almost always less expensive than agencies; Can usually get the job done very quickly
    • Disadvantages: One person owns the project from start to finish (so, stability could be an issue depending on the freelancer), if they run into a speed bump that could mean the end of the project; Skill set is usually limited to one area like development or design, not both — unless you find that unicorn freelancer, they are out there!
  2. Small ‘Everywhere’ Web Agency (2 – 10 employees): These agencies are very common and popping up everywhere (hence, the ‘everywhere’), and like freelancers, they can range a great deal. Most small web agencies don’t have a focus in terms of industry. They’ll work with a lot of companies ranging from lawyers to restaurants to local businesses. The owners often times act as project/account managers and the staff is limited in their experience. That’s not to say that these agencies aren’t good, there are good ones out there, but they mostly do simple marketing redesigns, blogs, and brochure-style websites.
    • Advantages: Prices can range, but usually it’s within a small businesses’ budget. Often times you can get redesigns done for $2k to $10k; These agencies are friendly and will treat you like family, and they’ll go the extra mile to keep you as a client.
    • Disadvantages: They sometimes use templates for design, so you’ll see many clients that have the same navigation bar or search box style; Sometimes they’ll modify themes instead of making custom ones; And often times they don’t have an in-depth process when it comes to the strategy surrounding the project.
  3. Boutique Web Agency (5 – 25 employees): These agencies are the ones that usually have sharp focus in a niche industry, like “we only work with non-profits,” which makes them really great in that one (or two ) specific vertical(s). Their process is somewhat refined and they have a small team. They usually have top-tier talent (one or two rockstars) and project or account managers. They work with medium-sized business and most likely have a few enterprise level clients.
    • Advantages: Focused verticals, know the specific industry inside and out; Refined strategy processes; Top-tier development and/or design talent; Most likely have good project management skills
    • Disadvantages: They have small teams that are most likely working on a number of different projects; May push out the start date depending on workload; Often times rely on the top-tier talent to take the bulk of the projects
  4. Professional Web Firm (25 – 75 employees): These firms are the ones that have focus in a few different industries and market themselves that way, but they’ll also push their own boundaries and take on projects outside their industries (not all the time!). They usually have a sales department (or sales guy) and marketing team. They’ll have dedicated project teams and a handful of project managers. They’ll also have a solid leadership team to motivate and corral the team members when needed. They have processes set in place and incrementally improve them. They consider strategy a big part of the web game and use it to deliver solid projects. They have full day discovery workshops and probably do user testing to confirm hypotheses. They work with big companies and enterprise brands, but still have a few small to medium businesses that they got when they were starting out.
    • Advantages: Custom work, you’ll get a unique website that’s built for your users (hopefully!); There will be an outlined process; Roles and responsibilities will be defined; Strategic thinkers that will use data to make informed decisions; Will assign a dedicated project manager; Top-tier talent
    • Disadvantages: They’re expensive; And they’re not the quickest on project timelines, they plan and plan, and that takes time; Often times they overload their team because of client demands
  5. Mega Web Agency (100+ employees): These are the large agencies that take on a number of different verticals, they almost always have distributed teams and work on some really big projects. They’ll have every type of agency person including user experience designers, digital strategists, marketers, software engineers, strategy partners, and a large leadership team with dozens of years of combined experience. They usually don’t take on projects for less than $250k (I know some that start at $500k or even above!). They work with brand names (think Google) and they’ll do mostly (if not only) custom work.
    • Advantages: Super custom work tailored to your users; Strategy will be the biggest part of the project; They’ll usually work in sprints and test at the end of each sprint to verify concepts and prototypes; Quality Assurance will be meticulous
    • Disadvantages: You need to be a huge company to work with these guys, because they are expensive; There might be a waiting list to work with them; There will most likely be a number of people in on the project at different phases/stages of the project, so you’ll meet new people constantly

What about agencies with 75 to 100 employees?

Good question! Well, this is by no means a complete list. I’ve noticed the farther I go in web services (or just web in general) there are soooo many types of agencies out there. There’s also the Digital Body Shop which usually has anywhere from 50 – 100 employees, and they do a bunch of different projects in different verticals and work with a myriad of industries.

Just remember, this stems from my own experiences and the people I’ve talked with.

Let’s get into project type and what their average costs are with the different agencies.

Types of Projects / Types of Websites

Like agencies, there are definitely a myriad of different projects and websites that can be created, designed, and built. Some are simple, and some are super complex. So, I’ll list out the most common projects most people are likely to encounter and most agencies and/or freelancers would take on. To limit things (because this is already a long post!!), I’m going to just do pricing for the 3 web agencies in the middle: Small Agency, Boutique Agency, and Professional Agency. Please keep in mind, these are averages (prices all depend on the scope) and can realistically range from $1,000 to millions!

  1. Blog: This is perhaps the simplest type of site which mainly consists of a content management system (like WordPress) and updated content coming out on a regular basis.
    • Price:
      • Small: $1,000 – $5,000
      • Boutique: $3,000 – $15,000
      • Professional: $10,000 – $35,000
  2. Microsites: These can be deceiving. Just the term ‘microsite’ sounds small, but I assure you they can be the opposite of that! Microsites are usually when a company wants to promote an event or showcase a certain branch or department of their company. Often times there is video or images, CTA’s (calls-to-action) prompting the user to do something like signup for a service or check out certain resources. They can be cool ways to get more awareness.
    • Price:
      • Small: $2,000 – $8,000
      • Boutique: $5,000 – $25,000
      • Professional: $25,000 – $75,000
  3. Marketing Site: These are called different things, sometimes Informational sites, or Brochure-style sites, but essentially these sites just market your company or cause or whatever! They can be a little trickier than blogs because often times they require implementation of ad-serving, email newsletters, videos, or image galleries. I’ve seen these sites range anywhere from $5,000 to $80k, depending on what’s involved with them.
    • Price:
      • Small: $2,000 – $10,000
      • Boutique: $10,000 – $50,000
      • Professional: $35,000 – $100,000
  4. Site/Application Build: These are a little trickier to price because they almost always involve doing some type of integration with another system. Like integrating with a booking engine or an events registration system. These builds can be complex and should be handled by top-tier talent. Be careful to go with a price that’s too low (there is such a thing!) because they should be priced accordingly – they are hard projects to work on!
    • Price:
      • Small: $8,000 – $20,000
      • Boutique: $35,000 – $120,000
      • Professional: $75,000 – $250,000
  5. Membership Portals / Member-Based Sites: These can be fun projects and if done right can come out really well. With WordPress there are some default membership properties like Editor, Author, Subscriber, etc. But a good agency can do almost anything with these and other CMS’s, like Drupal, let you customize your user roles. But because the needs of a client can vary a great deal depending on what they want their membership site experience to be like can determine how much the project will cost.
    • Price:
      • Small: $5,000 – $25,000
      • Boutique: $30,000 – $150,000
      • Professional: $75,000 – $300,000
  6. Ongoing Support: Obviously this all depends on the size/scope/scale of your digital property and what your needs are, but usually prices start at the following amounts.
    • Price:
      • Small: starting at $100 per month
      • Boutique: starting at $500 per month
      • Professional: starting at $1,000 per month

Again, this is not a complete list. There really are multiple (sometimes endless) types of sites that you could potentially do. You could also have a hybrid of sites, like a Microsite within a Membership-Based Site, oh the possibilities!!

I guess that’s what I like about the web, the possibilities, they are endless!

But I hope this sheds a little light on what types of agencies are out there, what they typically charge for web projects, and what to expect from them if you ever need their services.

So, to answer the original question, I’m not sure what the difference between a $2,500 website and a $15,000 website is. I would say there are different types of agencies that price projects out differently depending on their market size, location, and client type. But with that being said, I really hope that a $100,000 project from a professional agency comes out better than a $10,000 project from a small agency,  but I tell people it’s like buying a car – “You can get a Hyundai Accent for $15k and you could get a Lamborghini for $250k (is the Lambo better? Maybe..) but they’ll both get you from point A to point B!”

Coffee’s For Closers

….but only if you have an established sales process.

I’ve given this talk a few times. It started out as a flash talk and turned into a full 30-45 minute presentation. I’d like to write out this presentation in long form, that way the next time I give the talk, I’ll be able to direct people to it afterwards.

Let’s begin

How many people here are familiar with the scene “Coffee’s for Closers” in the movie Glengarry Glen Ross? To give a backdrop, Glengarry Glen Ross was originally a play turned into a movie depicting the lives of real estate salesmen. “Coffee’s for Closers” is a scene in that movie where Blake, portrayed by Alec Baldwin, comes down to motivate the other salesmen.

“Put that coffee down! Coffee’s for closers, ONLY! You think I’m f*ck!ng with you? I am not…”

He’s basically saying that if you’re in a sales capacity at an organization and you’re not closing business, don’t drink the company’s coffee, let alone make the base salary that you’re making. And is that true? Should coffee be for closers? The answer it YES!! Absolutely! Coffee should be for closers….but only if you have an established sales process. Because if you don’t, then you can’t expect your sales people to close on a continually basis.

We need a sales process to integrate ourselves into. To focus on it, to make it a standard, and then finally to improve it.

Introductions

So, who am I? My name is Adam Lamagna, sounds like lasagna! Easy to remember!! I am a sales consultant for Sucuri, I help agencies pick the right solutions to secure their websites and their clients’ websites.

When I turned 18 and graduated high school, I flew out to Hollywood, California to become a rockstar, that dream was short-lived! I got into sales and I’ve done everything from cold calling, to door-to-door, inside sales, to high-pressured, hard selling. I got into technology about around 2012 and haven’t looked back since. I’ve worked for a small web agency and a large (enterprise-level) agency. I love business development and sales. I believe sales to be a noble profession!

History of Sales

The history of sales is super important, it gives us an overview of how sales has progressed and where the pivotal moments were. If anyone wants to read more about the sales process, you can always check out my blog post on the history of sales. Starting at the beginning of time, we had the bartering system. You give me this, I give you that — still relevant to this day. But when money was introduced, it turned the bartering system into markets and gave us a system to improve upon.

Fast forward to the Industrial Revolution, this is when the modern day salesman comes into play. He’s also known as the exaggerated salesman, the guy who would sell you snake oil. And from there up to the 1950’s, when we see the fast-talking salesmen come in, it’s really important to note that all the information in the sales process was owned by the seller. If a consumer wanted to know more about a product or service, they had to go to the seller to get that information.

Consumers finally got wise to this, so in the 70’s, 80’s, and 90’s, we see things like SPIN (Situation, Problem, Implication, Need) selling, and Solution selling, and Strategic selling. They were kind of variations of themselves, but they all aimed to bring the consumer into the process, and make them feel like they were making informed decisions based on data. When the 2000’s hit and information was readily accessible, it rocked the very foundation of the selling world. Sellers were no longer in control, it was the age of the buyer!!

Sales Process

What is a sales process? Simply put, it is your view of your customer’s buying journey. With all the tasks, steps, procedures, and resources it takes to effectively manage that buying journey. I separate the sales process into 3 areas: 1—Pre-sales, 2—Engagement, 3—Post-sales.

Pre-Sales

Pre-Sales is planning and preparing to effectively engage the right prospects at the right time with the right tools.

First off, you need to know your buyers. Who are you selling too? What verticals/industries are they in? What do they care about and what do they need to make a decision? You can do your own buyer personas with this link to a HubSpot template — http://offers.hubspot.com/free-template-creating-buyer-personas — this is a really easy way to figure out who your buyers are.

Next is the marketing collateral. What are you using in your ‘sales tool-bag’ to sell people with? Your marketing collateral should do two things. 1). Showcase your talents. 2). Answer your buyers’ questions. You can answer your buyers’ questions by writing blog posts. You probably get asked the same questions over and over again. Well, write a blog post about it! Then showcase your talents through case studies and portfolio pieces. You can also reach out to the giants like WordPress or WP Engine to see if they have any marketing collateral you might be able to use. They’ll have written white papers that are available to download and use. Check it out!

Engagement

Engagement is the fun part! It’s actively talking to your prospect and funneling them down the sales funnel. There are different stages in engagement and it’s important to know the essentials (my own terminology) of each stage:

  1. Requirement: What is the requirement for a prospect to be in or get into this particular stage?
  2. Purpose: What is the purpose of this stage? Or what am I trying to accomplish with this stage?
  3. Team Member: Who am I using in this stage? Is it just me or should I bring another team member in? If you are a freelancer, then what hat (cap) am I wearing?
  4. Resources: What collateral should I use for this stage? What’s appropriate?

Then you’ll want to grid out each essential for each stage.

Closing

How do you close on a continual basis successfully? That is a phenomenal question. One that I do not have an answer to! But I will say this — it revolves around value! I look at 3 different areas of value.

  1. Value Relevancy: Is the prospect’s challenge relevant to what I do? In other words, am I the right person to solve this prospect’s challenge? If not, refer them to someone who is. Do NOT chase a client who’s project isn’t relevant to what you do! Please!
  2. Value Perception: This is a really important thing to learn about, value perception. Understand what the prospect’s perceived value is. Ask questions like “have you ever done a project like this one for your company?” and really try to understand what they perceive your value to be. Because, make no mistake, the perception is the reality. If someone values your skill set to be below what it actually is, then that’ll make for a frustrating partnership and project. If someone comes to you with a budget of $15k, and you know it’ll only take you $5k to do, their perceived value of that project is already $15k. You’re going to need to educate your prospects and sometimes that can be really hard to do. Learn value perception and how big a role it can play in the sales process.
  3. Value Diagnosis: Focus on your prospect and what they need. Make them a collaborative partner. Remember, it’s about the observable symptoms of problems and how they can be solved within the parameters of the solution. Encourage things like ownership and have a mutual self-respect/mutual self-esteem with your prospect. This can ultimately make you stand out from the competition.

Post-Sales

Once you close business, you then become a client advocate. You need to do a proper handoff with your new client and the Project Manager. If you are a freelancer, then it’s time to switch roles and become that PM. Make sure you explain what’s going to take place over the next month or two, or 7! Make sure your client understands the role and responsibilities they have. And finally, check in with your new client after the project is in full swing. Ask them about the sales process, what did they like or dislike? Ask them if they’d recommend anyone for your services. Keep in touch and become that client advocate — it will lead to more business.

Quick Tips

In sales there are very few things that are within our control. These are the things you’ll want to keep in check:

  1. Listening: They say great salesmen listen 70% of the time and talk 30% of the time. That is not the case for me, I talk a lot more than that. I wish I could talk less, hehe! I don’t care how much you talk, but when you’re listening, make sure to actually listen. Respond with good feedback and answers.
  2. Time: If you are not a wealthy person, time is your next greatest commodity, spend it wisely!
  3. Attitude: The best sales people are the ones who can dust themselves off from a loss and go after the next deal with the same gusto and rigor as they did the very first deal they ever went after! People can hear when you are not smiling over the phone, believe me, they can!

Recap

The sales team and the marketing team work together. The sales process consists of Pre-sales, Engagement, and Post-sales. And doing all this will eventually lead to closing more business and drinking more coffee.


The Wonderful World of Hacking

I’ve always been fascinated by hackers ever since I saw the movie Hackers, which I now know does NOT accurately portray what being a hacker consists of. Hackers are an interesting bunch. Why? Because their reasons for doing what they do can vary the full length of the spectrum.

Let me explain

Back before computer systems and the internet got to be wildly popular, the term “hacker” was used to embody the tinkerers of software or electronic systems. These hackers enjoyed learning (and exploring) all they could about computers and the way they operated. In the beginning, hacker was a term that was used to describe a person who was really awesome at working with computers.

Now…it’s taken on a slightly different and somewhat complex meaning.

When you hear the term hacker, you automatically think of someone who tries to gain entry to a website or system to do something malicious, whether that be stealing information, defacing a website, etc. The term hacker now refers to someone who maliciously breaks into systems for personal gain. But the key phrase within that sentence is personal gain. What is personal gain? Well…it could be just about anything.

SOME OF THE REASONS WHY HACKERS HACK:
  1. Profit – this could be money or this could be web traffic.
  2. Notoriety – some hackers like to hack for the esteem it brings them in the hacking community.
  3. Hacktivism – hackers try to disseminate political or social messages and campaigns to raise awareness surrounding a certain issue or issues.
  4. Hobby – others do it because they want to see what they can break into, how hard it is, and so on.
  5. Because they can – yup, some do it just because they can.

Now, just like hackers hack for varied reasons, there are also several types of hackers out there and their motivations are varied as well.

TYPES OF HACKERS:
  1. Script Kiddies – these hackers are considered (in the hacking world) to be novices. They take advantage of hacker tools and upload scripts to different places (often times, without knowing what that script will do or how damaging it’ll be) for the fun of it. Hence the name, Script kiddies.
  2. Hackers for Hire – these hackers are the mercenaries of the cyber world. People will enlist their services for money.
  3. Cyberterrorists – usually they attack government networks or power/utility grids. These hackers will crash systems and steal government top secrets (aliens, UFO’s, stuff like that!). Very dangerous hackers, very dangerous!
  4. Criminal Hackers – often a part of an organization of hackers, they are very skilled in breaking into systems (often times, without a trace) and either stealing credit card info or personal identification information.
  5. Security Researchers – these guys are the good guys, the ones who find flaws in companies and organizations’ systems and bring them to light without causing harm. They’re also the ones who develop the tools to use against malicious hackers.

Now let’s talk a little bit about the different categories of hackers, they can all be described by colors. I know, pretty cool, huh?

CATEGORIES OF HACKERS:
  1. White Hat Hacker — the good guys!
  2. Black Hat Hacker — the bad guys!
  3. Grey Hat Hacker — kinda the in-betweeners, sometimes for good, other times, not so much.
  4. Blue Hat Hacker — the ones who get paid to uncover vulnerabilities (I feel like these guys should be called the green hat hackers, but that’s just me).

So, now that you have an idea of what types of hackers are out there, and before we get into what types of security threats are out there, let’s take a look at why it’s getting increasingly easier to hack systems and websites.

  • Networks, nowadays, are extremely widespread and we are all connected
  • Lots of hacking tools available
  • Many and many wifi networks that are open
  • Applications have complex codebases
  • Generations of our kids are getting super smart when it comes to computers
  • Anonymity

There are sooo many things that people should be concerned with if they are on the internet, have a website that they manage, pay for products online, or have personal identifiable information online. If you don’t participate in any of the preceding things, then you are a hermit and stop reading this post. Ha!

But hacking happens every single day. Every. Single. Day. Every. Single. Hour. Wrap your head around that! It does happen and if you have not been hacked, then you’re lucky, but it will eventually happen to you unless you take proper action, which I’ll write about in an upcoming post. But (and this list is by no means complete) here are different ways hackers can mess with you or your systems.

TYPES OF ATTACKS:
  1. Brute Force – these attacks are when a hacker keeps on trying to gain access to your login credentials on any number of password protected sites, by continually trying different password combinations. Almost like a guy trying to break down your door. When ramming his foot into it doesn’t work, he’ll try a battering ram, when that doesn’t work, maybe he’ll try to pick the lock. Hence, brute force. These happen on my WordPress sites everyday.
  2. DoS / DDoS – ahh, the infamous Denial of Service or Distributed Denial of Service. This is an attack that’s designed to flood a website or network with traffic overload to render it inoperable. The group Anonymous (which is a network of hackers that primarily hack to bring certain issues to light) is well-known for a series of public DDoS attacks. Interesting group and I would never want to do anything to upset them, that’s for sure!
  3. SQL Injection – SQL stands for Structured Query Language, which is used for communicating with databases. The injections are attacks that “inject” (obviously) malicious code into a database to gain access to that database.
  4. Cross-Site Scripting (XSS) – this is a vulnerability which allows hackers to insert client-side (meaning executed by a user’s web browser) scripts into pages on a website or application. Then they can go on and do anything malicious or see certain activity, etc.
  5. Cross-Site Contamination – this is when hackers gain access to a “secure” site by infiltrating it from a site that’s not secure, but on the same server. We see this a lot when people have outdated CMS installs on the same server they have the updated ones on.
  6. Phishing Emails – have you ever gotten an email asking you to update your profile on Facebook, but it looks a little off? That’s because it probably is! Phishing emails are exactly that, they’re when hackers are fishing for information. You’ll get an email that looks a lot like it came from Facebook (the good phishing emails are the ones where you can’t tell the difference) asking you to put in your password or personal information. Hackers are able to log what you do on these sites/emails, so don’t ever click anything in an email unless you absolutely trust the source, but even then you can’t be 100%, be careful!
  7. Social Engineering – this is a method many hackers use that relies on interacting with humans. It’s basically getting a person to be relaxed enough to offer up information they normally wouldn’t give out. So, if you’re ever on the phone with someone (a person you don’t know, like someone claiming to be from the post office or some other government agency) and they ask you what your mother’s maiden name is, don’t give it out unless you are absolutely positive you’re speaking to the proper person.

Again, this is by no means a complete list, but these are some of the common things hackers will try. The best way to protect yourself is by getting a service like Sucuri’s AntiVirus or Firewall plans, making sure to keep your systems updated, and by being informed. Make yourself aware when you’re online and be cognizant of what you are clicking on and activity in general. And luckily, you won’t be another statistic of getting hacked!

A History of Sales

I’m giving a presentation at WordCamp next weekend on establishing a sales process. The WordCamps that I’ve been to are heavily focused on developers and freelancers. So, I asked myself, where does a presentation about sales fit in to this event? My talk is geared towards several different types of people, either for a 100-person agency that has a dedicated sales team, a 10-person company that has one salesperson, but I really want to focus on freelancers who don’t have an established sales process to their business. So, I’ve been reading a lot about the history of sales and I’ve found some pretty interesting things. I’ll share it with you.

Before I begin I would like to say that I believe sales to be a noble profession. There is such a stigma associated with sales and I’m pretty sure being a car salesman classifies you as the least trusted professional out there, Congressmen rank a close second! But sales is the 2nd oldest profession in the world, next to the oldest profession in the world as the adage goes. Go ahead – google “the oldest profession”, but I would argue that there is an element of sales to “the oldest profession”, so sales is technically the oldest profession!

As time has progressed, the industry that changes the most is sales. Sales needs to adapt not only to the market, but the buyer as well. It’s a delicate feat to sell things. I don’t care what it is – cars, commodities, services, solutions, warranties, carbon fiber, umbrellas, whatever – it takes skill to continually do it well. There are so many moving parts to sales. There’s the market, this fluctuates quite regularly depending on what industry you’re in. There are the buyers, consumers, prospects – and they all have different personalities, different thresholds, different emotional triggers. Then there’s the company you work for – this fluctuates – new people come aboard, new features get added to your product or service. And then there’s you – the salesperson – who holds all that together, and still manages to close business month after month. Kudos!

So let’s look at the history of sales:

The Beginning of Time

At the beginning of time, there was the bartering system. You give me three cows and I’ll let you harvest an acre of my corn field – fair deal? Maybe. Maybe not. There has been some form of selling since the birth of mankind because the human instincts of wanting and needing have always been around. I doubt whoever made that first transaction of the acre of corn and those three cows knew they were making the first sales deal, but it created a system for improvement.

Before the Common Era:

We fast forward all these years later to right around BC(E) and money was born. Now money was really born well before this, I think somewhere around Mesopotamia and coinage had been introduced by the Greeks. But the Roman Empire and Roman currency, which consisted of gold, silver, bronze, and copper had their own system and it was quite sophisticated. They started minting coins and used it as a way to keep track of debts and sell items worth value. I don’t want to take any credit away from the Aztecs, the Egyptians, the Celts, the Chinese, and so on. The point that I want to make is that the invention and implementation of money developed the bartering system into markets and helped initialize sales.

The Industrial Revolution

Centuries later we move into the 1700’s and 1800’s, the Industrial Revolution is in full swing. This ushered in what we know today as the “modern day salesman” – the traveling salesmen (a.k.a. the snake-oil salesmen). Now for those of you who do not know what snake oil is, well, it’s the cure-all potion that turned you into a new person. Snake-oil started being used by the railroad workers who would lay track all across the country. Their bodies would hurt, their muscles were sore, and their bones would ache – so, they needed something to cure that pain. In comes snake-oil and the traveling or exaggerated salesmen. They were showmen, they made big, exaggerated claims, sold the snake-oil elixir, then would high-tail it outta town and move on to the next one.

To give you a little background on snake-oil, originally it had rattlesnake venom in it that would numb a worker’s body when he rubbed it on himself and claim to calm their pain. At that time, snake-oil soon became synonymous with miraculous healing powers, even though, often times the ingredients weren’t made public. Due to rival salesmen in the medicine profession there was a huge push to uncover the ingredients and a century later snake-oil became synonymous with hoaxes. And the snake-oil salesman was the equivalent to a charlatan, a hack, a fraud, etc.

But there were other salesman of this time period and they sold everything. The Industrial Revolution was a time of growth. Products were mass produced and manufactured – textiles, clothing, etc., and all these things didn’t sell themselves.

Time for tactics and techniques

How to Win Friends and Influence People – this book written in 1936 by Dale Carnegie was the first of its kind. It’s a self help book but naturally, salespeople gravitated towards it. It really started the techniques of selling – how to connect with people, how to persuade people, how to influence people. It talked about how to get people excited about things and have a winning attitude towards life and your job. And… it was all in lists – 12 ways for this, or 6 ways to do that. A great, easy read and most of what Carnegie writes is still quite relevant today.

But this sparked a movement in sales, you could actively use and improve your techniques to get people to buy your products or services. You, as a salesperson, could control the outcome of a consumer transaction by implementing psychological tactics. It wasn’t rocket science, but it was still pretty genius!

The Fast-Talking Salesman:

(hello, Kirby vacuum cleaners)
Also known as the Kirby Vacuum cleaner salesman, they were introduced in the 1940’s and 1950’s. These were the gentleman salesmen who would go door-to-door and invite themselves into the homes of housewives and put on a presentation of the benefits of their product. This really is the dawn of the retail age. And at this point in the sales industry, the seller held all the information. The consumer was only told what the seller wanted them to know. So, the seller could say whatever they wanted. If a consumer asked a question, the salesmen could lie or not tell the entire truth. It made for a one way street where salespeople held power over their customers and if a consumer was remotely interested in a product (such as a Kirby vacuum) the only information they could get on it was right from the salesman’s mouth.

This didn’t last very long because consumers got wise to the information exchange and their reactions to “The Fast-Talking Salesmen” changed (yet again) the face of the selling world.

The 1960’s

This was a time of cultural divide, opposition was growing for the war in Vietnam, racial tensions were stirring, class issues were starting to get noticed, and great music was born! But, selling was also taking a drastic turn. Instead of the salesman having all the information, we started to see this shift from “ask me a question and I’ll give you the answer” to “here’s some information, let’s figure out what you need” – and in comes Strategy Selling in the 1970’s – a salesman was trained to do an effective analysis of their consumers’ business or company and would make the consumer more a part of the process of selling, so the consumer would feel like they were making a sound decision with the help of their salesperson who knew about their business.

We see SPIN Selling – Situation, Problem, Implication, Need, then payoff! Or Consultative Selling in the 1980’s which was really about asking as many questions as you could (being a salesman), this would build rapport and uncover the true meaning of the consumer’s inquiry into your business (be it product or service). SPIN selling is an interesting methodology. Situation – understand the facts about the customer’s situation. Problem – focus the buyer on his actual, current problem. What is it now that we need to solve? Implication – discuss the implications of a). what happens if the customer stays with their current service or product, and b). what happens when they switch to your product or service. Then finally, Need – you want the customer to tell you about their needs, having them articulate their need is better than you articulating it for them! Remember that – people buy when you ask questions that get them to uncover their own needs, people resist when you tell them what they need. The 1980’s was when Glengarry Glen Ross (the play) came out and Always Be Closing started gaining popularity moving into the 1990’s. This is when we see a shift from uncovering the problems of the customer to being a well-liked salesman by building trust through connection, relationships, and your willingness to provide the right solution.

The 1990’s

In comes Solution Selling – the salesperson focuses on the consumer’s pain and addresses that particular pain point. But there is a huge element of connection with salespeople. They want to know about their consumers’ lives, they ask about their kids’ little league games, they ask about the extended family. Solution selling was about the solution, but it was also about the relationship. People do business with people they like – bottom line – still holds true to this very day! But the 1990’s brought with it the confident salesman, the detail-oriented salesman, the salesman that would build strong relationships with the buyers to encourage them to commit to buying, but also working with them side by side to understand all facets of the solutions and which one would be the most appropriate fit. The economy grew in the 90’s and it was a good decade for salesmen!!

Gordon Gekko – the ultimate solution seller (not really!)

The information age totally rocked the selling world:

And then the internet came and took with it the old school salesmen of the last 3 decades and a new breed of seller was born. This new breed of salesmen had their own way of doing things, it was all about acknowledgement and understanding that the buyer already had the information. Salesmen had to adapt literally overnight. I mean, if you think about, you can walk into a dealership tomorrow and say “Hey, that Hyundai Accent on the lot, well, I want for $12,000 because it says right here (holding up your smartphone) that I can get it for this price.” – Rock the boat a little more why don’t you. This is when I got into sales, we were right on that cusp of “old way” tactics to developing pitches and strategies that would let our customers see we were all about diagnosing the problem and working with them before any contracts were signed. Salesmen had to give up more of their commission because they spent more time in the life cycle of the sale.

Now, a great deal of effort goes into selling complex, big-dollar, high-stakes sales. That’s just the way it goes. In order for companies to compete in this landscape, they have to forfeit more time in the beginning to nurturing the relationship, diagnosing the problem (and essentially bringing more employees to the table) with their buyers, and having some type of deliverable before any contracts are signed.

But that’s how people win these days. They give something for nothing. Salesmen are generous and authentic. There’s a stigma because we still see cold calling, knocking on people’s doors, email blasts, Linkedin inmail messages piling up, solution after solution coming out, cloud-based SaaS products that people need (or don’t). But the bottom line is, in order to be a salesman in this game, you actually have to want to help people. The sales guys who are super slick are laughed out of the room these days. No one buys anymore from a pushy car salesmen, I wouldn’t. But I would buy from someone like me. I’m invested in getting people the right solution, even if that means it’s not from my company.

The face of the selling world has taken on many different looks over the years, and I guarantee that it will continue to evolve and change. I see the sales industry going in one of two directions. 1). Sales people will become more commoditized, and they’ll be ranked by number. The great sales people will be getting offered large salaries to come to work for the buyers of the industries to help vet other salesmen trying to sell them something. Or 2). The effort salespeople put in will continue to increase, the demands of the buyers will increase, and the information out there will increase, therefore turning the decision-making process into a lengthier lifecycle. Because either way, the market and the buyers now own the selling world. Information is there, people just need to take the time to sift through it. But great salesmen are like chameleons, they improvise and overcome, and trust me when I say – the last man standing on this earth will be a salesman!!

The Black Book of Web Terms

For those of you who are in the business of talking tech, you’re probably familiar with certain web terms like SEO, Full Stack Developer, Adwords, HTML, FTP, Above the Fold, CSS, etc. I’ve put together a list of the most common terms used when talking about everything tech from computer programming to open-source platforms to blogging. I’ve tried to make them as relatable as possible so you can explain these terms to your cyberspace-challenged family at the next Thanksgiving dinner and sound super tech savvy. Terms, acronyms, phrases, and slang are all in the mix, alphabetically ordered for your convenience. If you need more clarification, fill free to reach out!

A:

Above the Fold – this refers to anything that can be seen on a webpage without having to scroll down. It stems from the newspapers where anything in the top fold was considered prime real estate for content and ads.

Adwords – this is the most commonly used ad service powered by Google. It allows account holders to bid on certain keywords relevant to their website and create ads which appear on SERPs. It places ad copy usually at the top or to the right of the search engine result page (SERP). If you look closely at the first two or three results on your next search, you’ll see a little yellow box that says “ad” directly to the left of the link, that is if you use Google. Bing has its own ad service, surprisingly called Bing Ads.

Adsense – this is a little different than Adwords, but connects with it. Adsense allows bloggers and other webmasters to display ads on their sites which can generate income through a CPM (Cost per impression, aka PPM) and CPC (Cost per click, aka PPC). An account holder can get paid through Adsense by taking the ads from Adwords that companies create and pay for and displaying it on their websites. I know this is a little confusing, but all you need to know is Adwords costs money, Adsense can make you money.

Analytics – services that generate statistics about a website’s traffic, patterns, and has the ability to measure conversions. These tools basically track activity on a website.

API – Application Programming Interface – it’s a way for one technology to interact with another technology. Like a Twitter API let’s developers incorporate Twitter data into a website or application, same thing with a YouTube API. This maintains a level of cohesion in the building process.

B:

Back End – refers to everything on the “back-end” of a website, basically what goes on behind the curtain. Back end functionality are the inner workings of a website or application. Also known as server-side, back end is the stuff you don’t see when you look at the webpage. (EX: Have you ever filled out a contact form online? Where does that information go and how does it get there? That’s back end!!) Back end may also refer to a person, he’s a back end developer.

Bandwidth – is a resource in use. If a website has millions of users viewing the site, it will be using a lot of bandwidth. Bandwidth can also be used to describe someone’s availability – a developer just finished their project and has some “bandwidth” to help out on different projects.

Beta – we always hear this product is currently in beta – that means it’s the first “live” phase of a website or a platform. The product is ready for use but the kinks are still being worked out and it’ll improve.

Black-Hat – used to refer to malicious hacking or aggressive SEO strategies.

Blog – if you don’t know what this is, you’ve got problems. But just so you know, blogs started as sort of an online journal and now blogs have turned into complex inbound marketing tools. The internet is like an ocean and companies use pieces of bait called content (blogs) to reel people in with.

Bounce Rate – used in analytics to represent the percentage of visitors to a particular website who navigate away from that site after viewing only one page. This is when visitors come to a website and then “bounce” off never going to another page than the one they landed on – hence bounce rate – a low bounce rate is usually good, a high bounce rate is usually bad – usually!!

Browser – this one’s easy. A browser is an application we use to surf the web. (EX: Chrome, Firefox, Safari, Internet Explorer (do people still use that, ha!))

C:

Caching – this is when your computer stores a copy of a webpage you previously looked at so it can deliver that page to you faster the next time you view it.

CDN – Content Delivery Network – CDN’s are normally for websites that have lots and lots of images, videos, and rich media. CDN’s will store cached versions of the website on different servers at different locations around the world. This enables the site to be served up quicker when trying to view it. Depending on your location, the server closest to you will show you the website.

CMS – Content Management System – software that makes the management of a website easier for those who aren’t developers. A CMS can have a number of different users, usually called admins, that access the website through a login portal. The user interface opens into a dashboard where admins can publish, edit, and update the website’s content. Examples of CMS’s are WordPress and Drupal, both open source!

Cookie – stored in your web browser, a cookie comes from a website you visited. When you revisit the same website, the cookie will send data back to the server to notify the website of your previous activity.

CRO – Conversion Rate Optimization – the practice of creating great experiences for a website user with the goal of converting them to paying customers.

CSS – Cascading Style Sheets – this is a stylesheet for sprucing up your website pages and making things look pretty. With a .css extension and linked from an HTML (seen below) page, it is the decoration of a website.

D:

Deep Web – a part of the internet that is not indexed by regular search engines. The internet is an ocean as in 90% of its contents are below the surface. For every page a regular search engine indexes, there are many more that are not being indexed. See TOR – the software for trolling the deep web.

DNS – Domain Name System – a unique user-friendly name that identifies a website, like any domain.com and essentially converts the number of the IP address.

DOM – Document Object Model – let me preface this by saying this will be hard to understand! There are objects in an HTML page called elements, things like <title> and <header>, the DOM is basically a representation of the document (often times in the form of a tree) and determines how objects can be manipulated.  It can be considered kind of a theory, and it’s technically an interface. Told you it would be hard to understand. Google it – I dare ya!

Domain Authority – honestly, no one really knows what this is. It’s a secretive algorithm that measures how a website will perform in search engine rankings. Moz has the info you need on Domain Authority.

Drupal – free, open source content management system used to build websites and online communities leveraging modules for functionality.

E:

Element – the components in HTML, they represent content and are wrapped in tags EX:  <p>Paragraph tag</p>, <h1>Heading with the most weight</h1>, <h6>heading with the least weight</h6>, <img src=”this shows an image” />

F:

Favicon – these are the tiny little images and icons that are displayed in the tab of a window next to the title of the actually webpage.

FTP – File Transfer Protocol – a way for files from one computer (usually a personal computer) to be transferred to another computer (usually a server) to be viewed on the internet.

Framework – in development, a framework helps by having a defined collection of tools to pull from for creating websites and web apps. Common activities (e.g. – fixed layouts, responsive markup) are put together and available for use instead of building something from scratch.

Front End – development that involves everything a user sees on a website, sometimes called client-side. Also refers to a person, she’s a front-end developer.

Full Stack Developer – a developer who knows both front-end and back-end development, these developers are extremely skilled and demand a high salary!

G:

GIF – a format file type used most times for animated images and graphics.

Git – a version control system which enables developers to work on projects simultaneously from different computers and store revisions of development history. It’s really good for holding developers accountable!

H:

Hack – there’s two meanings for this. One – is the traditional meaning where your computer gets hacked by a hacker for profit, gain, or notoriety. The Second – is when files are customized by a programmer, but not coded properly. You’ll often hear, “the core files are so hacked we’d have to start from scratch.” – this could mean that the files were hacked by a hacker, but it probably means that some developer who had access to those files changed the code to get the website or program to run the way it needed to run, but they didn’t use best practices.

High-level – this is a business term which means very basic, an overview, not specific or detailed. Your boss comes to you and says, “I’d like a high-level overview of your department’s business objectives for Q4 this year, just something simple.”

HTML – Hyper Text Markup Language – one of the first languages in website building, it leverages components known as elements wrapped in tags (surrounded by angle brackets shown here – <title>My Website</title>) to render certain types of text and images in a file with the extension .html. When rendered on a webpage, the above example would only show My Website. It is the skeleton of pretty much any website and contains different types of content.

HTTP(S) – Hyper Text Transfer Protocol (Secure) – it’s basically a set of rules for transferring information over the internet between browsers and servers. HTTPS is the secure transfer over an encrypted connection.

I:

IP Address – Internet Protocol Address – this is the number associated with a web address or computer.

J:

JS – JavaScript – a scripting/programming language used to create dynamic websites. It can handle user events and movements, alter content, and make for an overall great user experience. JavaScript has become very popular these last few years.

jQuery – a JavaScript library to simplify creating animations and handling events. It’s the most widely used JavaScript library today, and it’s got a great API.

K:

Keyword – any term, phrase, or word typed into a search query in a search engine that shows results.

KPI– Key Performance Indicators – companies use KPI’s to gauge and compare performance, they usually come in the form of some type of data-driven metric like social media reach, profits, or analytics.

L:

Landing Page – a webpage built within a website for the purpose of being “landed” on, usually from email marketing or social media. A landing page is built in hopes of converting users into customers.

Link Bait – content on a website that other sites link to because they find it interesting, unique, funny, and want to link to it.

Link Building – getting other websites to link to your website in hopes of improving your own ranking in a search engine.

M:

Markup – another way to say code, HTML is a markup language. See also syntax.

Meta – often heard in line with the word data, metadata is literally data about data. It helps search engines read parts of your website to determine what type of data it is.

Microsite – this is an individual website with its own domain/subdomain and as its own entity, but often times associated with another larger website. A microsite is usually used to showcase some type of event or new product.

Mockup – a design that shows a user what a website will look like without having to build any of the functionality.

MVP – Minimum Viable Product – for a website, the MVP has just those core features that allow the site to be deployed live. It’s the absolute bare minimum a website can be and still be used.

N:

NAP Consistency – Name, Address, Phone Number – a company’s NAP should be the same across all different local listings and other listings. This will help with local SEO.

O:

OOP – Object Oriented Programming – is a fundamental of computer programming that centers around objects and the methods or functions that control them.

OS – Operating System – are you using a Mac, Windows, or Linux OS? The iPhone’s operating system is iOS, go figure!

P:

Panda – this was an update to Google’s algorithm that aimed at lowering the rank of low-quality sites aka “thin sites”, and return higher quality sites at the top of the SERP.

Penguin – this was another update to the Google algorithm that aimed at decreasing search engine rankings for those sites that were still practicing Black-Hat SEO tactics.

PHP – PHP Hypertext Preprocessor – what?!? yes that first P stands for PHP, it makes no sense, I guess HP was taken! This is a programming language that is normally used with a database like MySQL to build dynamic websites and web applications. Over 80% of the web is written in PHP.

Pogo-sticking – users who search for a keyword and click on the first result they see. Then they don’t find what they want and hit the back button to the results page and click on the second result they see. Then they don’t find what they want again, and this can go on and on, hence the pogo-stick.

Post – an article in a blog.

Q:

QA – Quality Assurance – the act of making sure something works properly. In development, massive regression testing, unit testing, browser testing, and cross-platform testing is usually done.

Query – any question, whether that’s searching in a search box or querying a database to get back info from that database, a query is simply a question.

R:

RFP – Request for Proposal – this is a business term, but it’s when companies contact a web agency in hopes of finding a solution to their web challenge. If a company wants to build a website or do a redesign, they’ll put together an RFP (which basically describes what they’re using now and what they’d like to change about it – high level stuff) and send it to a web firm to get a proposal.

Rich Media – this can be different things, a few examples are images, videos, and animations that usually involve some type of user interaction. Or it can be an image, video, or interactive advertisement.

River – on a blog, it’s the main section of blog posts, not the sidebar.

RSS – Really Simple Syndication, actually it’s Rich Site Summary – RSS feeds allow a webmaster to syndicate someone’s content from a blog or news source to their own site and link back to that blog or news source, the feed will automatically update with any new posts.

S:

Scope Creep – adding incrementally to a project plan or statement of work (SOW), and realizing that the project plan has gotten way too big! The creep refers to adding small things (features, functionality, etc.) to a project and then realizing that the scope (what the project entails) is way over budget or the timeline’s too short.

SEO – Search Engine Optimization – for lack of sounding obvious, this means optimizing a website for the search engine. It’s an organic (meaning free) process of affecting a website’s visibility in SERPs. The strategy for this is extensive and constantly changing, you can check out some of my previous posts on SEO and Search Engines to get a basic look.

SEM – Search Engine Marketing – increasing the visibility of your website through paid advertisements.

SERP – Search Engine Results Page – it’s the page that has all the results on it after you enter a search query and hit enter.

Server – simply put, a server is a computer, but it’s a big one that houses a bunch of different websites.

Sitemap – this is a list of all pages within a website that can be crawled by spiders or by users, normally showing the taxonomy of a website.

Spamdexing – slang term for the use of Black-Hat SEO strategies like invisible text (hiding text between the markup and rendering it invisible), keyword stuffing (stuffing a webpage full of the same keyword), and doorway pages (landing on a page and then suddenly being redirected to another page) for the purposes of high visibility in search engine rankings. This is a very bad thing to do and it’s like committing SEO suicide.

Spider – a program designed to crawl (read) web pages.

SOW – statement of work – a document that tells the client what you plan on doing for their project.

Syntax – properly structured code.

T:

Table – a slang term for putting something on hold. EX: “I’ve got a lot on my plate right now, so why don’t we table this month’s content strategy and circle back at a later date.” I hate this term!!

Taxonomy – this is the procedure of organizing and categorizing the different web pages on a website. A website’s hierarchy.

TOR – The Onion Router – this is a free software for online anonymity. It let’s users surf the web much like Google or Bing does, but with no threat of placing cookies on your computer or tracking your movements. TOR is often used to surf the Deep Web.

U:

UI/UX – User Interface / User Experience – UI is what we use when we’re doing some type of action online (e.g. – viewing a website, purchasing an online product). UX is the feeling we get from doing those actions.

URL – Uniform Resource Locater – URL’s are a website’s unique address so that it can be found online.

Usability – criteria that assesses how easy a user interface is to use including learnability, efficiency, memorability, errors, and satisfaction. The Nielsen Norman Group has a great post on this topic – Usability 101

User-friendly – this just means that something is easy for us humans to understand! EX: beingajile.com/blog is much easier for us to understand than beingajile.com/wp/13286-aXeS3.3428.php

V:

Virus – much like a cold virus or the flu, a computer virus is a malicious program that likes to harm and reproduce in other hosts (computers).

W:

Webmaster – any person who develops or controls a website.

Widget – a small piece of functionality in WordPress usually found in the sidebar or footer areas.

Wireframe – this is kind of like a blueprint for a website, often done with boxes, it represents a visual framework.

WordPress – an open source content management system designed for developers and non-developers. It has a vast community of developers/non-developers who regularly contribute to making it the best blogging platform out there. It utilizes plugins which are pieces of functionality that help the end user accomplish something (e.g. – embed a twitter feed). This is such an immense platform that the codex has got all the documentation you need to get started.

X:

XML – Extensible Markup Language – defines a set of rules for encoding documents in both human-readable and machine-readable format, it’s also designed to carry and store data.

Y:

Z:

I couldn’t find anything for Y and Z, but I’m sure this will be a constantly updated list. I literally keep a black book of web terms right next to my computer so that when I hear someone say a term I’m not familiar with, I write it down. Please feel free to reach out if you have any input or want to know something more about a certain term. Hope this was helpful.