Category Archives: Blog

Creating Good First Impressions with Page Experiences

In our previous blog, we introduced Google Search Console, a hub of tools that aim to help you improve your website as seen by Google. Last time, we focused on tools that optimized your site for use in Google Search, but Google Search Console has other powerful tools to explore. One such tool allows us to take a deeper look into how your page is being experienced by users. The first impressions of your site can be key to turning visitors into customers. Measuring how users are experiencing your pages can help you make your pages more attractive and friendly to both new and old users. Google measures website experience on a few factors, the most important aspect being Core Web Vitals.

Google’s Core Web Vitals

If Core Web Vitals sound like a familiar term, you may recall our past blog where we defined what Core Web Vitals are and some tools that we can use to measure them. Core Web Vitals are composed of three types of measurements that explore how fast your page is and feels.

Google’s Core Web Vitals.

Above are the three Core Web Vitals that Google focuses on. As defined in the photo, these vitals are measured by loading, interactivity, and visual stability. Let’s define these vitals by the questions they ask us:

  • Largest Contentful Paint (LCP): How fast does the largest piece of content on my site take to appear?
  • First Input Delay (FID): How long does it take for my site to respond to a click from a user?
  • Cumulative Layout Shift (CLS): How stable is my site when loading?

Determining the status of these vitals on your site can be done by comparing them to the ideal metrics as defined by Google. For LCP, the ideal time it should take to load the largest element on your page is 2.5 seconds or less. For FID, a response from your page after user input should occur in 100 milliseconds or less. Finally, CLS, defined by how often elements shift around while your page is loading, should be 0.1 or less.

Page Experience & Core Web Vitals in Google Search Console

The user experience of your website can be measured with a variety of online tools that can offer both broad and specific feedback. If you are looking for an overview of how your site is doing, Google Search Console can help!

On the home screen of your Google Search Console account, on the left-hand side, is a tab called “Experience.” Under that tab should be “Page Experience” and “Core Web Vitals.”

Page Experience Tab on Google Search Console.

Clicking the “Page Experience” tab offers you an overview of how well your site is doing and breaks down how your site is being ranked. In “Page experience signals”, we can see that Google is not only looking at Core Web Vitals, but also at how well your site adapts to mobile. The security of your site is also considered. Let’s look at what we can learn about the Core Web Vitals of our sites.

Core Web Vitals Tab on Google Search Console.

Clicking on “Core Web Vitals” will bring you to the screen above. This report shows us how well your site is doing over time, dividing its findings between Desktop experience and Mobile experience. The graph focuses on your site’s ranking. Green notes pages that are good in comparison to Google’s ideal metrics. Yellow are pages that could use some work and red are pages that may need immediate attention.

Report Page of Mobile Core Web Vitals in Google Search Console.

Clicking on “Reports” will bring you to a more detailed look at what is being evaluated and what needs work. In the example above, we can see that issues marked in yellow and red are tagged with the vital that is being judged. This allows us to identify which URLs need work and in what aspects, offering us both direction and validation. As you fix pages marked as problematic in Google Search Console, you can see your site improve as those pages go from being ranked “Poor” to “Good.”

Improving the Experience of my Website

Using tools like Google Search Console can offer avenues for improvement, but if you want further help with your site, BCSE is always here for you! Carrie’s upcoming course “The Converting Website” will also dive deeper into improving your site experience. Join the waitlist today to stay up to date about the course’s release!

How Google Sees Your Business

Google is one of the most popular search engines in the world, helping users find the answers to all sorts of inquiries. For businesses, Google is a powerful tool that can lead customers to your website. However, how do you know if customers are reaching your site via Google? Are these customers the audience you desire? Is the content Google highlights relevant information about your company and products? One way to find the answers to these questions is by using Google Search Console.

What is Google Search Console?

Discussed in module one of Carrie Saunders’ upcoming course, “The Converting Website,” Google Search Console (formerly known as Google Webmaster) is a search engine optimization (SEO) tool that focuses specifically on how Google finds, interprets, and shares your site to users. Google Search Console helps visualize the activities that take place on your website, as well as offer ways to compare certain metrics to see where you can improve your site’s searchability, presentation, and reach on Google.

Using Google Search Console

One of the main features Google Search Console offers is Performance Reports. A Performance Report is a visual graph that keeps track of four main metrics:

  • Impressions – The number of times your site appeared in a Google search result.
  • Clicks – The number of times users clicked on your site via a Google search result.
  • Average Click Through Rate (CTR) – The percentage of impressions that resulted in a click.
  • Average Position – The average position of your site in Google search results.

These graphed metrics help give you a snapshot of how your site is doing in terms of searchability and site traffic. For example, impressions can help you figure out if the keywords that Google is associating with your business are resulting in relevant search results. Clicks can help establish how well your site summary attracts possible customers, and Average CTR and Average Position help illustrate how well your site is competing with the other businesses that customers are presented with.

Performance reports are also defined by dimensions, which are specific attributes of your data. Attributes such as country, page, device, and many others are presented in a table below the metrics graph, identifying the “who” and “where” of your site traffic.

With Google Search Console, you can further analyze just how the collected data can help evaluate your site by using the built-in filtering tool. This tool can be used to pick and choose which metrics you want to compare on the performance report graph, and can be pushed further to relate to specific dimension data collected. For example, you can compare the Average CTR of devices such as desktops and phones, helping you define just how well your site is presented on different platforms and if that impacts user interaction. Other filters, such as time, can be applied as well, allowing you to visualize your desired data during specific dates. This single tool amongst the many Google Search Console has to offer can quickly help point out aspects of your site that can be further optimized for Google’s search engine, helping you attract more customers!

Getting started with Google Search Console

Google Search Console can vary in difficulty when it comes to getting started. One of the first steps required is to add a property to Google Search Console. This property can either be a Domain Prefix or a URL Prefix. Once you choose one, you will be required to verify that this property is indeed yours.

Here are the seven ways you can verify a property:

  • DNS Record
  • HTML File Upload
  • HTML Tag
  • Google Analytics
  • Google Tag Manager Container Snippet
  • Google Sites
  • Blogger

One of the most important methods on this list is DNS Records, for it is the only way to verify a Domain Prefix. Below, we will dive into how you would go about getting started with Google Search Console via a Domain Prefix.

1. First, you will need to create a property with Google Search Console here, where you will arrive on the screen below.

2. On the screen, you will be asked to add a Domain Prefix or a URL Prefix. Add your Domain Prefix under the highlighted “Domain” box and click “Continue.”

3. Next, you will be asked to choose your method of verification. Here, instructions will vary per domain provider. Click the drop-down menu next to “Any DNS Provider” and see if your DNS provider is listed. If so, click your provider for provider-specific instructions, where you will most likely be required to log into your domain for verification. If your provider isn’t listed, follow the instructions under “Any DNS provider.” Once you have completed the instructions, click “Verify.”

Note that depending on your provider, the verification process may not be instant. If you are not verified immediately, check again in a few hours.

Can I get Further Guidance?

Carrie’s upcoming course “The Converting Website” will dive into further detail about Google Search Console as well as other useful tools and techniques for your business. Join the waitlist today to stay up to date about the course’s release!

The Power of Google Analytics 4

A mobile device with Google Analytics open on screen, with overlaid text 'The Power of Google Analytics!'

One of the most stressful aspects of maintaining a website is determining if your website is working for your business. The experiences and retention of your customers on your website can sometimes be hard to calculate, leaving you unsure of what is successful and what needs to be adjusted. On top of that, while there are many tools and methods to quantify the effectiveness of your website, sorting through them all and determining which one works best for you can be overwhelming as well as discouraging.

How do I make my website work for me?

In her upcoming course, “The Converting Website”, BCS Engineering founder and principal engineer Carrie Saunders aims to help businesses approach the challenge of creating and quantifying a successful website. This five-week course will explore the tools and tactics to convert visitors into customers, with module one of the course diving into the services you can use to evaluate and test your website.

What is Google Analytics 4?

Google Analytics 4 (GA4) is one of the tools discussed in module one of Carrie’s upcoming course. GA4 is an analytics service that helps you track the traffic engagement of your platform across both your sites and apps. The improved service offers more granularity than its predecessor, Universal Analytics, by not only noting when a customer was on your site, but also collecting data about what a customer does while there. The advancement of this tool has led it to be pushed as the default Google Analytics service by July 2023, when Universal Analytics will be fully replaced by GA4. Thus, the switch to GA4 is strongly encouraged.

The highlight of GA4 is its variety of reports. Visuals of data concerning where customers are coming from and what pages draw their interest are detailed on the home page of GA4. Other reporting options such as real-time reports illustrate the impact of changes to the website, such as the addition of media or a new product, as they happen, offering transparent feedback about the success of your adjustments. Furthermore, life cycle reporting, a report detailing how visitors convert to customers and what those customers do once they have converted, is also featured. Overall, GA4 offers valuable data concerning how your site acquires, engages, monetizes, and retains customers, and is a powerful tool that can be started today!

Switching to GA4

In a few simple steps, you can get started with GA4.

If you are new to Google Analytics, you will need to make a Google Analytics account, creating a profile and your first property. After filling out the form, you will already be on your way to using Google Analytics 4.

For those who have been using Google Analytics in the past via Universal Analytics, the setup is just as simple.

1. Once logged into your GA account, go to the “Properties” column, and click “GA4 upgrade Assistant.”

2. From there you will be reminded that you are currently using Universal Analytics and asked to switch. Click “Get Started” to create a Google Analytics 4 Property.

3. A window will pop up explaining what will happen next. Click “Create Property”.

4. Your property will now be GA4 enabled.

An important thing to note is that whether you are new to GA4 or are switching to GA4, your property will fall into a default tag of gtag.js, which may not work with your type of platform. To adjust the tag for your GA4 property, complete the following:

1. Click the gear titled “admin” in the lower left-hand corner.

2. Next, make sure you are on the right property by clicking the down arrow under the property column. Once on the right property, click “Data Streams.”

3. Under Data streams, click the website you desire to work with.

4. This will take you to Web Stream Details. Under “add-new on-page tag”, expand “Global Site Tag (gtag.js)”.

Depending on the platform your website is on, follow the instruction you find below and find your platform specific instructions by clicking the highlighted “these instructions.” This will take you to a list of providers and will offer you further support per provider.

Can I Get Further Guidance?

Carrie’s upcoming course “The Converting Website” will dive into further detail about GA4 as well as other useful tools and techniques for your business. Join the waitlist today to stay up to date about the course’s release!

Holistic / Natural SEO


At BCSE, we have always had the philosophy that natural, or holistic, SEO (Search Engine Optimization) is the way to go. Our modules and the way we structure websites lend themselves to natural SEO and help your site rank better.

What is holistic / natural SEO?

Holistic / Natural SEO is simply improving all aspects of your website with the end user in mind. When you provide a great user experience, you will naturally check quite a few SEO boxes. Some of the areas to focus on are:

  • Clean, easy to read website
  • Proper use of headings
  • Quality writing content
  • Having a secure site and using https always
  • Fast website

How does a clean website help SEO?

A clean website not only makes it easy for your readers to focus and stay engaged, but it also boosts search engine rankings when the search engines see readers lingering, or staying longer on your website. When you have clean and focused content readers won’t bounce out of your site so fast. A confusing and hard to read website will lose a potential customer very quickly, and search engines recognize this.

How does proper use of headings help SEO?

Search engines need to know what is important. Using headings not only helps search engines see what you are emphasizing on the website, but also helps your potential customers skim the page to see if the content is relevant to them. Search engines recognize that headings make it easier for the consumer to read as well, so they will be looking for properly placed headings.

How does quality of writing help SEO?

Very similar to the above points, if your text is hard to read and follow, users will leave quickly. The goal is to not confuse or frustrate readers. When you write well, and have your writing flow, it builds trust and confidence. When you build trust and confidence and have well thought-out content, your readers will stay engaged and stay on your website longer. Again, search engines look at how long customers stay on pages, and the longer they stay, the higher that page will rank.

Why is having a secure website important to SEO?

In the past several years, search engines have recognized that websites secured with an SSL certificate provide higher quality content. By having an SSL certificate, search engines know that you as a business owner care more about your customers than those who do not secure the customer’s data.

Search engines also keep track of what websites have been reported to have spyware or other malicious content. When you keep your site secure with any security updates your software needs, then you are further protecting your SEO rankings. Search engines are all about customer experience and security.

How does having a fast website help with SEO?

For several years, Google and other search engines have recognized that a quality website also means a fast website. Consumers get frustrated if a website takes too long to load and leave pretty quickly. Search engines punish websites that are too slow or not consistently fast. We recommend using several tools to test your site to get different perspectives:

I think I need help with SEO, now what?

At BCSE, we have always taken a natural and holistic approach to SEO. We work with you to help you learn how to write and populate your content in a way that is SEO friendly. We will also help from a structural standpoint, making sure your site is constructed in the back-end to be naturally SEO friendly. Contact Us today to see if we are a good fit for your project!

What is Structured Data?

Structured data is a way to convey information to search engines.  In simple terms, it makes your website easier to understand for Google, Bing and the other major search engines.


For example, when searching for “World’s Best Cookies” here is today’s top result:

If you were to visit this cookie recipe page, you would have a large amount of text to wade through. This is what the major search engines would have to use to decide on what is most important to show you when you search. However, if you have structured data, you can help the search engines decide what to show.

For example, on this site they chose to feature some of the main ingredients, rating, number of votes and how long it will take you. Much more useful than the first few paragraphs of the site:

Why is Structured Data important for SEO?

Structured data helps search engines understand your website better. The better you ‘talk’ to Google, Bing, etc., the better your search engine results will be. Not only that, but the snippet of information shown in a search result will also be more optimized for your customers.

Rather than showing the first few sentences of your page, search engines will prefer to show the more specific, condensed information you have in your structured data, making it easier for them to see what the page is about.

The less barrier to clicking on your link, the more potential customers will click, and the more likely your SEO rankings will go up for that page too!

Which Structured Data format should I use?

Currently, all of the search engines recognize Schema.org’s approach to structured data. There are others out there the search engines support too.

The most popular method is to use Schema.org’s JSON-LD format. This uses JavaScript to insert all of your markup into the head of the page, which is many times a cleaner and simpler solution to implement.

Previously Schema.org’s microdata was the way to go, however major search engines now support the JSON-LD format much better.
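A sketch of what JSON-LD markup looks like for the recipe example above, added here as an illustration (it is not the markup of any real site): a `<script type="application/ld+json">` element holding Schema.org `Recipe` data. The input field names and sample values are constructed, and the escaping step keeps page content such as a title containing `</script>` from closing the element early.

```python
import json

# Constructed sample data for illustration; not taken from any real recipe page.
SAMPLE_RECIPE = {
    "name": "World's Best Cookies",
    "ingredients": ["butter", "brown sugar", "flour", "chocolate chips"],
    "total_minutes": 25,
    "rating": 4.7,
    "votes": 1523,
}


def iso8601_duration(minutes: int) -> str:
    """Schema.org expects durations such as totalTime in ISO 8601 form (PT1H30M)."""
    if minutes <= 0:
        raise ValueError("duration must be a positive number of minutes")
    hours, mins = divmod(minutes, 60)
    return "PT" + (f"{hours}H" if hours else "") + (f"{mins}M" if mins else "")


def recipe_jsonld(recipe: dict) -> dict:
    """Map our own (hypothetical) recipe fields onto Schema.org's Recipe type."""
    return {
        "@context": "https://schema.org",
        "@type": "Recipe",
        "name": recipe["name"],
        "recipeIngredient": list(recipe["ingredients"]),
        "totalTime": iso8601_duration(recipe["total_minutes"]),
        "aggregateRating": {
            "@type": "AggregateRating",
            "ratingValue": recipe["rating"],
            "ratingCount": recipe["votes"],
        },
    }


def jsonld_script_tag(data: dict) -> str:
    """Serialize the data and wrap it in the script element that goes in <head>."""
    payload = json.dumps(data, ensure_ascii=False, indent=2)
    # Titles and reviews often come from users or a CMS. Writing <, > and & as
    # JSON unicode escapes means no text value can end the script element,
    # while a JSON parser still reads back exactly the same strings.
    for char, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        payload = payload.replace(char, escaped)
    return f'<script type="application/ld+json">\n{payload}\n</script>'


if __name__ == "__main__":
    print(jsonld_script_tag(recipe_jsonld(SAMPLE_RECIPE)))
```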

How do I know if I already have Structured Data?

Both Google and Schema.org provide testing tools to review the structured data on your site. We recommend using one or both of the tools listed at this link:

https://developers.google.com/search/docs/advanced/structured-data

Evaluate some of your key landing pages first to see how your site does.

I don’t have Structured data or don’t know if it’s correct, Now what?

If you don’t have structured data or aren’t sure if it is correctly conveying the information you want on your website, we can do an evaluation for you! Just Contact Us and we’ll be happy to send you a quote to evaluate your site.

Three Core Web Vitals: LCP, FID & CLS


In the summer of 2021, Google rolled out a new page experience update powered by Core Web Vitals. The intention for these new measurable quality signals is to rank sites that give users a great experience higher, allowing Google and other search engines to deliver better websites to the top.

When you first think of Page Experience, you may be thinking of general website speed. However, speed isn’t the only part of the equation when factoring in page experience. Not only does your site need to be fast, it must also feel fast.

Optimizing for great user experience is key to long-term success of your website. If you are a business owner, marketer or web developer, Core Web Vitals can help you quantify the experience of your website and identify areas to improve.

What makes a website feel fast?

OK so what makes a site actually feel fast? Currently Google is focused on three specific points:

  • Visual stability
  • Loading
  • Interactivity

These focal points will likely change over time and/or more points will be added to measure a website’s perceived speed and experience. However currently Google uses these to help evaluate your website.

So what are the Three Core Web Vitals?

  • Largest Contentful Paint threshold recommendations
  • First Input Delay threshold recommendations
  • Cumulative Layout Shift threshold recommendations

These core vitals don’t simply look at how fast items on the page load, they also look at how ready those elements are for display and/or use! When a website shifts, when large chunks of content are delayed in displaying, or when you click on something and it doesn’t respond right away, you have a bad experience with that website. It could be as simple as clicking the wrong link if elements shift suddenly.

Where do you stand on these core vitals?

When analyzing a site for speed and user experience, we always use at least these tools together to get a good idea of the improvements needed:

One thing to caution, when you run these metrics many variables come into play and you will not get the exact same results each time. It will depend on where the test is being performed from (which server is connecting to yours) as well as what your server is doing at the time (i.e. is it already busy)? Getting wildly different results though each time could be an indication that web server optimization is needed. You should get about the same results each time if your server is healthy and not overloaded.

What should I do next?

First off, we recommend using one or all of the tools above to see where your website stands. Look through the recommendations and decide which ones you want to fix/look into. Once you’ve made some changes, retest! This is best done as an iterative process so you can figure out what adjustments helped and what didn’t.

Need help optimizing your site?

We love a good challenge and website optimization can certainly be one of them! If you are stuck, or overwhelmed with optimizing your site, Contact Us today and let us help guide your site to a better user experience!

First Input Delay (FID)


What is FID?

First Input Delay (FID) is a Core Web Vitals metric that site owners and developers can use to assess user experience. It measures the time it takes for the browser to respond to the user’s first interaction, for example, clicking on a button or a link. The faster the browser reacts, the faster your site will appear to the end user.

Why is First Input Delay (FID) Important?

While a page may appear to load quickly, if the user clicks on an item or tries to interact with the page when it appears loaded, it will be very frustrating if that interaction is not immediately responded to.

Input delay happens if the browser is busy in the background finishing up tasks and cannot respond to the user’s request. One of the common reasons this can happen is if the browser is busy parsing and executing large JavaScript code. While it is finishing that, it cannot run any event listeners because the JavaScript code being parsed and executed might tell the event listener to do something else.

Google, as well as other search engines, looks at this FID element to gain insight into user experience. If users experience fast responses to input requests, then they will perceive the site as being fast. It is a major website quality indicator.

What is a good FID time?

Now that you understand what First Input Delay is, it is important to know what a good FID time is, as well as how to optimize it.

According to Google, you should aim for the FID to be 100 milliseconds or less. Anything between 100ms and 300ms needs improvement. Anything above 300ms is considered to be poor.

Good FID values are below 100 milliseconds, poor values are greater than 300 milliseconds and anything in between needs improvement
(Source: Google)

How to measure First Input Delay (FID)

The easiest way to measure FID is using Page Speed Insights. In Page Speed Insights, you simply put in the page you want to evaluate and have it analyze that page. You will see results similar to the below.

How to improve FID

Review your Total Blocking Time (TBT) score that also can be found on the Page Speed Insights tool. Many times improving the TBT score will also help your FID score. FID is a bit more of a complex metric to optimize.

In general you should:

  • Break up long tasks
  • Optimize your page to be ready for input
  • Reduce JavaScript execution time

Need help with your Website Speed?

Contact us today to see how we can help!

Largest Contentful Paint (LCP)


What is LCP?

Largest Contentful Paint is a Core Web Vitals metric that site owners and developers can use to assess user experience.  Put simply, it measures how long it takes for the largest piece of content to appear on the screen.  Typically, your largest piece of content is an image, but it could also be a block of text. 

A good grade on this metric means your site has a feeling of loading fast.  Whereas a site with a bad LCP grade will appear slow to the user, causing frustration.

Why is Largest Contentful Paint (LCP) Important?

In the past, there were simpler metrics for measuring page speed and performance.  It was found that waiting on a large piece of content to load hinders the user’s experience even if the first content of the page loads fast.  LCP measures when your most important part of your site loads by looking at the largest content. 

Google, as well as other search engines, now looks at your perceived largest content from a user’s perspective. The goal is to have a measurement of site speed that the user perceives. Search engines are constantly on the lookout for ways to optimize their search results and give users the best quality websites first. Perceived site speed is one major quality indicator.

What is a good LCP time?

Now that you understand what Largest Contentful Paint is, it is important to know what a good load time for LCP is, as well as how to optimize it.

According to Google, you should aim for the LCP to load within 2.5 seconds or less of the page loading.  Anything between 4 seconds and 2.5 seconds needs improvement.  Anything above 4 is considered to be poorly performing.

According to Google, you should aim for the LCP to load within 2.5 seconds or less of the page loading.
(Source: Google)

How to measure Largest Contentful Paint (LCP)

The easiest way to measure LCP is using existing tools like:

In Page Speed Insights, you simply put in the page you want to evaluate and have it analyze that page.  The results will look similar to the image below and you can click on the LCP link to see what elements are affecting your speed for that Core Web Vital.

How to improve LCP

According to Google, LCP is primarily affected by four factors:

  • Slow server response times
  • Render-blocking JavaScript and CSS
  • Resource load times
  • Client-side rendering

Slow server response times is usually one of the easier factors to adjust.  You can contact your host to see what optimizations they can do on your server.  Sometimes it is a good idea to contact someone like us to evaluate if you need a larger server/hosting plan.

The other three factors generally need a developer to help with.  If you do not have a preferred developer, you are welcome to contact us to see if we are a good fit.

Google also provides some guidelines on their website here: https://web.dev/lcp/

Need help with your Website Speed?

Contact us today to see how we can help!

PSD2 SCA Requirements for eCommerce


What is PSD2 SCA?

PSD2 stands for Payment Services Directive 2 and is a new EU regulation that originally was proposed to go into effect on September 14, 2019. The new rules from the PSD2 are referred to as SCA, Strong Customer Authentication. The new rules are intended to enhance the security of payments and limit fraud during this new authentication process. The requirements apply to customer-initiated online payments and online banking transactions made within Europe.

Does SCA apply to me?

Strong authentication is required for customer initiated online payments within Europe. For online card payments, SCA applies if both your business’s bank and the card-holder’s bank are located in the EEA (European Economic Area).

There are some areas where transactions fall outside the scope of SCA, or qualify for an exemption if the customer’s bank approves.

What is Strong Customer Authentication?

SCA means authentication based on the use of two or more elements that are independent from each other. Being independent from each other means that if there is a breach of one element, it does not compromise the reliability of the other element, i.e. the other element cannot be obtained from a breach of one of the elements. The customer has to provide at least two of the three elements:

  • Something the customer knows (like a PIN or password)
  • Something the customer has (like a mobile phone or hardware token)
  • Something the customer is (like facial recognition or their fingerprint)

When will SCA be required?

The SCA requirements were originally to be in effect by September 14th, 2019, however the enforcement has been delayed. The initial delay was to allow time for technology to catch up and be ready and a second delay came out due to COVID-19.

  • If your business’s bank and your customer’s bank are in the EEA, you must be ready by December 31st, 2020.
  • If your business’s bank and your customer’s bank are in the UK, gradual enforcement started in June of 2021. Full enforcement is expected by March 14th, 2022.

We recommend you start supporting SCA as soon as possible to be ready for the appropriate deadline.

How do I know if I’m SCA compliant?

Most main merchants support 3DS2 (3D Secure 2) which is the new authentication solution that complies with the SCA regulations. Your first step is to ask your merchant bank if they support 3DS2. Your next step would be to contact your developer or contact us to make sure your eCommerce platform is using a modern version of your merchant’s payment gateway that supports 3DS2.

Help! I’m not compliant!

Worried you aren’t compliant? Just drop us an email and we will help get you straightened out!

GoDaddy Breach November 2021

GoDaddy Breach - 1.2 Million WP accounts at risk!

Up to 1.2 Million WordPress Accounts At Risk in Latest Breach

GoDaddy has announced in a filing with the Securities and Exchange Commission (SEC) that up to 1.2 million managed WordPress accounts are at risk.

An unauthorized attacker managed to breach a “legacy” WordPress management tool still in use at GoDaddy.

The attacker used a compromised password on September 6, 2021 to access the tool. However, the breach wasn’t discovered by GoDaddy’s internal security team until November 17, 2021.

Over the six-week period of unauthorized access, up to 1.2 million active and inactive managed WordPress customers had their email address and customer number exposed to the attackers.

Additionally, major customer credentials and secrets have been exposed:

  • Customers’ original WordPress Admin password (set at the time of account provisioning)
  • Customers’ FTP and database usernames and (plaintext) passwords
  • And, for a subset of these customers, their SSL private keys.

Immediate Consequences of the GoDaddy Breach

GoDaddy has implemented a series of changes to remediate the effects of the breach, including resetting any potentially compromised passwords.

While GoDaddy is still investigating the causes of the compromised accounts, they are also reaching out to impacted customers to issue appropriate advice regarding resetting passwords.

They’re also attempting to raise awareness of the compromise of their users’ email addresses, so that those users can be conscious of phishing scams.

It is unclear whether GoDaddy has fully accounted for all potentially exposed private keys.

Long-term Consequences of the GoDaddy Breach

The attackers were able to gain access to raw passwords for sFTP and database accounts. It would therefore appear likely that at the very least GoDaddy was storing FTP credentials in a majorly insecure manner.

This is a huge security practice failure on GoDaddy’s part.

Storing passwords in plaintext is a major no-no. It’s unclear at this point why GoDaddy didn’t remediate this relatively basic flaw with their “legacy” managed WordPress service. This service – which makes up a sizeable portion of GoDaddy’s income – was fundamentally insecure.

It’s unclear what GoDaddy means by “legacy” and whether GoDaddy intended to move these customers off of this platform eventually. However it is clear that they did not do so soon enough.

GoDaddy is also keen to point out “best practices” for securing WordPress instances in a (long) series of posts. However, GoDaddy’s own mistakes here have led to a massive customer exposure.

That does little to instill a sense of trust in GoDaddy, who will need to do some reputation management in the coming months.

What should you do?

If you’re a GoDaddy WordPress user you should immediately reset all passwords associated with your account. Note: don’t re-use passwords, ever!

Users should also look to their email for notification from GoDaddy as to the status of their SSL certificates. At the time of this writing GoDaddy was still “in the process of issuing and installing new certificates for those customers.”

And it never hurts to consider alternatives when looking for WordPress hosting. We offer a low-cost basic hosting package that’s more than suitable for hosting a small WordPress site / blog. We also offer a wide variety of larger hosting packages that would perfectly suit the needs of a higher-trafficked site.