Categories
tech

Secure Your Site

Back in the dark ages of 2012, I posted about the benefits of encrypted web traffic, but https was a pain to implement for small websites and frankly, there was no incentive to be ahead of the curve when only 5% of websites were secure.

Times have changed, and a majority of websites are now using https. Google’s choice in 2016 to flag http-based websites as insecure in their popular Chrome browser had its intended effect. What started with sites containing password forms and credit cards has now become the status quo.

So what about small websites? Well, you can get a free SSL certificate from Let’s Encrypt and many hosts are installing them automatically. From there, it’s just a matter of enforcing https throughout the site, so even legacy links (e.g., my old theme pointed to its CSS file using an http link) are transformed to their secure equivalents. On WordPress, if you don’t want to touch your config files, you can get a plugin to do this for you.
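The "enforce https throughout the site" step above, as an added example that is not the post's own code nor any WordPress plugin's: a small Python script that lists every http:// reference in a page's src/href/action attributes and rewrites the ones whose host you know serves https, leaving the rest for review rather than blindly upgrading a third party that may not answer on port 443. The sample HTML and the host names in it are constructed for the demonstration.

```python
"""Find and upgrade insecure http:// references in a page's HTML.

Added example, not code from the original post or from any plugin.
The sample page and host names below are constructed.
"""
import re
from urllib.parse import urlsplit

# A plain http:// URL in one of these attributes is what browsers flag as
# mixed content on an https page (stylesheets, scripts, images, form posts).
_REF_RE = re.compile(
    r'(?P<prefix>\b(?:src|href|action)\s*=\s*["\'])(?P<url>http://[^"\'\s>]+)',
    re.IGNORECASE,
)

# Constructed sample: an https page whose old theme still points at http://
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/old/style.css">
<script src="http://cdn.example.org/lib.js"></script>
</head><body>
<a href="https://www.example.com/about">About</a>
<img src="http://www.example.com/logo.png" alt="logo">
<form action="http://www.example.com/search" method="get"></form>
<a href="http://other.example.net/page">external</a>
</body></html>"""


def find_insecure_refs(html):
    """Return every http:// URL found in a src, href or action attribute."""
    return [m.group("url") for m in _REF_RE.finditer(html)]


def upgrade_insecure_refs(html, https_hosts):
    """Rewrite http:// to https:// for URLs on hosts known to serve https.

    https_hosts: set of lowercase host names you have confirmed answer on
    https (at minimum your own site). URLs on other hosts are left as-is
    and returned in the `unresolved` list so they can be checked by hand.
    Returns (new_html, upgraded_urls, unresolved_urls).
    """
    upgraded, unresolved = [], []

    def repl(m):
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        if host in https_hosts:
            upgraded.append(url)
            return m.group("prefix") + "https://" + url[len("http://"):]
        unresolved.append(url)
        return m.group(0)  # leave untouched, but report it

    return _REF_RE.sub(repl, html), upgraded, unresolved


if __name__ == "__main__":
    new_html, done, todo = upgrade_insecure_refs(SAMPLE_HTML, {"www.example.com"})
    print("upgraded:", *done, sep="\n  ")
    print("needs review:", *todo, sep="\n  ")
```

The plugin approach the post mentions does the same rewrite on the server at render time. Two complementary measures on a server you control: a redirect from http:// to https:// so inbound legacy links land on the secure site, and the `Content-Security-Policy: upgrade-insecure-requests` response header, which tells browsers to fetch the page's http:// subresources over https instead of warning about them.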

There’s now no excuse to put your site’s visitors at risk. But some of the biggest sites in the world still do. If you use one of the 100 insecure sites listed at https://whynohttps.com/, you can first be appalled, then move your traffic elsewhere.

Fix Your Copyright Line

You’ve got a nice looking website with fresh content.  But the footer says 2011.  Here’s how to fix that – and keep it fixed.

Responsive Design

What happens to your site’s cool layout when it’s viewed on a small screen like a phone or tablet?  In the old days (a few years ago) we used to code two different versions of a site – you’d do a bit of detection and then send mobile users to something like mobile.mysite.com instead of the main view.  The downside is obvious:  every time you redesign your site’s look, you have to do twice the work.  And now that mobile accounts for 10% of all web traffic, this problem is not going away, it’s getting worse.

Enter responsive design.  The idea is to build a site from the ground up with different screen sizes in mind.  This usually goes hand in hand with a mobile-first approach, where the basic common elements of the site – headers, colors, fonts, etc. – are coded first in the smallest view.  Then if the screen size is larger, elements can expand, take up multiple columns, and generally unfold into a spacious layout.  When we build a site this way, it takes much less time and effort than doing a separate mobile view and also takes into account newer sizes in between, like tablets.  I’m glad to know my site looks good on a laptop, phone, and the recently revealed screen size of the new iPad!

Auto-Posting to Facebook and Twitter

Once you add a blog post, you have to go publicize it on Facebook, Twitter, and other social media. This little routine can get tiresome, especially if you’re on several different networks.

WordPress.com has a nifty little feature called Publicize that makes all of that automatic. Just hook up your site to your Facebook & Twitter accounts and when you post to the site, it alerts your friends & followers.

This is such a good time-saving idea that other platforms are picking it up. If you have a self-hosted WordPress site, check out plugins like Twitter Tools. If you’re on Drupal, a module like Drupal for Facebook will take care of it. Set it up once and cross an item off your daily to-do list.

How to Choose a CMS

Update: the days of needing a CMS for every website are over. You’re likely better off with a site building service.

Content management systems are the foundation of the modern web. Instead of manually organizing your pages, menus, and images, install a CMS to handle that part of the job.  The following options are great for personal or business sites, blogs, and portfolios – all free and open-source:

WordPress – The overwhelming choice for basic personal or business sites.  Includes built-in blog functionality, a super easy administrative interface, and a thriving community of developers.

Drupal – More flexible but also a steeper learning curve.  As they put it, “Drupal is like a Lego kit.”  If you want to do something non-standard (outside the realm of normal pages & blogs) look here.

Joomla – Particularly well-suited for membership sites, with user management, profiles, and members-only areas.  More flexible with modular content & menus than WordPress, but arguably easier to manage than Drupal.

All of these systems can be ‘skinned’ to look how you want.  Choose the one that has the functions, plugins, and flexibility you need.  Bear in mind that if you need to write an app from scratch, you might be better off with a framework like Django.  Knowing the scope of your project will allow you to make the nuts & bolts decisions down the road, so do this groundwork before setting up hosting!

Encrypt!

When you go to pay for something online, or put in your password, it’s a good idea to make sure you’re using encryption.  Most of us know to look for https at the beginning of a web address when entering sensitive information – regular unencrypted http connections are like a postcard that anyone can read.  But for most web surfing, it doesn’t matter… right?

We are already being profiled – mostly by advertisers, but increasingly by anyone who is interested – based on our participation on Facebook and our searches on Google.  Even if your name is hidden, you can be identified by your surfing behavior.  In this environment, even if you have nothing to hide, you might want to make your web traffic less easily accessible to prying eyes, and one way is using encryption.  (This article is about encrypting your traffic, not completely hiding it, which requires stronger measures like Tor.)

As Cory Doctorow so vividly illustrated in his novel Little Brother, if the only people using encryption are ‘troublemakers,’ then, even if the content of their traffic is unreadable, authorities can identify them by focusing scrutiny on those users who pass large amounts of encrypted data.  In some parts of the world, having your communications monitored can not only lose you a job prospect or a loan, but can land you in jail.  The more people use https, the less obvious it is who is a political dissident and who is just a reasonably cautious web surfer.

Internet liberty activist group EFF promotes a browser plugin called HTTPS Everywhere that makes encrypted browsing easy.  If you use Chrome, try HTTPS Enforcer.  It’s as simple and sensible as sealing the envelope on a letter you’re mailing.  And the increased demand for fully encrypted versions of your favorite sites will drive them to support safer browsing for everyone.

The only current downside of using the https version of a site is that it will tend to load slightly slower than otherwise.  Part of the delay is that your browser checks whether the SSL certificate – the guarantee that an encrypted site is who it claims to be – is valid.  All the encryption in the world won’t keep your traffic safe if it is being directed to the wrong destination.  Unfortunately, the system in place to check the certificates isn’t secure.

SSL critics have long complained that the revocation checks are mostly useless. Attackers who have the ability to spoof the websites and certificates of Gmail and other trusted websites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down.

https://arstechnica.com/information-technology/2012/02/google-strips-chrome-of-ssl-revocation-checking/

So when the check is necessary, it’s useless, and when it’s unnecessary, it wastes time:  “The median time for a successful OCSP check is ~300ms and the mean is nearly a second.” [Imperial Violet]

As Ars reports, the Google Chrome team is removing this check and implementing its own list of bad SSL certificates.  This will go a long way to making https as convenient as http, and I hope other browser makers will follow suit.  Until then, you can consider the slightly longer loading times of secure sites your contribution to making the web more private for everyone.
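To make the trade-off in the last few paragraphs concrete, here is an added example (mine, not code from the post, from Ars, or from any browser) that models the three revocation policies as plain decision functions: OCSP soft-fail, which is what the critics call useless; OCSP hard-fail; and a locally shipped list of bad certificates, which is the approach the post describes Chrome adopting. The certificate bytes, responder answers and block list are constructed, and `attacker_view` is a hypothetical helper standing in for an on-path attacker who can make the responder look temporarily down.

```python
"""Revocation-check policies compared: OCSP soft-fail, hard-fail, block list.

Added example, not code from the post or from any browser. Certificates,
responder answers and the block list below are constructed for the demo.
"""
import hashlib
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # timeout, error, or responder "temporarily down"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
REVOKED_CERT = b"constructed-der-bytes-for-a-revoked-certificate"
GOOD_CERT = b"constructed-der-bytes-for-a-valid-certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint, the usual key for a certificate block list."""
    return hashlib.sha256(cert_der).hexdigest()


# Block list shipped with the client, the way the post describes Chrome's own list.
BLOCKLIST = {fingerprint(REVOKED_CERT)}


def decide_soft_fail(ocsp: OcspResult) -> bool:
    """Accept unless the responder positively answers REVOKED.

    An attacker who can already spoof the site is usually on the path to the
    responder too, so REVOKED can be turned into UNAVAILABLE, i.e. into accept.
    """
    return ocsp is not OcspResult.REVOKED


def decide_hard_fail(ocsp: OcspResult) -> bool:
    """Accept only on a positive GOOD answer.

    Closes the hole above, but every responder outage or slow answer now
    blocks the site, which is why browsers have been reluctant to ship it.
    """
    return ocsp is OcspResult.GOOD


def decide_blocklist(cert_der: bytes, blocklist: set) -> bool:
    """Accept unless the certificate is on the locally shipped block list.

    No network round-trip at connection time, so there is nothing for an
    on-path attacker to suppress and no OCSP latency; coverage is only as
    good as the list the vendor pushes out.
    """
    return fingerprint(cert_der) not in blocklist


def attacker_view(real_status: OcspResult) -> OcspResult:
    """Hypothetical on-path attacker: a REVOKED answer is made to look like an outage."""
    if real_status is OcspResult.REVOKED:
        return OcspResult.UNAVAILABLE
    return real_status


def simulate_revoked_cert_under_attack() -> dict:
    """Outcome of each policy when a revoked certificate is presented by an
    attacker who also blocks the revocation responder. True means accepted."""
    seen = attacker_view(OcspResult.REVOKED)
    return {
        "soft_fail": decide_soft_fail(seen),
        "hard_fail": decide_hard_fail(seen),
        "blocklist": decide_blocklist(REVOKED_CERT, BLOCKLIST),
    }


if __name__ == "__main__":
    for policy, accepted in simulate_revoked_cert_under_attack().items():
        print(f"{policy:10s} -> {'ACCEPTED (bad)' if accepted else 'rejected'}")
```

The point the functions make: under soft-fail the one case the check exists for is exactly the case an attacker can convert into a pass, while the block list removes the network dependency entirely at the cost of covering only certificates the vendor already knows about.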

Web Widgets

Read/Write Web posts a good survey piece on web widgets. They’re mini-applications that add functionality to your site from another site.

Traditionally, if you needed a particular tool, you’d download it and run it on your PC. Then the web came along, and now you can edit images, cut video, and of course work on your documents and spreadsheets all within your web browser. Great! But all those functions are on different sites. What if you want to use some of those advanced functions on your own site (like your blog)?

Enter widgets. They allow your blog to call up functions (and possibly content) from another web site using standard web code. That’s what allows YouTube clips to appear in blog posts. But that’s just the beginning, as Read/Write Web explains.

At the other end of the spectrum from widgets is SaaS. Enterprise applications are now being delivered not in a shrink-wrapped box for you to install on your big local server, but in real time over the web. Of course you pay big bucks for this, but it can actually be cheaper than maintaining the software and local server. As these services mature, it makes more and more sense from an engineering perspective — why solve a problem every time it occurs when you can solve it once, centrally?

As computing power gets cheaper, it becomes more efficient for medium and large web apps to provide widget-like integration with users’ own sites. You probably wouldn’t want mission-critical data out on a free server (although a lot of people are putting sensitive files up on Google Apps). But what if you could invoke another site’s enterprise-level functionality, apply it to your local data, and mash it together on your web site?

Why would anyone give away such critical software? The same reason that sites give away widget functionality now: because user participation (and the resultant market share) is more valuable than license sales. Just as “You’re a Nobody Unless Your Name Googles Well,” your web app is a nobody unless users can access it freely, as in freedom and as in beer. (See my previous post; same concept, different context.)

While the paid SaaS model makes sense as a transition from the buying-software-in-a-box model, license fees and proprietary APIs only hinder the success of web services. We may end up with something that much more closely resembles YouTube when the widgets grow up.