CarmaBlog

 Version française disponible

WordPress is one of the most popular CMS (Content Management System). That popularity also means that it is a target of choice for hackers.
In this article, I will give you some tips to keep your website secure and avoid being attacked.

1. Use latest versions

This is true for WordPress itself but also for all your extensions. There are new versions available regularly. If a plugin has not been updated for a while, it is probably not maintained anymore and you might need to remove or replace it. This is also applicable for your theme.
The version of PHP is also important, check with your hosting provider that you are running the latest version of PHP (7.X), especially the versions 5.X won’t be supported by the end of the year.
Also, note that the more extensions you have installed, the more risk you are taking, as your WordPress configuration will rely on more 3rd party code. You should only keep the plugins that you really need. If a plugin is disabled, don’t keep its source code and remove all its associated files.

2. Use secure login details

Never use the default admin user. If you do, disable this account and create your own account with a personalized username.
Choose a strong password. If several users are managing your website, make sure the permissions are valid and avoid giving the admin permission to everyone.

3. Scan your website

This is an easy and quick way to find vulnerabilities and see if one of your plugins is vulnerable or not. You can use these 2 online tools:

• WordPress Security Scan (my favourite with a detailed report)
• WPScans

4. Use .htaccess files to protect your directories

The .htaccess file is a server configuration file. It allows you to define rules for your server to follow.

For example, in /wp-content/uploads, I have created the following .htaccess:

# Deny access to everything by default
Order deny,allow
Deny from all

# Allow access to media files
<FilesMatch "\.(jpg|jpeg|png|gif|bmp|zip|rar|pdf)$">
    Allow from all
</FilesMatch>

This config ensures only media files are accessible from the browser, any JavaScript, PHP files will be discarded. It is not 100% bulletproof as only the extension is checked, but it is better than nothing.

To avoid execution of malicious PHP in some folder (e.g. in /wp-includes), you can create another .htaccess file with the following content:

<Files *.php>
Order allow,deny
Deny from all
</Files>

5. Review file and directory permission

Make sure the critical files (wp-config.php, php.ini…) are not writable publicly, only readable. Only owners should be able to write.

6. Use security headers

You can check which security headers you currently use with this online tool.

At the root folder, update the .htaccess file and add:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "sameorigin"
	Header set X-Content-Type-Options "nosniff"
	Header unset Server
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
</IfModule>

In wp-config.php, add:

/** Extra Security */
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');
header('Referrer-Policy: no-referrer-when-downgrade');
header_remove('X-Powered-By');
header_remove('Server');
header_remove('X-CF-Powered-By');
header_remove('X-Mod-Pagespeed');
header_remove('X-Pingback');
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

7. Do not expose too much information

At the root folder of your website, in php.ini, add the line:

expose_php = Off

Your current version of PHP will not be exposed.

8. Backup your website regularly

Last but not least! You don’t need a particular software or extra plugin to achieve this.

• With your favourite FTP tool (e.g. Filezilla), save all the files available on your server.
• For the database, use the available MySQL backup feature. Many hosting companies provide access to phpMyAdmin, an online tool.

I recommend doing a backup every month, and keep the history of the last 6 backups somewhere safe. Of course, it depends on the volume of articles you are writing and how critical is your data.

That’s it! If you have done all the above, your website should be more resilient to attacks. In the worst case, you should be able to recover easily.

Happy safe blogging!

 Version française disponible

For this first article of the year 2018, I will present 3 financial services proven and used by myself for several months, even years. They allow me to make significant savings on my foreign currency transactions by avoiding the high fees of traditional banks. This article is in no way sponsored, but I have allowed myself to include some referral links.

For those who know me or follow me, it’s been a while since I live in England, 3 years already! I also travel abroad to discover new countries, new cultures and incidentally escape from the London Fog…

After arriving in England, I quickly needed to open a local bank account where the currency is, of course, not the Euro, but the Pound Sterling.

To deposit money into this account (while waiting for my first pay), I had to transfer money from my French account to my English account. In the pre-Brexit era when the Pound was very strong, it was a little painful… And like if it was not enough, my bank would also take its share with a rather exorbitant fee on my transfer. To avoid being ripped off twice, I looked on the Internet and browsed some forums looking for advice. I quickly decided to choose TransferWise.

The principle is simple and based on common sense. British people sometimes need euros, for example when they travel in Europe; conversely, European people need pounds when they come to England. TransferWise allows you to link these requests by acting as an intermediary. The company has accounts in different currencies and distributes the amounts between people. For example, for a transfer of 1000 euros to a British account (so about 900 pounds at the moment), the system may need 2 people (one person who wants to convert 400 pounds in euros and another who wants to convert 500 pounds in euros) or 3 people (who want to convert 300 pounds in euros each) or 9 people (who want to convert 100 pounds each). I guess you understand how the system works!

Once the account of TransferWise is registered with your traditional bank (this may take some time depending on your bank) and the transfer has been made from your original account, you will receive the money quickly in your destination account (usually in 1 day).

You will not be charged because your original account and the TransferWise account are using the same currency. It’s not a big surprise that TransferWise will charge a fee, but almost insignificant (e.g. 5 euros for a transfer of 1000 euros). You can do a simulation on their site, the fee is proportional to the amount transferred.

More recently, TransferWise has set up the borderless account. With this “multi-account” you can receive transfers in different currencies in a transparent way, you just need a click to activate a currency and get your corresponding local bank details (IBAN / BIC) that you can then forward to to the person who owes you money. Since April 2018, you will receive a debit card so you can use it to pay anywhere with your borderless account.

It is important to note that the transfer is executed at the market rate. Since you decide when you want to make the transfer, it is wise to do it when the rate is the most advantageous for you. In my case, it was much more interesting to make pound-to-euro transfers before Brexit.

Also in my example, I mentioned the Pound and Euro exchange, but many currencies are supported: the Swiss Franc, the US Dollar, the Japanese Yen, etc.

Feel free to look for yourself and use my referral link to open your account (and your first transfer will be free).

If you can use TransferWise for money transfers between accounts, how can you manage your expenses on the spot when you are travelling around the world? Who has not already paid a high fee when withdrawing abroad or when paying the bill at a restaurant? Who has not already made a large withdrawal at an ATM to avoid fixed costs, taking the risk to walk around with a large amount of money?

Opening a Revolut account makes perfect sense. It’s an online bank, which means that you won’t find any physical offices, you manage everything yourself from the application on your smartphone: from changing the PIN code to the deactivation of the card, or the change of your address. Revolut is free, you just have to pay a small fee (5 euros) to receive your multi-currency debit card at home.

You can convert currencies in advance from the application to ensure your exchange rate (advanced use) or it will be automatically calculated in the country according to the current rate and usage of your card (personally, I find it sufficient). The exchange rate is very low and matches the interbank rate (it is therefore a very low rate close to the real one without extra fee).

Revolut strongly advises its customer to keep an account in a traditional bank in case the card is not accepted, it is a Mastercard so it should not be a problem, but you will probably be happy to have your good old Visa card on hand, just in case.

The mobile application is well made with a breakdown of your expenses by category, an instant notification on your smartphone for each expense (useful for a contactless payment to verify the amount), the possibility of refunding another person instantly or share an expense easily.

I take the example of trips abroad, but nothing prevents you from using it every day by topping up your card regularly. You will be able to see your expenses by category, month after month, and refine your budget.

Wondering where is the scam? Well, it’s like TransferWise, there is not really a catch! But there are withdrawal and card payment limits (daily, weekly and monthly). Frankly, unless you travel for 6 months a year or you are really bad at spreading out your expenses, it should be enough for you. It is still possible to subscribe to the premium option to increase the limits and access additional services.

Revolut is a young, fast-growing company available in several countries. New features are added every month (cryptocurrency exchange, insurance, credit, etc.).

Again, feel free to have a look for yourself and use my referral link to open your account. There is very little chance for you to regret it.

Last but not least, Monzo is also an online bank. It provides a very similar service to Revolut, so you will receive a Mastercard card to make payments in different currencies at the interbank rate.

I must say that I use it for longer and more regularly than Revolut. Unfortunately at that time, the service is only available in UK. Unlike Revolut, there is no charge to receive the card, there is no premium option available, and it’s totally free. However, there is a waiting list to open an account (a few weeks at most).

They are still in a beta test phase, but it’s been a year since I am with them, I had no problem. It’s a bit like Gmail which has been in beta for years… However, it is possible that Monzo change its business model and start charging its users when their customer database will be big enough, hard to say, but as long as the service is free, you may just try it!

Unlike Revolut, Monzo focuses exclusively on the multi-currency expenses and reporting aspect, you won’t find any insurance, crypto exchange or other services. But what it does, it does it very well! Personally I find the smartphone app a little more convenient. They have limits too, but higher than on Revolut.

In my case, using both services and having 2 debit cards indirectly raise the limits. Also, it is possible that a Revolut card does not work in a place abroad, while it works with Monzo, and vice versa.

Once is not custom, I did not look at the technical side, but the post is still about new technologies in the banking system, I hope you’ve found the reading interesting. It also shows that small startups (Fintech) can move the lines of the banking landscape and shape our future. It is critical for traditional banks to constantly innovate to stay in the race, not sure they have all made the shift in time, and the customers of yesterday are no longer the young people of today.

And perhaps you will embrace online banking through your smartphone and even save some money… At least I don’t see any reason not to try!

 Version française disponible

The article Using Google Forms / Drive / Docs to create an online survey regularly receives comments. I realized that people come across similar issues, so I decided to write this article as a FAQ. I do not consider myself a Google Forms expert and Google can evolve the product at any time, making my articles outdated. However, you can probably find the answer to your question in this FAQ (hopefully).

When a user wants to respond to the form, he / she has to connect to Google first, is it normal?

You must disable the option “Only allow one response per person” that forces people to connect to their Google account. Be aware that without this option on, people can potentially answer the form several times.

How to prevent a person to answer the survey several times?

To have more confidence in the results, you can enable the option “Only allow one response per person”. Note that users will be asked to log in to their Google Account to view and complete the form, but the actual user name will not be recorded.

I don’t want to force users to have a Google account, is there an alternative?

If you do not want to force your users to have a Google account, an alternative is to use pre-populate the form.

For example, here are links to pre-populate the field “name” in a sample survey:

• https://docs.google.com/forms/d/e/1FAIpQLSeC8fIptm9xY8Ai1dADB8JxqbzDbQFv4vULOq_vGCK10NWsUw/viewform?entry.1000000=Fabian
• https://docs.google.com/forms/d/e/1FAIpQLSeC8fIptm9xY8Ai1dADB8JxqbzDbQFv4vULOq_vGCK10NWsUw/viewform?entry.1000000=Caroline

You will notice that the URL changes at the end with an additional parameter. Only one field is pre-populated, but it is very easy to pre-populate several fields (such as name or email). Generate the link from the menu to get the syntax of the parameters and then you can manually change them before sending the link. If you have many links to send, it will take you some time, but it will work.

However, note that it does not prevent the person to modify the pre-populated information (directly from the form, or by changing the URL) or submit the survey multiple times.

It is not possible to hide fields, but there is a workaround! You can add fields you want to hide on a specific section of your form that will never be displayed. You have to use sections in your form and change the navigation to never show the section that contains the hidden fields and go to the next one directly. Read pages Add content to your form to know how to add a section and especially this page Control navigation to sections of a form.
Again, this will not prevent the user to manually change the URL, but many will not pay attention, especially if you use a URL shortener tool.

Is it possible to include the form in my website?

Yes, it is possible to include the form in your website as an iFrame. The option is available from the “File” menu. The menu generates an HTML code snippet that you can then copy / paste into a page of your site. You can also write the code manually, for example:

<iframe src="https://docs.google.com/forms/d/1SEu1y1TvOyPUwkUHcwgC-ky0LIVZXCjjr5ARH_E3mK0/viewform?embedded=true" width="760" height="500" frameborder="0" marginheight="0" marginwidth="0">Loading...</iframe>

You can change the size of the iFrame and the URL to fit your form.

Is it possible to include the form directly in an email?

Yes, it is possible. When sending the email (via the “Send form” menu), make sure the checkbox “Include form in email” is checked.

I would like to get the IP address of each participant. Is it possible?

No, it is not possible to trace the IP address. You can force the users to authenticate before they can respond to the form, but this requires users to log in with their Google Account.

Is it possible to change the answers after having submitted the form?

When building the form, there is an option on the confirmation page settings, “Edit their response: Allows respondents to change their answers to your form”. If this option is checked, after submitting the form the person will have the confirmation page with a unique link to edit his / her answers. This link is displayed only one time, if the person closes the window, he / she will no longer be able to change his / her answers. You can find more information on the official documentation Send your form to respondents.

Is there a maximum number of responses?

There is no particular limit. However, a spreadsheet has a limit of 2 million cells.

Is it possible to redirect the users to another site once the form is submitted?

No, that’s not possible. A good idea may be to change the confirmation page message at the end of your form. Instead of the classic “Your response has been recorded”, replace with another sentence inviting the user to click on a link to continue.

Is it possible to not accept new responses after a specific date?

There is no such feature. But nothing prevents you from adding a free text section at the top of the form to indicate that it will be available until yyyy-mm-dd. And on that date, you close the form. This will have the same effect.

To prevent new answers to be submitted, click the Accepting responses in the toolbar. The button will show “The answers are no longer accepted” To reactivate it, click the button again.
When a form is no longer accepting response, users who visit are informed by a message that their answers will not be collected. To customize this message, change the text that appears under the title “The form has been disabled” in the top of the form.

Is it possible to create a multilingual survey?

It is not possible, but there are some workarounds that can more or less suit your needs.

You can create different forms, the link will be different, so as the summary of responses. It will be impossible to merge the results automatically, you will have to rework the table of responses with a spreadsheet tool like Excel (to consolidate the responses).

You can also add a first question that asks the user his/her language, then you can display the relevant sections in the selected language. Compare to the first solution, the link will be identical for everyone (no risk of error). The downside is that the question in French and the one in English will be on different columns (one cell will be always empty), so the summary of responses won’t match your expectations. Again, you will have to consolidate the responses manually.

Is it possible that a person starts to respond to a form and wants to resume it later?

No, that’s not possible. All responses are recorded once when submitting the form.