Six Tips for Startups to Reduce Their Software Product Development Costs

Starting a business is fun, although it can be tempting to go for broke because you are confident that your product will be a huge success. However, according to CBInsights, of the top 20 reasons why startups fail, cash shortages come second on the list (29%), right after the lack of market demand (42%). How do you make sure your tech startup can save money and survive? Here are six tips for startups to reduce their software product development costs.

Building software that works on a tight budget is the biggest challenge most innovative startups are facing today. On average, every sixth project runs over budget by a whopping 200%.

The main reasons for budget overruns are the high cost of local tech talent, poor planning, lack of communication within the team, technical incompetence, and unrealistic requirements.

Is there a way to successfully build your startup product without losing all your money? Absolutely!

Here are some tips for managing product development expenses on a shoestring budget that I’d like to share with you.

Build a cost-effective product development team.

People are the most important part of any software development project. When you have experienced and motivated people with excellent technical and communication skills, you are halfway to delivering a successful product.

It takes time and money to build a development team that will deliver above your expectations. You need to find talented people, pay for onboarding, adaptation, and training, as well as equipment, workstations, software licenses, etc.

Also, if you are building a new team from scratch, it will take a while for people to get to know your business, technology, and the product they are developing.

If you work remotely, hire wisely. If you run a distributed software development team, you need to make sure you are hiring the right people for team roles, and you’re paying a fair price for them.

Tips for building a cost-effective yet highly qualified team

1. Consider building a smaller team first

The larger the team, the more difficult it is to manage it and bring it up to speed. The rule of thumb, according to Jeff Bezos, is – if you can’t feed your team with two large pizzas in a meeting, you’re in trouble.

Having too many people on your team means more disagreement, more communication gaps and issues, higher resistance to change, and ultimately lower productivity.

It is best if you build your core team before starting the project. If you constantly shuffle people in your team throughout the development process, you will most likely reduce the productivity and delay the progress of the project.

2. Distribute your team across several locations

In the world of globalization, it makes no sense to be bound by any physical boundaries. You need to stay cost-conscious and eliminate any spending unless it’s really crucial for your project success.

If you can’t attract or afford to hire a mature solutions architect within your home country, hire one overseas and integrate them into your in-house team smoothly with the help of video conferencing, project management tools, messengers, shared dashboards and team-building activities.

One of the leading fintech startups in the UK couldn’t find and hire the right skill sets locally (due to talent shortage and high rates) and it risked delaying product delivery and losing traction.

To solve this issue, the company hired a local tech consultancy with an R&D Center in Ukraine, Europe’s leading hub for outsourced software development, and the largest tech talent pool.

The consultancy helped them build a distributed software team across three locations: the UK, Spain, and Ukraine. DevOps, business analysis, and security functions stayed in the UK, while most developer roles (.Net, AngularJS), QA, solutions architect, and scrum master were hired in Ukraine and Spain.

Because Ukrainian and Spanish resources were way cheaper than those in the UK, the startup could save significant costs and build their MVP fast enough to attract £1 million from VC funds and private investors.

Many startups begin as a “one-man show” or as a team of two or three people. But as you elaborate on your MVP and build more features, you’ll need to scale your product and, thus, hire more employees to join your team.

Consider going remote

The Covid-19 pandemic has shown that we no longer need to rent an office space to build and deliver great products. In fact, more and more organizations all over the world are choosing to work entirely remotely.

By using remote teams and collaboration tools like Skype, Slack, and Trello, you can save tons of money by ditching the brick-and-mortar office space.

One study found that if a company allowed an employee to work from home half the time, it could save an average of $11,000 per employee per month.

Going remote also allows you to move to a less expensive part of the country to save costs or even to migrate to lower-cost yet resource-rich countries like Ukraine or Portugal.

More and more startups are abandoning the hustle and bustle of metropolitan areas in favor of cheaper cities with populations between 20,000 and 100,000. As technology advances, nothing prevents you from running a successful technology company from a home office in, say, Leicester, UK (where I live and work).

Start with fewer features

Every feature you build will cost you money.

Before you release a full-fledged product, your startup won’t know what features will be important to your users. For instance, your team might spend a lot of time and money developing a feature only to find out later that your users find it useless.

The smarter choice is to build a solid MVP first with the most in-demand features only. Once your MVP is released, you can collect valuable feedback from users to find out exactly what features they like and want to see in your app. Then, as you attract more funds, you can build features that will further enhance your product.

Your goal should be to build and market a product with minimum features that can help you onboard the first paying customers and start making money or attracting new funds.

Start testing early

To avoid delivering a glitchy product to the market, you should start testing it early in the software development process. By doing regular tests throughout the development lifecycle, you will discover and fix issues before moving on to other parts of the project.

If bugs pile up and you get to the end of the development process, you will need to go back and rework it. Making changes takes time and money. It will also push the release date back. You will be left with a low-quality product, wasted money, and psychological stress.

There are ways to reduce defects, but there is no way you can catch them all.

That is why bug tracking is really an important step towards reducing your product development costs.

The worst thing you can do is build your software in such a way that your users cannot use it. If you want to change something after the release, brace yourself for overheads and additional payments. Poor project planning typically results in overblown budgets.

Early user acceptance testing (UAT) can be used to minimize development costs down the road. UAT should be done after unit testing and functional testing, but it can also be done during the prototyping phase. All you need to do is create test scenarios based on your user journey or personas and have an industry or customer experience expert run the tests.

This approach will also help you reduce turnaround time and identify defects that can be fixed promptly to avoid overheads.

The same applies to security: penetration testing should be embedded in your product development lifecycle as early as possible to avoid overheads at the post-release stage and unhappy clients.

One study found that developers spent up to 50% of their time fixing bugs that could have been avoided earlier in the process. At the same time, the cost of fixing errors after development was up to 100 times higher.

Choose the right tech stack

Choosing a tech stack for your project development is similar to choosing a car to buy. As a future owner, you need to take into account the cost of your car maintenance after the purchase, as high maintenance costs will add up to your total cost of car ownership.

According to Colette Wyatt, CEO of a UK-based software house Evolve, the cost of technology you are going to use for your project will directly affect the cost of your product development. What tools will you use? What framework will you work with? How large is the available pool of developers skilled in this or that stack? These are questions you need to answer in the first place.

Choosing the wrong technology stack can be costly, and it may bring you the following problems:

  • A new stack will take additional time to adopt, so your build time will be longer than expected;
  • Some of the latest tech stacks have frequent update cycles that will require frequent changes to keep the application running with the latest codebase;
  • You may have trouble finding experienced developers;
  • The technology stack can be hard to sustain.

Go to Cloud

If you’re a startup specialized in data analytics or data science, ignoring Cloud migration equals shooting yourself in the foot. Even if data isn’t your core business, you should still consider taking advantage of Cloud opportunities and streamlining all of your data-intensive processes by migrating your eCommerce or customer analytics to the Cloud.

Cloud computing can be extremely cost-effective for startups due to the increased productivity they gain. Deploying cloud-based software is significantly faster than a conventional setup.

While a typical company-wide installation takes weeks or months to complete, cloud software deployments can happen in hours. It means your employees will spend less time waiting and more time working.

What other benefits does Cloud-native architecture offer?

Greater flexibility

Cloud solutions are available on a pay-as-you-go basis. This format provides savings and flexibility in several ways. First of all, your startup doesn’t have to pay for software that isn’t in use. Unlike upfront licenses, in cloud computing, you typically pay per user. Plus, pay-as-you-go software can be canceled at any time, reducing the financial risk associated with any software that doesn’t work.

Finally, the initial cost of the Cloud is lower than that of on-prem solutions. For companies that need top-tier products but don’t have a large budget, cloud solutions offer fantastic flexibility.

Save on hardware

For high-growth companies, new equipment can be cumbersome, expensive, and inconvenient. Cloud computing solves these issues thanks to resources that can be obtained quickly and easily. Moreover, you eliminate the cost of repairing or replacing equipment.

Beyond the purchase cost, keeping equipment off-site also reduces internal power costs and saves space. Large data centers can take up valuable office space and generate a lot of heat. Moving to cloud-based applications or storage can help maximize space and significantly reduce energy costs and utility bills.

Pay less with Cloud credits

One company boasts being able to reduce its AWS costs from $55k to $20k per month and accomplish more than $500k yearly savings.

To replicate their success, here are some tips:

  • Applying for Cloud credits can reduce your annual development costs by as much as $100k (however, you need to check first if you’re eligible to apply);
  • Utilizing spot instances can save you up to 90% of costs;
  • Purchasing reserved instances in the Cloud marketplace can help save up to 75% of all Cloud expenses, etc.

Conclusion

Wrapping up, to reduce your software product development costs, you need to do the following:

  • Build a great team, either in-house or distributed across locations;
  • Start testing as early as possible;
  • Focus on the main features that will help you onboard first clients and monetize your solution fast;
  • Leverage Cloud computing.

A mix of the right people on the team, proper communication, the right tech stack, Cloud-native architecture, and a reliable tech partner is a significant prerequisite of successful product development.

Image Credit: Scott Graham

The post Six Tips for Startups to Reduce Their Software Product Development Costs appeared first on ReadWrite.

How to Install and Run Your Own Private VPN Server for Extra Security Online

In recent years, the fundamental insecurity of the internet has driven many to seek ways of protecting themselves and their data online. Businesses have pushed many of them in an attempt to help customers stay secure. There have been browser plugins to help force users to take advantage of SSL encryption on websites where it’s available.

The latest IoT devices are turning to short-range Z-Wave encrypted radio technology to keep attackers out. And email providers have increasingly adopted TLS encryption to protect email while it transits the internet.

For individual users, though, the latest internet security method of choice uses a virtual private network (VPN). Subscriptions for them are now available from countless commercial providers all around the world.

A VPN creates an encrypted tunnel that protects internet traffic between a user’s device and an endpoint server located elsewhere, where it exits onto the public internet. That grants the user a measure of security and privacy and some valuable extra benefits, such as the ability to watch any country’s Netflix library.

That doesn’t mean, however, that commercial VPNs are the only option. It’s becoming increasingly common for internet users (who are tech-savvy or have an adventurous spirit) to set up and operate their own VPN servers for private use. Doing so gives them greater control over where their data goes, who might have access to it, and exactly how it’s secured en route to its destination.

For those interested in setting up their own VPN server, here’s a basic rundown on the steps involved to make the process as user-friendly as possible.

First, Consider the Limitations

Before deciding to set up a personal VPN server, it’s essential to consider how you plan to use it and what you need it to do. If the primary purpose is to enhance your online security and keep your ISP (or another local network operator) from spying on you, a personal VPN is a good fit.

If you are looking for a VPN to anonymize your traffic or allow you to use services like BitTorrent without anyone tracing the activity back to you, a commercial VPN provider is a better option. With that out of the way — here’s what you need to do to get a VPN server up and running:

Choose a Cloud Hosting Provider

To operate a VPN server, you’ll need a machine to run it on that’s available from anywhere you might travel, and that has sufficient bandwidth to handle whatever traffic you send its way. For most people, that means choosing one of the many major cloud providers like Google GCP, Amazon AWS, or Microsoft Azure.

Any of those would make a good fit for a VPN server, but it’s important to look at the pricing details to see how much the traffic you expect to generate will cost you each month. If you’re planning to use your VPN to protect all of your web traffic, it might be worth looking into an unmetered VPS solution instead.

Choose a VPN Server Platform and Install

With a cloud provider lined up, the next decision to make is which VPN server type to deploy. Today, most commercial VPN providers rely on software called OpenVPN, which is freely available and open-source. Besides, many major cloud providers have ready-built OpenVPN server instances available, which make deploying one a snap.

It’s also among the fastest VPN protocols available, so it won’t slow down the internet connections of anyone using it. For all-around use, OpenVPN makes a good choice.

There are other options available, too. One is called SoftEther, another open-source project that acts as something of a Swiss Army knife for VPN provisioning. It supports connections using any of the major current VPN protocols, including OpenVPN, IPsec, MS-SSTP, and L2TPv3.

That means it’s capable of supporting connections from almost every internet-connected device imaginable, which makes it ideal if you need to protect a house full of devices.

By far, though, the best current solution for anyone deploying their own VPN server is Algo. It’s an easy-to-set-up VPN system that supports every cloud provider imaginable and has a step-by-step install process that makes getting it up and running easy enough for a novice to handle.

Better still, it supports connections using the WireGuard protocol, which is a highly-secure and blazing fast protocol that most people expect to be the eventual successor to the widely-used OpenVPN.

The great thing about WireGuard is that it works very well with mobile devices, negotiating unstable wireless signals with ease. That’s something that other VPN systems like OpenVPN struggle with. In many cases, a mobile device with a weak signal can be a nightmare to use with a VPN, with frequent disconnections and pauses for re-authentication.

WireGuard, by contrast, takes less than a second to reconnect when there’s a signal issue, providing a stable and seamless VPN experience no matter where you use it.

Configure and Connect Clients

With the VPN server up and running, the next step is to collect the information needed to connect devices to it. In the case of OpenVPN, the server installation process will have also created a client configuration file that may be used on any device with a native OpenVPN client available.

In those cases, all that’s required is to copy that file to the device and tell the client software where to find it. Then simply provide the username and password selected during the server installation, and the connection should complete with no issues.

For a SoftEther server, connecting a client can be a little more complicated. The server can generate configuration files for OpenVPN and IPsec clients, so if those are in use, the generated files should be all that’s needed on the client (besides the username and password you’ve set).

If the server is configured to use the native SoftEther protocol, nothing more than the server’s external IP address and the login information is necessary to get up and running.

If the server’s running Algo, the installer will have created configuration files for any device capable of running either the WireGuard client or an IPsec-compatible client. The server’s installer will specify where the files reside, and they’re all that’s needed to connect. Best of all, Algo will even generate a QR code with the required configuration information that makes connecting mobile devices as easy as snapping a picture.

Check for Leaks

Photo by Kevin Paster from Pexels

Once the necessary clients are connected, the last step is to check to ensure that all of the device traffic is being appropriately routed through the new VPN server.

The simplest way to do this is to visit a testing site that can scan your connection information. If the results reveal the device’s actual IP address or geographic location, something’s not working correctly. If everything’s right, the test should show the VPN server’s IP address and location and the DNS server information used during the server setup process.

In the case of an issue, retrace the setup steps on the server and client to ensure nothing’s been missed. Chances are, however, that everything will work on the first try.
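The online test only reflects the connection at the moment it is run, so a static review of the client configuration is a useful complement. The following is an added example, not code from the article or from Algo: it reads a WireGuard client file in wg-quick format and flags settings that let traffic or DNS lookups bypass the tunnel. The sample configurations, addresses, key placeholders, and function names are constructed for illustration.

```python
"""Static leak check for a WireGuard client config (added example)."""
import ipaddress

# Constructed sample configs; keys and addresses are placeholders.
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.49.0.2/32, fd00:49::2/128
DNS = 10.49.0.1

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.49.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 10.49.0.0/24
Endpoint = 203.0.113.10:51820
"""


def parse_wg_config(text):
    """Return (interface, peers); each maps lowercased keys to lists of values."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)  # a config may hold several peers
            else:
                current = None  # unknown section: ignore its keys
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # base64 keys may end in '='
        items = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip().lower(), []).extend(items)
    return interface, peers


def covers_everything(networks, version):
    """True if the networks of one IP version add up to the whole address space."""
    nets = [n for n in networks if n.version == version]
    collapsed = list(ipaddress.collapse_addresses(nets))
    # Also catches the split form 0.0.0.0/1 + 128.0.0.0/1, which collapses to /0.
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def find_leaks(text):
    """Return risk flags for traffic or DNS that would not enter the tunnel."""
    interface, peers = parse_wg_config(text)
    allowed = [ipaddress.ip_network(n, strict=False)
               for p in peers for n in p.get("allowedips", [])]
    findings = []
    if not covers_everything(allowed, 4):
        findings.append("ipv4-not-fully-routed")
    if not covers_everything(allowed, 6):
        # Only a real leak if the client network offers IPv6 connectivity.
        findings.append("ipv6-not-fully-routed")
    dns = interface.get("dns", [])
    if not dns:
        findings.append("no-dns-set")  # the system resolver stays in use
    for server in dns:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # wg-quick treats non-IP DNS entries as search domains
        if not any(addr in net for net in allowed if net.version == addr.version):
            findings.append(f"dns-outside-tunnel:{server}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, "->", find_leaks(cfg) or "no findings")
```

An empty result means the file routes all IPv4 and IPv6 traffic and its DNS servers through the tunnel; it does not replace the live test, which also catches problems outside the configuration file.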

Safe and Secure

If all went well, the result should be a fast, secure personal VPN server that is capable of protecting as many devices as you need (as long as you’re willing to pay for sufficient bandwidth).

Best of all, the setup is entirely disposable, which means it can be terminated or moved to a new hosting provider at any time. After getting through the setup once, it should be easy for just about anyone to repeat the process as many times as they need or want to.

The best part of all is that everything about the setup is under the direct control of its owner – meaning there’s no third-party to trust. And for the security-minded, there can be no more significant asset.

The post How to Install and Run Your Own Private VPN Server for Extra Security Online appeared first on ReadWrite.

Why Big Tech Companies are Building Cities, and Why Many are Worried

Situated in Menlo Park, south of San Francisco, is a 59-acre piece of land adjacent to the Facebook campus. It is proposed to become a fully self-contained and functional city called Willow Village. Here is why big tech companies are building cities, and why many are worried.

There is one notable thing about Willow Village that makes it different from other communities in the US: it is owned and being developed by the American social media giant Facebook Inc.

Proposed Plan for Willow Village, source: menlopark.org

The Facebook Village

In a few years’ time, Facebook employees will be able to work, live, and sleep without leaving the property of the 5th most valuable tech company in the world. This city is proposed to have more than 1500 homes, a pharmacy, a grocery store, office buildings, conference spaces, a 193-room hotel, and a public park.

Recently, there has been a trend of big tech getting involved in large construction projects, with Alphabet Inc., Google’s parent company, investing One Billion Dollars in its plans to build 20000 homes in Mountain View, and Apple finishing one of the world’s most expensive buildings, Apple Park, estimated at Five Billion Dollars.

Privately Owned Cities

The future will surely see employees of large tech companies living luxury lives in privately owned cities, rent-free, and with many benefits in the comfort of the property owned by the company they work for.

The financial crisis of 2008 ushered in a dramatic change in the way individuals choose college degrees. While the total number of available jobs took a downward turn during the recession, college students were far more likely to stay in school or go back and apply for a more marketable major. More people applied to majors that were more marketable or could provide better jobs rather than majors that interested them. 

According to a 2005 study, unemployment rates have an effect on the way people choose college majors. This can be seen in the way majors related to healthcare, engineering and computer science exploded after the great recession, while the number of applicants in education, philosophy, and religious studies saw a decline.

With the average salary of a US computer and information technology worker being $88,240, which is $39,810 more than the average salary of all other occupations, it is easy to see why high school graduates are flocking to these majors in large numbers.

Computer science students

With the influx of computer science students, many people wonder why the market is not saturated. Students are picking college majors according to their career prospects, a degree in computer science is easy to obtain, and salaries are exceptionally high, which means the market should be flooded with computer scientists.

The problem is that demand for computer scientists has increased tremendously. The market is not flooded, however, because universities have a hard time producing computer science professors, which in turn reduces the number of computer science graduates.

Rather than having to wait at least nine years to get a bachelor’s, masters, and then a doctorate, CS graduates would rather enter the job market and get paid the same salary they would have if they worked as a college teacher or even more because of the extra five years experience.

Why Are Tech Companies Building Cities?

The shortage of computer science professors has put universities in a tight spot. They can either accept only a particular number of the high school graduates applying for computer science majors, or they can increase class sizes to increase the number of CS graduates and risk hitting the staff-to-student ratio and lowering the school’s ranking.

New shortage in grads

Today, there is a shortage of computer science graduates, so tech companies or organizations that wish to employ these graduates have to go the extra mile to please them with high salaries, stock options, bonuses, and many more benefits, or risk losing them to other nearby tech companies, leaving employees with an advantage.

Because tech companies are so concentrated in certain areas like Silicon Valley, changing jobs is especially easy: huge tech companies like Google, Facebook, and Apple are just a couple of miles from one another, so employees do not even have to change homes if they decide to switch jobs. Tech companies therefore have a hard time retaining their employees and have especially low retention rates.

Average stay of employee in one company

The average employee at Google or Apple stays a little less than 2 years before calling it quits. The low retention rates of tech companies pose a huge problem and many are striving to remedy it.

Ways to garner retention of employees

With the low retention rate of employees, companies have to find new ways to retain their employees. Employers thus have to go the extra mile to make workers happy, with gym memberships, cell phones, fitness and wellness programs, wifi-equipped buses, and subsidized Uber rides.

A very good and effective way of keeping employees, though, is for companies to involve themselves in every aspect of employees’ lives. This is where company-owned homes come in. It is much harder to leave a company if that same company owns your home and that of your friends and family.

By increasing employees’ dependence on the company, we can surely expect to see the average tenure of employees increase. Companies have been trying to do this by building homes, with Facebook even going as far as paying a $10000 bonus to employees who live close to the office.

Why Many Other Businesses (and People) are Worried

The many benefits employees get from companies trying to keep them surely increase employees’ well-being and retention rates, which is beneficial to both staff and organizations but might come at the expense of society.

Companies try to make commuting and living more enjoyable, with the ultimate goal of increasing employee retention, by providing transport such as wifi-equipped buses and cab rides, as well as houses for employees. But in doing so, they use public infrastructure like bus stops without improving the quality of public transportation.

Affordable housing

Because of the tech boom and the concentration of tech companies in tech hubs like New York and San Francisco, housing has been made less affordable as there has been an increase in the average rent of these cities.

There have been a lot of concerns about the fact that as big tech companies expand their physical presence, the line between public and private is blurred.

Not only are the lines blurred, but local governments find themselves not governing but being governed by these companies.

For example, in 2014, Facebook funded a police station next to its campus, along with offering to pay an officer $200000 as a yearly salary. It is time for the country to reevaluate the power companies have over the government.

Please add your opinion in the comments. I’d like to know.

The post Why Big Tech Companies are Building Cities, and Why Many are Worried appeared first on ReadWrite.

Why You Shouldn’t Use Statista to Make Business Decisions

Every veteran entrepreneur knows that there’s a long journey from a business idea to its execution. Not even the brightest minds out there can ever predict all the potential roadblocks, the ever-changing market trends, and the hidden growth opportunities. However, the good news is that they don’t need to. Here is why you shouldn’t use Statista to make business decisions.

Develop the correct insights for your business

While we can debate the importance of gut feeling, the truth is that when it comes to business, having the right insights at your disposal is priceless. Let’s take a look at Starbucks, for example. The coffeehouse tycoon has taken an everyday beverage and turned it into an experience.

With tasty drinks, stylish interiors, and other attractive aspects like free wifi, it has built a buzzing community of over 24,000 stores.

But the company didn’t shoot in the dark: It managed to find out exactly what consumers wanted and how much they would be willing to pay for it. Would Starbucks be able to achieve such impressive growth by studying generic information on hospitality industry trends? Unlikely.

When you utilize advanced market research in your business strategy, you invariably outperform syndicated research platforms. Here’s why.

You need quality third-party insights

Businesses don’t exist in a vacuum.

While being data-driven has predominantly become a slogan that is pushed to sequestered sections of websites, the truth is that running a successful company requires having a long-term vision that enables leaders to make optimal decisions.

To power strategic business direction – whether that’s launching a new product or revamping a website – it’s key to generate strategic knowledge based on both internal business intelligence and actual market data.

The strategic knowledge should be provided by external sources – and there are various reasons for that.

Let’s say that a company like Unilever wants to conduct a study on the most preferred soap globally. Coming from an inherently subjective background, the company will struggle to secure a neutral perspective.

Not only will the results be distorted, but respondents might fail to give honest feedback, and there’s pressure for further imbalances when presenting the results to the company’s structures.

Outsourcing research is key when looking to acquire market data as well.

If you were to call up a distributor of Procter and Gamble and Johnson & Johnson on behalf of Unilever to inquire about the data, it’s likely you wouldn’t get very far.

Independent market research can, on the other hand, work within the broader guidelines from ESOMAR – the world’s leading market research house.

These guidelines include an agreement that enables data collection in an integrated but anonymized manner, allowing market research agencies to display trends without giving out any sensitive information.

Market research agencies often have powerful capabilities at their disposal.

Anyone can pick up the phone and make a call, but the right agencies know how to judge who to call, who to avoid, how best to approach preferred leads, and how to carry out research in the most effective ways.

Agencies also have access to databases, expertise, and tools to carry out the analysis – something that many in-house teams lack.

However, one must be picky with external sources too. Syndicated market research is to insights as Wikipedia is to knowledge. It might be useful as a springboard to help you get oriented in a topic, but it can’t really work to build strong foundations for an argument.

Even if the statistics are correct, there’s no actual validation of the data, meaning that it can’t be considered credible. The sources are not known, the names of the analysts aren’t disclosed, and there is no information about the methodology – which is fundamental to every research project.

From traditional market research to platforms

There is, in fact, an even more important reason why syndicated research just won’t do anymore.

Our data capabilities have developed immensely over the last 15 years, and with that, the demands too. Two decades ago, generalized sources would provide valuable information, but companies now are looking toward more targeted insights that are specific to their unique business needs.

The parameters that market research has covered in the past are now freely available on the internet – so there’s a need to dive much deeper into the real business problem.

Simply said, intelligence starts with business-specific studies.

While the traditional model has businesses paying tens of thousands of dollars for hundreds of statistics, it’s obvious that we are moving toward a more hybrid and dynamic market research landscape.

The new market research landscape is one that still provides high-quality insights but often with a focus on your specific niche.

Rather than comprehensive reports with thousands of samples, businesses can get similar results by running a Twitter analysis for only a fraction of the price.

In fact, technology has enabled new sources of knowledge, further diversifying market research to be even more accurate and integrated: Apart from social media analysis, we’re seeing increased use of sentiment analysis, video analysis, consumer engagement monitoring, and much more.

Analysts are no longer focused on one domain; they are ramping up their experience in diverse, platform-oriented research fields. Platforms are brimming with experts that can help answer tough business questions by running a specific analysis at prices starting at just a few tens of dollars.

Targeted insights – immediately

Back in the mid-2000s, it was common to spend up to 3 months waiting for an external research assignment – after all, you were probably going to get “something good”. Ten years later, the waiting time has reduced to a maximum of 20 days, but today, even that doesn’t suffice.

Thanks to platforms, expertise, and capable analysts, today, we can have insights at our fingertips in real-time.

The need for real-time insights has proven particularly important during the current COVID-19 crisis. In fact, 49% of companies are now using data analytics more than before the pandemic, and both the quality and the delivery of data play a key role.

No one will wait for a survey to be carried out in 60 countries – industries are dynamic and market conditions change constantly. However, syndicated research sites might fall behind due to their inability to deliver in short time frames.

Businesses are now looking to get answers to their unique questions.

Staying up to date with the latest developments isn’t just a differentiator anymore — it’s a vital aspect of business decision-making.

Whether looking to launch a product, find when things will go back to the pre-COVID level, or understand the real impact of the crisis, the answers can’t be found with internal data only.

A bad decision is going to cost you much more than the cost of a market research report.

The post Why You Shouldn’t Use Statista to Make Business Decisions appeared first on ReadWrite.

WordPress Security Fundamentals

WordPress dominates the global market of content management systems (CMS). Its tremendous popularity makes it a lure for malicious actors. The WordPress Core in its current state is fairly secure by design, which explains the relatively small number of hacks exploiting it. Here is a guide to WordPress security fundamentals.

Cybercriminals are increasingly adept at piggybacking on flaws related to WP plugins, themes, hosting providers, and website owners’ security hygiene.

Who is Targeting WordPress and Why?

Most incursions zeroing in on WordPress sites are orchestrated through the use of automated tools such as crawlers and bots.

These entities are constantly scouring the Internet for crudely secured websites. If they pinpoint a documented vulnerability, they take advantage of it in a snap.

Spam

Here’s a little bit of wiki information: spam accounts for roughly 50% of all emails sent.

Malefactors may gain a foothold in your server via a security loophole in a plugin or an outdated version of the WordPress engine to repurpose the server for generating spam.

Siphoning Off Server Resources

Cybercrooks may infiltrate poorly secured WordPress sites, access the underlying servers, and harness their processing power to perform coin mining surreptitiously.

Black Hat SEO

One of the increasingly common WordPress hack scenarios is to gain unauthorized access to a website’s database and furtively embed keywords and hyperlinks related to another site.

Embedding keywords and hyperlinks is a shortcut to hijacking and boosting the rankings of an attacker’s site on search engines.

Info-Stealing Foul Play

Seasoned hackers know the true value of data, especially in such areas as e-commerce and user behavior patterns. Felons can rake in hefty profits by retrieving this information and selling it to interested parties on the Dark Web.

Your Top Priority 

WordPress security should be every webmaster’s top priority as remediating a hacked WordPress site is easier said than done. You have to assess every single line of code to spot dodgy content, eliminate it, and re-enter valid strings.

Another thing on your to-do list is to change all authentication details, including database and server passwords.

Another facet of the issue is that the search rankings of a compromised website may deteriorate dramatically down the road, which translates to fewer visitors and lower monetization.

An extra thing to consider is that people won’t go to a site unless they trust it. A breach will most likely impact your reputation, which takes a lot of time and effort to restore.

WordPress Security: The CIA Triad

In information security terms, the CIA acronym stands for “confidentiality, integrity, and availability.” This CIA model is the stronghold of every digital security initiative. When it comes to WordPress, the anatomy of CIA is as follows:

Area 1: Confidentiality

  • Sensitive Data

WP plugins, themes, and global variables are a Pandora’s box filled with confidential information or breadcrumbs leading to such data. If you slip up by setting the value of the WP_DEBUG parameter to “true” rather than “false,” this will unveil the path to your website’s root directory. You don’t want that.

Author pages can also be verbose in this context because they often include usernames and email addresses. An attacker may try to guess or brute-force an author’s password. If it isn’t strong enough, a site compromise is imminent.

  • User Credentials

To its credit, the WordPress platform takes password strength seriously, helping users avoid the scourge of weak credentials. However, these efforts might not be enough.

An additional technique that can make an attacker’s life harder is to enable two-factor authentication. Restricting the number of failed sign-in attempts is worthwhile, too.
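One way to restrict failed sign-in attempts, as an added example that is not part of the original article or of WordPress itself. The "acme_" names, the threshold and the lockout window are assumptions; the hooks, transient functions and WP_Error are WordPress core APIs.

```php
<?php
// Added example, not from the original article. Function names, the
// threshold and the lockout window are assumptions chosen for illustration.

const ACME_MAX_FAILURES = 5;    // failed attempts allowed per client address
const ACME_LOCKOUT_SECS = 900;  // counter lifetime: 15 minutes

/**
 * Transient key for the connecting client.
 * REMOTE_ADDR is the direct TCP peer. Behind a reverse proxy or CDN this is
 * the proxy's address, so derive the client address from the proxy's
 * forwarding header only when that proxy is one you control.
 */
function acme_attempt_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'acme_fail_' . hash( 'sha256', $ip );
}

// Count every failed sign-in. Each failure also restarts the expiry timer,
// so a client that keeps guessing stays locked out.
add_action( 'wp_login_failed', function () {
	$key      = acme_attempt_key();
	$failures = (int) get_transient( $key );
	set_transient( $key, $failures + 1, ACME_LOCKOUT_SECS );
} );

// Refuse authentication once the limit is reached. Priority 100 runs after
// core's own credential checks, so the WP_Error returned here is the final
// result even when the submitted password was correct.
add_filter( 'authenticate', function ( $user ) {
	if ( (int) get_transient( acme_attempt_key() ) >= ACME_MAX_FAILURES ) {
		return new WP_Error(
			'acme_locked_out',
			'Too many failed sign-in attempts. Please try again later.'
		);
	}
	return $user;
}, 100 );

// A successful sign-in clears the counter for that address.
add_action( 'wp_login', function () {
	delete_transient( acme_attempt_key() );
} );
```

The error message is deliberately the same whether or not the username exists, so the lockout does not confirm valid account names.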

Area 2: Integrity

  • Data Verification

WordPress is committed to handling data securely and does a lot to ensure this. However, these mechanisms don’t work beyond its core, so web developers should get the hang of validating the rest of the code.

Querying a site’s database directly could be a less secure approach than leveraging functions like “update_post_meta.” The latter can fend off SQL injection, a sketchy tactic aimed at executing harmful code via forms embedded in a web page.

This tactic can become a launchpad for depositing dangerous strains of Windows and Mac malware onto visitors’ computers.

To thwart SQL injection raids when running a complex query or when handling a custom table, it’s best to use the wpdb class and pass every query through its prepare() method.
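The difference on a custom table, shown as an added example that is not code from the original article: the same lookup written with string concatenation and then with prepare(). The table, its columns and the "acme_" function names are hypothetical; $wpdb, prepare(), esc_like() and get_results() are the WordPress database API.

```php
<?php
// Added example, not from the original article. Table, column and function
// names are hypothetical.

/**
 * VULNERABLE: request input is concatenated into the SQL text, so the input
 * can change the structure of the query instead of only supplying values.
 */
function acme_find_orders_unsafe( $customer_email, $status ) {
	global $wpdb;
	$table = $wpdb->prefix . 'acme_orders';
	return $wpdb->get_results(
		"SELECT id, total FROM {$table}
		 WHERE customer_email = '{$customer_email}' AND status = '{$status}'"
	);
}

/**
 * HARDENED: every value travels through a typed placeholder, so it is
 * escaped and quoted by prepare() and can never become SQL syntax.
 */
function acme_find_orders( $customer_email, $status, $min_total = 0, $note_contains = '' ) {
	global $wpdb;

	// Identifiers cannot be placeholders; build them from trusted values only.
	$table = $wpdb->prefix . 'acme_orders';

	// Values with a closed set of legal options are checked against a list.
	$allowed_status = array( 'pending', 'paid', 'refunded' );
	if ( ! in_array( $status, $allowed_status, true ) ) {
		return array();
	}

	// %s = string, %d = integer, %f = float. Placeholders are left unquoted.
	$sql  = "SELECT id, total FROM {$table}
	         WHERE customer_email = %s AND status = %s AND total >= %f";
	$args = array( $customer_email, $status, (float) $min_total );

	if ( '' !== $note_contains ) {
		// esc_like() makes % and _ in the input match literally; the
		// wildcards are added by this code and passed as a bound value.
		$sql   .= ' AND note LIKE %s';
		$args[] = '%' . $wpdb->esc_like( $note_contains ) . '%';
	}

	return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}
```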

  • Query Sanitation

Queries related to WordPress site management are generally secure as long as SSL is turned on and you resort to trustworthy hosting services. But not all hosting services are trustworthy, so this isn’t a bulletproof ecosystem.

It’s in your best interest to monitor user intentions and ascertain that an incoming query comes from a registered user.

WordPress employs what are called nonces to verify actions initiated by users. These security tokens are formed alongside every user-originated request. Since nonces are paired with specific URLs, they are subject to mandatory inspection on the receiving side before the request is executed.
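The nonce round trip described above, as an added example that is not code from the original article: a form that carries a nonce and a handler that verifies it, checks the user's capability, and only then writes through update_post_meta(). The action name, field names and meta key are hypothetical; the functions called are WordPress core APIs.

```php
<?php
// Added example, not from the original article. The action name, field
// names and meta key are hypothetical.

// 1. Issue: wp_nonce_field() prints a hidden input whose token is bound to
//    the action string and the signed-in user, and expires after a time.
function acme_render_subtitle_form( $post_id ) {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="acme_save_subtitle">
		<input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">
		<input type="text" name="acme_subtitle">
		<?php wp_nonce_field( 'acme_save_subtitle_' . $post_id, 'acme_nonce' ); ?>
		<button type="submit">Save</button>
	</form>
	<?php
}

// 2. Verify: admin_post_{action} fires for signed-in users only.
add_action( 'admin_post_acme_save_subtitle', 'acme_handle_save_subtitle' );

function acme_handle_save_subtitle() {
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	$nonce   = isset( $_POST['acme_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['acme_nonce'] ) )
		: '';

	// The token must match this exact action and post, or the request is
	// rejected before anything is read or written.
	if ( ! $post_id || ! wp_verify_nonce( $nonce, 'acme_save_subtitle_' . $post_id ) ) {
		wp_die( 'Request could not be verified.', '', array( 'response' => 403 ) );
	}

	// A nonce proves intent, not permission: check the capability as well.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You are not allowed to edit this post.', '', array( 'response' => 403 ) );
	}

	$subtitle = isset( $_POST['acme_subtitle'] )
		? sanitize_text_field( wp_unslash( $_POST['acme_subtitle'] ) )
		: '';

	// The core API builds and escapes the SQL itself.
	update_post_meta( $post_id, '_acme_subtitle', $subtitle );

	wp_safe_redirect( get_edit_post_link( $post_id, 'raw' ) );
	exit;
}
```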

  • Third-Party Code

Most WordPress compromise incidents revolve around vulnerable plugins, themes, and unpatched versions of the WordPress engine. In other words, the less third-party code, the smaller the attack surface.

In case you can’t do without a specific WP component of that sort, be sure to do your homework and scrutinize it first. The things you should pay attention to include the user feedback, the date its latest build was released, and the PHP version it supports.

Additionally, check expert reviews on well-established security resources such as Wordfence.

Area 3: Availability

  • Updates

As far as the WordPress engine is concerned, it gets security updates automatically. However, the process isn’t as hassle-free with themes and plugins. You may have to check for updates and install them manually.

Furthermore, it might be a bumpy road because you can’t be sure that these third-party entities work flawlessly until they are tested extensively. Users often go through a lot of trial and error with them.

  • User Roles and Privileges

Sensitive data should be safe as long as it’s in the right hands. Therefore, you need to diversify access permissions to ascertain that each user can’t access more information than they actually need. A great way to manage privileges is to create user roles. The user role technique will also prevent third-party components from tweaking the WordPress Core files.

  • Email

WordPress works with email at the level of the server it’s installed on. To protect it from snoops, you should consider using the SMTP communication protocol.

There are numerous plugins that facilitate the process of sending emails via a tamper-proof SMTP connection.

You will need to add a new Sender Policy Framework (SPF) record, which requires access to the domain name’s DNS settings. The above-mentioned record is tasked with ensuring that the domain allows the SMTP service to send emails.

  • Auditing

The importance of keeping tabs on data integrity stems from the fact that attackers will be able to modify the code if they manage to access the server.

Thankfully, this issue can be addressed by means of specially crafted plugins. For example, the security plugin by Sucuri is a good choice. It checks your entire file database for a plethora of harmful code samples.

  • Backups

If you’re using a trusted hosting provider, it most likely performs the whole backup routine for you.

Even if your provider doesn’t offer an automatic backup feature for your site, there are plenty of alternative options to choose from. For instance, some services can back it up to cloud storage like Amazon S3 or Dropbox.

  • Hosting services

Low-quality hosting services are a common source for adverse scenarios where WordPress websites run obsolete PHP versions. There tends to be a big gap between managed hosting and one that simply provides a directory with database access.

You would always be better off finding a reputable managed hosting for your WordPress site. Although this could be a pricey option, you can rest assured that the security will be at a decent level.

Summary

The WordPress engine itself is getting regular updates that deliver patches and improvements, but the ecosystem around it isn’t nearly as secure.

The good news is, if you follow safe practices when installing themes and plugins, adding new user roles, and writing new code, your website should be on the safe side.

The post WordPress Security Fundamentals appeared first on ReadWrite.

The Curious Case of Using Airdrop as a Tinder Alternative

Back in 2011, Apple engineers masterminded an awesome feature called AirDrop. It’s intended to facilitate file transfers among supported devices. The process is amazingly simple and doesn’t require device pairing at all — it works out of the box and only takes a few clicks or taps to complete a file exchange. Here is the curious case of using Airdrop as a Tinder alternative.

AirDrop uses a combo of Wi-Fi and Bluetooth protocols so the data transfer speeds are huge.

Interestingly, some tricks may allow you to extend the use of this feature beyond simply sending files.

For example, you can find out the phone number of another person who is in the same subway car with you. I’ve been recently using this feature to meet new people on my way to work, in public transport, and all kinds of diners.

Sometimes I walk out of the subway with a new friend. Intrigued? Here are the ins and outs I’ve found of this unorthodox way of using AirDrop.

How AirDrop works

AirDrop is a service for data transfers within a peer-to-peer network. It can function via a classic local network and over the air between any Apple devices. I’m going to dwell on the latter scenario, where two nearby devices don’t have to be connected to the same network.

For instance, two people are riding the subway and their smartphones aren’t connected to the same public Wi-Fi.

To start a data transfer session via AirDrop, the sender’s smartphone broadcasts a BLE (Bluetooth Low Energy) advertising packet that contains hashed information about the sender’s iCloud account and telephone number.

The packet then requests a connection via AWDL (Apple Wireless Direct Link), which is reminiscent of Android’s Wi-Fi Direct.

On the receiving side, the status of the AirDrop feature can be one of the following:

  • Receiving Off — the device cannot be detected at all.
  • Contacts Only — it can only receive files from the user’s contacts. For the record, a contact is a phone number or email tied to your iCloud account.
  • Everyone — the device can receive files from any users nearby.

Depending on the privacy preferences, the phone will either accept the AWDL connection or it will simply ignore the BLE advertising packet.

If the “Everyone” option is selected in your privacy settings, the devices will get connected via AWDL at the next stage. Then, they will form an IPv6 network connection with each other.

AirDrop operates within this network as an application-layer protocol, using mDNS (multicast DNS) over standard IP communication.

How to meet new people using AirDrop

You’ve had enough of boring theory, so let’s now move on to practice. Although online dating is very popular, you can grab your smartphone and go hook up with someone offline using modern technology. But first, keep the following nuances in mind:

  • The trick only works if the receiving smartphone is unlocked at the moment.

    Ideally, your target should be gazing at their device. People are mostly looking at their devices in places where they are bored, like the subway, or any other place where you have to sit and wait.

  • Take your time.

    A successful “conversion” usually occurs after you send a couple of pics, therefore you need to stay at the same spot for at least five minutes.

    I think of a successful “conversion” as a moment when you negotiate over AirDrop to continue chatting in the messenger. The connection is sometimes hard to do on the go because it could be problematic to figure out right away who has accepted your payload.

    Your target may walk away before you get the chance to settle on further communication.

  • Personalized files work better

    The best payload seems to be an eye-catching piece of media content you’re sending via AirDrop. A vanilla image with a meme in it probably won’t do the trick.

    The content should be aligned with the situation and imply a clear-cut call to action.

The classic method – nothing but the smartphone

This one is suitable for everyone who owns an iPhone, and it doesn’t require any particular skills except the ability to socialize. Turn on the “Everyone” mode in AirDrop settings and head to the subway.

According to my observations, almost all iDevices broadcast the owner’s name, which allows you to easily determine their gender and prep the appropriate payload.

The payload

As previously mentioned, a unique payload is more effective. Ideally, the pic should include the owner’s name. The fun part is that this image used to be shown right on the victim’s display without any extra actions on their end.

The person didn’t even have to tap “Accept” or anything like that, so you could instantly see the reaction.

I mostly created these images using the graphics editing component built into the Notes app, plus a crude version of the mobile Photoshop tool. As a result, I would often have to walk out of the subway car before the right image was ready.

While I was refining my drawing skills, iOS 13 was released. One of the changes introduced in this version is that images received from unfamiliar users are no longer displayed on the screen. Instead of the graphical preview, the person only sees the sender’s name.

In other words, the only way to address the target by name in iOS 13 onward is to specify it in your iPhone settings. For instance, you can rename your device as “Hi Emily!” Speaking of which, here’s a quick tip: you can include emoji in your gadget’s name.

Of course, this technique isn’t nearly as impressive as sending a custom image, but it still increases the odds of the target tapping the “Accept” button.

Further actions are a matter of your creativity and sense of humor. There’s one thing I can say for sure: those who join this game and start replying with images or send you notes are usually very easy-going and interesting people.

On the other hand, those who don’t reply or simply reject your message tend to be snobs who think too highly of themselves. Also, the fear factor plays a role in some cases: shy and oversensitive people are afraid to interact with a pushy stranger.

The bottom line

Your new Airdrop hobby is the perfect way to have fun in the subway. It’s got a wow effect that lures curious people. I bet some of your new acquaintances won’t mind playing along.

Some people might even change their plans and exit the subway at your station to have a coffee together. I’ve met a lot of new people in a year’s time and continue to communicate with some of them.

Unfortunately, not all tricks targeting Apple devices are as harmless as this one. Malicious actors are increasingly infecting Mac computers and iPhones with malware these days, and many of these campaigns also have a flavor of social engineering.

An example is the ongoing adware distribution stratagem that relies on deceptive pop-up alerts stating that your Adobe Flash Player is out of date. Instead of installing the purported update, though, these ads promote browser hijackers and scareware.

To keep your Apple devices safe, avoid application bundles that may conceal malicious code under the guise of benign software. Be sure to keep your operating system and third-party apps up to date – this will address all recently discovered vulnerabilities and harden the overall security of your iOS or macOS device.

Furthermore, refrain from clicking on links received from strangers as they might lead to malware downloads and phishing sites.

It’s a good idea to audit the privacy settings of your most-used apps. In particular, make sure they don’t have access to sensitive data such as your location unless they really need it to work right. Also, keep your devices locked when not in use and specify strong passwords to prevent unauthorized access.

The post The Curious Case of Using Airdrop as a Tinder Alternative appeared first on ReadWrite.
