Digital marketing, startups, and platforms Posts

My website got hacked — here’s what I learned

My friend Vignesh alerted me earlier this week that my site has been hacked and is forwarding to some malware site.

At first, I called GoDaddy to ask for help. That was useless. It turns out their tech support consists of sales reps trying to sell you shit — no help for cleaning the site. They could do it for me for 200 pounds, which I didn’t feel like paying, especially since they advertise their contact number as support, not sales.

So, I started googling and learning how to fix the site myself.

Here are the lessons I learned

  • Only install plugins and themes you really need and use. Every theme and plugin is a potential security risk. Most likely, hackers utilized one of my plugins to enter the website. I had tons of plugins and themes I didn’t use and although I did update them every now and then, the plugin creators are not necessarily fixing the vulnerabilities that quickly if at all.
  • Keep WordPress core, themes, and plugins updated. As I mentioned, I updated the themes and plugins every now and then. It’s important to do that as frequently as updates roll in. However, my WordPress core is automatically updated by GoDaddy. That’s why I think an outdated plugin was probably the root cause for the hack.
  • Don’t use GoDaddy — in the process, I learned their tech support is useless. In addition, I read WP Engine is safer than GoDaddy – they block some plugins altogether, and actually fix your site for free if it’s been hacked. GoDaddy also doesn’t let you change your database password after being hacked (talking about their Managed WordPress hosting which I’m using), so even though I cleaned the website, it’s still potentially vulnerable.

Here are the steps I did for the cleaning. Also including some useful links to start from in case your WordPress gets hacked.

  • To GoDaddy’s credit, I could find a message where they listed infected files on my website. I started by manually removing these 15 files.
  • .htaccess was infected. I replaced its content with default content (code in [1], also includes additional code that blocks external connections [2])
  • Removed all plugins and themes apart from the theme I’m using and CloudFlare CDN plugin which I need. Everything else could go.
  • Downloaded a fresh copy and reinstalled my theme from scratch (removed the whole folder and replaced with a clean one).
  • Installed the free Anti-Malware Security and Brute-Force Firewall and ran the analysis. It couldn’t find any more infected files, but suggested potentially vulnerable files. I went through these files manually one by one. They contained no suspicious code and their edit dates did not differ from those of a clean WP installation, so they were not compromised.
  • Changed WP security tokens to log out every user.
  • Removed a spam user and changed other users’ passwords to new, strong passwords.
  • Manually checked WP core files for malicious code but couldn’t find any (also comparing Last Modified times to those in a clean WP directory helps).
  • Set up a .htaccess script that blocks php files in Upload folder [3]
  • Finally, made sure that WP + theme + plugins that remain are up-to-date.

The only things I didn’t do are (1) reinstalling WP core (used a virus scanner + manual check instead) and (2) changing SQL password (GoDaddy doesn’t let you do that — another reason to avoid them). Moreover, (3) raw usage logs could also be viewed via Cpanel in order to find IPs of the hackers but, again, GoDaddy doesn’t give you Cpanel access in the plan I’m using.
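The manual comparison of WP core files against a clean copy, and the check for PHP files in the uploads folder, can be scripted. The following is an added example, not code from the original post: it compares SHA-256 hashes instead of Last Modified times (timestamps can be reset, file contents cannot be faked that way), and the `SITE_SPECIFIC` and `SCRIPT_SUFFIXES` lists and the demo tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")          # directories shipped with WP core
# Assumption: files a pristine download never contains; review these by hand.
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}
# Assumption: extensions commonly executed as PHP by web servers.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_core(root):
    """Map relative path -> SHA-256 for top-level files and the core directories."""
    root = Path(root)
    files = [p for p in root.iterdir() if p.is_file()]
    for name in CORE_DIRS:
        if (root / name).is_dir():
            files += [p for p in (root / name).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in files}


def compare_to_clean(site_root, clean_root):
    """Classify core files of the live site against a fresh WordPress download."""
    site, clean = index_core(site_root), index_core(clean_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "unexpected": sorted(f for f in site
                             if f not in clean and f not in SITE_SPECIFIC),
        "missing": sorted(f for f in clean if f not in site),
    }


def scripts_in_uploads(site_root):
    """List script files under wp-content/uploads, where only media belongs."""
    uploads = Path(site_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(site_root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES)


def demo():
    """Build two small constructed trees (not real WordPress files) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        layout = {"index.php": "<?php // front controller",
                  "wp-includes/version.php": "<?php // version file",
                  "wp-admin/admin.php": "<?php // admin bootstrap"}
        for root in (clean, site):
            for rel, body in layout.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed differences on the "live" side.
        (site / "index.php").write_text("<?php // front controller\n// extra line")
        (site / "wp-includes" / "extra.php").write_text("<?php // not in core")
        (site / "wp-config.php").write_text("<?php // site settings")
        (site / "wp-admin" / "admin.php").unlink()
        up = site / "wp-content" / "uploads" / "2020" / "01"
        up.mkdir(parents=True)
        (up / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (up / "thumb.PHP").write_text("<?php // should not be here")
        return compare_to_clean(site, clean), scripts_in_uploads(site)


if __name__ == "__main__":
    print(demo())
```

The clean copy must be the same WordPress version as the live site, otherwise every changed core file shows up as modified. Where WP-CLI is available, `wp core verify-checksums` performs the core comparison against the official checksums.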

Useful links I used

https://sucuri.net/guides/how-to-clean-hacked-wordpress

10 Steps to Remove Malware from Your WordPress Site

https://codex.wordpress.org/FAQ_My_site_was_hacked

https://www.killersites.com/community/index.php?/topic/22255-i-think-my-wordpress-site-was-hacked/

Footnotes

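[1]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

[2]

# Block WordPress xmlrpc.php requests
# Kept outside the BEGIN/END WordPress markers, because WordPress rewrites that section.
# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, or use "Require ip 123.123.123.123" instead.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

[3]

# Goes in the .htaccess of the uploads folder.
# Apache 2.2 syntax; the Apache 2.4 equivalent is "Require all denied".
<Files *.php>
deny from all
</Files>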

Sales is a waste of resources – thoughts on the usefulness of sales in the big picture

In the national economy, a significant amount of resources is spent on sales that produce no results or are not necessary.

Sales is necessary when the customer has a need, whether or not they are aware of it. In both cases the salesperson is useful to the customer: the salesperson acts as a conveyor of information and thereby makes the market work more efficiently. The logic is the same as in the theory of informative advertising.

But when the product being sold is neither needed nor wanted, it is a pure waste of resources (assuming that the resource, i.e. human labour, could be used for something genuinely useful, which is not necessarily always true).

In that case there is no genuine match, and as a result both seller and buyer waste their time. Sales can even be harmful – when a person is, so to speak, tricked into buying something they did not want merely through pushy selling.

For these reasons, salespeople are usually met with a cool reception – time is valuable, and when there is no need, the time wasted on the interaction has to be minimized. I know from experience that a manager-level person spends a lot of time dealing with salespeople, and many salespeople do not believe that there is no real need, but try to push their product by force.

A cool attitude can, however, be a problem for the buyer when the salesperson would be offering something genuinely useful, but that point is never reached because the opportunity is not allowed to emerge. The buyer’s best strategy is therefore to listen to the basic idea and then conclude whether it is of interest or not. Fundamentally, it is a matter of judgment.

However, there are also so-called polite buyers who, for one reason or another, do not say that they are not interested or that they cannot buy anything. Then the problem is reversed, and it is the salesperson who wastes time.

The buyer’s refusal can be divided into the following main categories:

  • genuine refusal = there is no need, and further persuasion will not help here. The optimal solution for both seller and buyer is then to move on.
  • disingenuous refusal = there is a need, but it is not recognized / the buyer refuses to listen. The optimal solution would then be further persuasion, which benefits both parties.
  • genuine acceptance = the purchase is made because there is a need. This is the optimum for both parties.
  • disingenuous acceptance 1 = the purchase is made although there is no need, e.g. as a result of hard selling or ignorance. In this game the buyer loses.
  • disingenuous acceptance 2 = no purchase is made, but the buyer lets it be understood that one might be. Certain buyers use salespeople, e.g., to build up their own expertise with no intention of buying. The buyer then benefits at the seller’s expense; the seller loses time for nothing. Disingenuous acceptance can also result from general politeness that the seller misinterprets as a buying signal, or from maintaining the company’s image by giving every salesperson a fair hearing.

From the national economy’s point of view, inefficient sales is both a micro- and a macro-level problem. Micro-level, because at worst it brings down the selling organization – startups in particular lack the financial buffer for long and fruitless sales negotiations. At the macro level, the optimum is reached when people do productive work.

In conclusion, genuine relationships that do not materialize are OK, but disingenuous acceptances create inefficiency.

The salesperson should think about the following:

  1. how can a disingenuous refusal be recognized?
  2. what is the right strategy for dealing with disingenuous refusals?
  3. how can a disingenuous acceptance be recognized?
  4. what is the right strategy for dealing with disingenuous acceptances?

It would be best for everyone to “put the cards on the table” and find out as quickly as possible:

  • what is the purpose of the service being sold?
  • does the customer have a genuine need for it?
  • can the customer make the purchase now? if not, when?

Ultimately, the inefficiency problems of sales can be counted as communication errors.

Digital analytics maturity model

Digital analytics maturity model:

  1. Concepts — here, the focus is on buzzwords and the realization that “we should do something”.
  2. Tools — here, focus is on tools, i.e. “Let’s use this shiny new technology and it will solve all our problems.”
  3. Value — here, we finally focus on what matters: how will the tools and technologies serve and integrate with our core competitive advantage, i.e. “Guys, what’s the point?”.

Applies to almost any booming technology.

Problem of continuous value in SaaS business

A major challenge for many SaaS businesses is to provide continuous value, so that the users are compelled to continue using the service.

There’s a risk of opportunism if the user can achieve his goals with one-time use; he then either uses the free trial version, or only subscribes for one month.

For example, some SEO tools enable data download, so why should I stick around after downloading the data?

This is especially pertinent if my decision making cycle is not frequent, so I don’t really need monthly data.

Potential ways to counter this effect:

  1. develop automatic insights that continuously tell the user something they didn’t know, without him having to log into a system
  2. include different tiers for one-time users (e.g., one-time report feature with the cost of xxxx USD)
  3. understand the decision making cycles of different users, and make sure your business model is adapted to them
  4. put previously free features behind a subscription plan
  5. raise the monthly price to increase CLV even for those users that drop after a month

The latter I’ve seen applied by many startups, e.g. SurveyMonkey that raised its prices substantially. At the same time, though, they lost me as a customer – that’s the risk, and it can only work if they have more high-value customers not to care about my business.

Number four was applied by Trello that decreased the number of PowerUps to one – essentially forcing you to pay if you want to use any of them (because “Calendar” is already a PowerUp). Often, the application of these upselling tactics takes place after the startup has been sold or there are new investors that wish to capture a larger share of value produced by the service. Obviously, this comes at the cost of free users who previously had a great deal (=large share of value provided by the startup), now reduced to “good” or “decent” deal depending on their tolerance level.

Identifying opportunities that Google and Facebook can’t handle

It’s almost impossible to beat Facebook’s or Google’s algorithms in ad optimization, because they have access to individual-level data whereas the advertiser only gets aggregates, and even their supply is limited. But, there are two opportunities I see which Google and Facebook don’t handle:

1. Use of CRM data

Especially purchase history (=lifetime value), product margins (=profitability), and other customer information that can be used for user modelling or machine learning as features. But, don’t use Google Analytics for linking this data to website analytics — Google Analytics sucks, because Google keeps individual-level information (=click-stream data) for itself and only shares, again, aggregates. Use Piwik instead.

2. Use of cross-platform data

Google doesn’t have access to Facebook’s data or vice versa, but the advertiser has. Thus, you can create more comprehensive optimization models for bidding and budgeting.

Grassblade model of startup acquisition

Grassblade model of startup acquisition = an incumbent is waiting until an upstart rival exceeds a KPI threshold x (e.g., 1 million users).

Observations:

  1. ‘x’ needs to be defined so that it is big enough to prove the momentum, yet small enough to give a decent valuation — let the startup grow long enough, it can become a serious competitor
  2. the process involves challenges for defining industry-specific KPIs to pick the winners (need to think what are the strategic assets).
  3. there is an assimilation cost to consider — in “soft” things like organizational cultures, committing the key people, aligning the infrastructure, and ensuring continuity of user experience.

Determining the point of acquisition is important since some startups are too early to be potential targets while others are too advanced to accept deals.

The pioneer’s curse

The pioneer’s curse = a pioneer misses business opportunities because they imagine that “it has already been done”.

Solutions to this:

1. perfect timing is impossible: give up waiting for it

2. no problem is solved until your competitor is a so-called household brand (and even then it is not impossible to disrupt, as Facebook => MySpace and Google => Yahoo show)

The one riding the wave makes the best returns, and you can still get on the wave a little later. For example, Bitcoin is an “old thing”, but if you had started investing in it only at the beginning of this year, you would have clearly beaten all the index funds in the world.

Idea: A showroom for online stores

= collect the products of online stores into a physical space.

“The role of the store is now seen as an ‘entertainment hub’, and it will have an important role as a creator of customer experience – not so much as a place to shop.”

It is possible to build a department store where products can be tried and looked at, but they are ordered online. This way no local stock is needed. The challenge is that the customer may want to take the product with them right away.

Managing business development of an ad platform

Here’s a great example of a business development program of an ad platform:

Google provides similar service through its AdWords Partner program. Facebook and Google are offering the free 1-on-1 help for one simple reason:

It improves the quality of ads.

Because of this, two positive effects take place:

a) the users are happier. As two-sided markets, FB and Google need to constantly monitor and improve the experience for both sides, users and advertisers. Particularly, they need to curb the potential negative indirect network effect resulting from bad ads.

b) the results are better. Most of FB’s +2M advertisers are small businesses and lack expertise – with expert guidance, they will use the functionalities of the ad platform better and will see better results. This prompts an increased investment in the ads, which increases the platform’s revenues.

Thus, this program is an example of a win-win-win business development program of a platform. The users are shown better ads, the advertiser gets better results and the platform increases its revenue. Given that FB and Google conduct some “lead scoring” to choose the advertisers with the most growth potential, the ROI of these efforts is almost certainly positive.

Conclusion

With these programs, FB and Google are once again beating the traditional media industry that has very weak support in managing online advertising. Basically, no interest in the client after getting the money. To do better in competition, traditional publishers need to help their clients optimize and increase the quality of their ads, as well as improve their core technology to close the gap between them and FB and Google.

How to reach B2B audiences online? That’s the question.

Introduction

It *is* indeed the question – most often the focus of B2B digital marketing is on lead generation and marketing automation. Much less has been written about targeting.

Yet, B2B targeting is far from having been solved. The typical conversation between decision makers and agencies goes something like this.

Client: “All this online advertising is great – but I don’t want to reach regular people on Facebook. How can I reach managers who are interested in buying my products?”

So far the agency’s answer has been something like: “Well Sir, even the managers are using Facebook!”

Which, although true, remains as a quite shallow answer to a serious concern. Especially because the chance of finding the managers is in proportion to their prevalence in the general Facebook audience – that is, very tiny. Unless we solve the problem of targeting.

Solving the B2B targeting problem

Now, I’ve been interested in this question for a while. So far, I can see four tactics for reaching B2B audiences with digital marketing:

  1. Keyword targeting
  2. Manual display placements
  3. Advanced targeting criteria
  4. Audience looping process

Let’s explore each of these.

First, obviously we can opt for intent-based search marketing. When there is search volume, search advertising tends to outperform other digital marketing channels in terms of cost-efficiency. That’s because people are actively seeking for the products and services that show in the ads. However, the problem is that the industrial search volumes tend to be small in many verticals, leaving the impact on revenue very minimal. As such, the B2B marketer needs to look elsewhere to increase the number of leads.

Second, to get extra traffic we can go and buy media from known business press (e.g., Forbes, Wall Street Journal; you get the picture). The downsides of this approach are at least three:

a) CPM prices are often high in these venues, resulting typically in poor ROI – this is partly because the way ad space is priced relies on archaic methods, such as selling impressions, instead of modern approaches like click auctions

b) display advertising generally suffers from multiple problems, including banner blindness, ad clutter, and ad blockers. If you haven’t noticed, people don’t really like banner ads, or at least they seem to like them a lot less than text ads and Facebook Ads which are often better targeted and less intrusive

c) uncertainty – how can we know that the people of our industry are reading this publication? There may be other publications that they read, but those might not always be available to display advertisers.

Third, we can use various targeting parameters available in online platforms. For example, in Facebook and GDN you can find people by income level (e.g., top 10% of income earners) and net worth. However, here we assume that more rich people have better jobs, which is true in statistical sense but does not narrow the audience down enough to reach the B2B decision makers in our industry. Thus, it is better if we can get into direct targeting criteria, such as job position and company. And, we can.

For example, here is Facebook targeting for people who work for Kone, the Finnish elevator company.

Figure 1 Targeting company employees on Facebook

In a similar vein, we can target a) industries and b) job titles on Facebook. Below are examples of both.

A. The current industries on Facebook Ads

  • Work > Industries > Management
  • Work > Industries > Administrative
  • Work > Industries > Sales
  • Work > Industries > Production
  • Work > Industries > Personal Care
  • Work > Industries > Education and Library
  • Work > Industries > Arts, Entertainment, Sports and Media
  • Work > Industries > Healthcare and Medical
  • Work > Industries > Transportation and Moving

B. Job Titles with search query ‘manager’:

  • Manager
  • Manager Employers
  • Talent manager
  • Manager (baseball)
  • Manager (association football)
  • Hotel manager
  • Sales Manager
  • Business Manager
  • Branch Manager
  • Relationship Manager
  • Marketing Manager
  • Finance Manager
  • Store Manager

For example, we could target people who work for ‘Kone’ and are ‘managers’. While this might work for corporations, targeting smaller companies is not possible because they are missing from Facebook’s database. We could also try and find the physical addresses of the corporations, and use geo-targeting to reach them – although without IP targeting (not available e.g. in Google and FB but can be purchased with big money elsewhere) it’s a shotgun approach, unless the company is located in the middle of nowhere. Overall, the problems of using targeting criteria include validation, sparsity and availability. I discuss these in the following.

a) validation – the accuracy of this data is not guaranteed, and we have no way of knowing that the ad platforms correctly classify people. For example, I’ve seen people who most certainly don’t work for Facebook write Facebook as their employer.

b) sparsity – secondly, not that many people declare their workplace in Facebook, so the data is sparse and we don’t end up making a great number of qualified matches.

c) availability – all data is not available in all locations – e.g., Finland is missing the income level targeting.

Therein comes LinkedIn. As you can see from the following figure, LinkedIn provides several different targeting options that make it the most potential B2B marketing platform in the world.

Figure 2 LinkedIn targeting options

For example, we are likely to reach the proper Kone employees in different sub-companies, as visible from the following figure.

Figure 3 Company targeting on LinkedIn

While people may be careless about providing the correct job information on Facebook, on LinkedIn it is very rare that people would fake their job positions. Such behavior is easily captured and reported.

The downsides of LinkedIn are that a) the ad platform is less developed than those of Google and Facebook. If you’d like to rank them, ‘Google > Facebook > LinkedIn’ is the order from best to worst in terms of functionalities, although LinkedIn is rapidly catching up. Additionally, b) the prices are considerably higher on LinkedIn than on Facebook or Google.

In the attempt to combine some of the good parts of each technique, I’ve created a simple process whereby we obtain leads through effective LinkedIn advertising and build segmented audiences for retargeting. This process is illustrated in the following figure.

Figure 4 Audience looping process

In particular, the idea is to create special landing pages that have a unique pixel configuration that corresponds to that audience — for example, you can have “Managers from Mid-West US” who are targeted to a specific landing page that has unique Google and Facebook pixels with the proper description installed.

Managers from Mid-West -> Landing page A <–> Pixel A

Managers from upstate NY -> Landing page B <–> Pixel B

This way, you can segment your B2B audience further, and in retargeting through GDN, Facebook and potential other networks such as AdRoll, address them with highly tailored communication. In a similar vein, you want to cross-target to visitors you reach from those channels also on LinkedIn – see the figure.

Figure 5 Cross-retargeting

If you already have an email database (CRM, newsletter lists), you should obviously use that to build custom audiences, and then use lookalike audiences to maximize reach (called ‘Audience expansion’ on LinkedIn).

Since all the platforms provide the same metrics (CPC, clicks, conversions), the allocation of your budget can be elastically applied to where it provides the best return. This is aligned with optimization best practices. To identify the proper companies and job roles, you can do investigative lead research work by using tools such as Leadfeeder, LinkedIn Sales Navigator, Ghostery, and Vainu.io.

Conclusion

There are many targeting options for B2B digital marketing. For example,

  • income
  • net worth
  • IP address
  • industry
  • company
  • job title

Each has some strengths and weaknesses. Ideally, the B2B digital marketing process captures the best parts of each platform. Because we use LinkedIn, we can be sure that the seed audience is of high quality and accuracy. Then, we use the other platform’s superior reach and cheaper prices to re-address this audience with what I call ‘continued information’ (=not the same we told them already, but something more). We can also use GDN to narrow down the placement, thereby including only specific venues in retargeting.

Targeting or discovery?

Finally, I wanted to discuss an important matter. That is, some proponents of digital marketing suggest to forsake the notion of targeting altogether and focus on ‘inbound marketing’. The theory goes so that being present in social media venues where the industry folks participate, e.g. by answering their questions, one can build a reputation of opinion leader and therefore gain organic leads. Moreover, the inbound tactics entail the publication of free knowledge resources, such as ebooks, webinars and blog posts, all intended to attract organic traffic from social media and search engines to the company’s website. I’ve previously described inbound marketing as a paradigm that defines people as rational agents actively engaged in information retrieval activities, a view which contrasts seeing them as passive “targets” of advertising. Depending on which paradigm you subscribe to as a marketer, you might want to either maximize your targeting or your discoverability.

To many, it makes sense to view people as active information seekers. However, on the flip side I’ve observed inbound marketing is often an uncertain and time-consuming process. In addition, companies engaged in it struggle to measure their efforts effectively and actually deliver a credible ROI figure for inbound. Finally, the capabilities needed for that correspond to those needed for running a magazine publication, i.e. are not readily available in most organizations. The content game is fiercely competitive, and when you normalize the cost, e.g. CPM prices can be higher than for advertising. Or, the reach is very low, meaning that you really don’t get the impact you’re after. In my opinion, it makes no sense to forsake advertising – advertising should be the primary element in the marketing mix, and should you want to try out inbound marketing, its results should be transformed to commensurable metrics that enable comparison between advertising and inbound marketing.

Please share if you have further ideas!

Further reading

Using Facebook Ads for B2B Targeting: http://www.practicalecommerce.com/Using-Facebook-Ads-for-B2B-Targeting

Google AdWords for B2B Organizations: 8 Questions Leadership Should Ask: https://komarketing.com/blog/google-adwords-for-b2b-organizations/

15 Audiences You Should Be Targeting with B2B Facebook Ads: https://komarketing.com/blog/15-audiences-you-should-be-targeting-with-b2b-facebook-ads/