Category: Web Development

My website has been hacked! How do I fix it?

No matter which platform you’re using, and what anybody may tell you, any website can be hacked! Hacking essentially means someone has gained unauthorised access to your website server. However, people often use the word to mean any situation where your website has been inappropriately interfered with.

WordPress is the world’s most popular CMS platform with approximately 28% of all websites built using it. Purely as a result of the sheer volume of WordPress websites out there, it’s the most hacked CMS. That’s one of many reasons why it’s so important to learn to keep your site secure and prevent it being hacked.

Suppose we find ourselves in a worst-case scenario and someone has gained access to your WordPress website. What now?

Do not worry! All’s not lost, it’s not the time to shut up shop and go and live in a cave. You will be able to bounce back. Every day, hundreds of sites face the same dilemma, and most are able to get back to their original glory. All you need to do is follow the below steps:

Step 1: Take a deep breath & relax

Having your WordPress website hacked isn’t the end of the world. You won’t be the first and certainly, you won’t be the last. Being stressed or angry will do you no good and it takes your concentration and efforts away from recovering your website.

Step 2: Scan your local machine

Update all antivirus and malware tools you have, then do a complete system scan to see if your machine is compromised. This will eliminate your machine as a possible cause of the hack.

Step 3: Have you actually been hacked?

Go through this quick list of questions.

  • Are you able to log in to your WordPress Admin Panel (
  • Is your website displaying something other than you would expect (Images, Content)
  • Is your website redirecting you to any other website?
  • Does your WordPress website contain any illegal material usually something will be displayed on the homepage?
  • Has Google already marked your website as insecure?

Record your answers to each question and make sure that you’ve noted everything for the next step below.

Step 4: Contact your hosting company

Most hosting companies are very helpful in times like this. They have faced these issues before so should well be equipped to help you. If your website is hosted on a shared server, your hosting provider should be able to provide you with answers like how the hack was started and how it spread. Also, there’s a good chance they can tell you where the backdoor to your website is, from where the hackers found their way in.

Step 5: Change all your passwords and usernames

Log in to your hosting account. While you’re in there, change all of your backend passwords (Cpanel, Email, FTP /MySQL) and the usernames and passwords for everyone who has access to your site. Make sure to delete any you no longer need.

Step 6: Restore the website to a previous version

In an ideal world, you’ve recently backed up your site a few days before and can quickly walk through a simple restoration. An important point to remember when you restore an old backup of your site, your entire website will revert back to that version. Any content that you published, images you added to a gallery or general changes you made to the website will be lost. However, that’s a small sacrifice to pay to gain a clean website and your business back on track. After you successfully restore the old version of your website, remember that it’s still vulnerable to attack!

Step 7: Time to update everything

Make sure you are using the latest version of PHP, WordPress, and all plugins and themes are up-to- date. Plugin and theme developers release updates for two main reasons – to improve functionality and to patch security flaws. You should always keep your themes and plugins up-to-date. Even if a plugin or theme is deactivated, it’s files could still allow someone to gain access to your site. Get rid of anything you don’t use. Be sure to take the appropriate steps to upgrade your theme safely so you don’t lose your customisations.

Step 8: Back up the site

At this point, you should now have a clean website again. Although you may have lost some content depending on when you last updated, it’s a small price to pay to know you have a clean site. Plugins like Backup Buddy or Updraft Plus can be great for this and a cool feature of the pro versions is that it can schedule backups automatically or as often as you want. Make sure you have a copy of the backup stored off-line in case this happens again.

Step 9: Change your passwords again

Yes, you changed the passwords at the start. Now do it again! Just to be safe. You need to update your WordPress password, Cpanel / Email / FTP / MySQL passwords, make sure it’s completely different to your old one and has a mix of letters, numbers, and characters for example. W£B51T£_P455W0RD is much harder to guess than if you used WEBSITE_PASSWORD.

Step 10: Install security software on your site:

There are some great WordPress security tools out there like Scurri and Wordfence. These can help you massively in avoiding being hacked again.

A redirect has been placed on my website – what should I do?

If your website has been hacked there is a good chance that attackers have inserted malicious code that redirects your website to another website to grab traffic, that’s just adding insult to injury – and can really damage your website reputation.

If your site is redirecting visitors to phishing or a malware site, you will possibly get blacklisted by Google! Google isn’t going to take any chances with its reputation, if your webpage(s) smell even the slightest bit fishy, it’s going blacklist you.

In most of the cases, malicious redirects are made by hacking the .htaccess file. Also, after cleaning up the .htaccess file the malicious code is being added back to the file within 30 minutes. This is being done with “backdoor(s)” the hackers have placed on the website files.

Here is a step-by-step guide on how to discover and remove these malicious redirects:

1. Detect the symptoms:

  • Your site has a malware warning screen
  • Your site turns to blank page
  • Your site gets redirected to some domain that is not your site
  • Your site can’t be accessed from Google search
  • Your site redirects you back to Google
  • Your .htaccess file is infected
  • Your .htaccess file keeps getting infected no matter if you edit it back. What these means is that someone hacked your site and modified your .htaccess file to redirect users coming from Google to a malware-infested site. Because of that, you end up blacklisted and losing users that can’t reach your site.

2. Detect the malware type

If you have the symptoms described above in most cases, it’s Blackmuscats or Conditional redirects malware. To confirm what malware infected your site, check the .htaccess files under the document root and perform a malware scan on the website files.

3. How to detect the malicious file?

It’s a good idea to check your website access logs. Check every folder for suspicious files and scan website files using a malware scanner.

How to fix it?

Fixing this redirection is very simple, you just need to delete these entries from your .htaccess file (you can have more than one, so check all your directories) and you are set. However, you still have to verify that you don’t have anything else hidden in there, so do a full scan of your website to make sure you are clean.

In addition to that, you still need to fix the problem that allowed you to get hacked. Most of the time it means updating your web application (WordPress, Joomla, etc), changing your passwords and cleaning your desktop.

Keeping Your Site Secure

In order to keep your site, secure you need to follow theses guidelines:

  • Have your WordPress site core files been updated?
  • Have your themes and plugins been updated?
  • Use a Safe Secure WordPress Hosting Service, if possible choose one which can Manage your WordPress Site instead of just Hosting it.
  • Remove any inactive themes or plugins you don’t plan to use on your site.
  • Review your WordPress plugins and themes and check all of them are recently updated by its developers, if not you should seek alternatives and remove them from your WordPress Site.
  • Never install nulled themes or plugins.
  • Keep one or two admin accounts, downgrade the rest of your admin users to an author/editor.
  • Remove all dev/demo setups of your WordPress installation outside your public directory.


Major hacks in 2017

2017 was a crazy year for critical infrastructure attacks, insecure databases, hacks, breaches, and leaks of unprecedented scale impacted institutions around the world—along with the billions of people who trust them with their data.


The WannaCry malware that infiltrated the UK’s National Health Service essentially locked down the entire NHS network, preventing workers from accessing their computers and delaying vital medical procedures. Fortunately, a flaw in its mechanism allowed experts to create a kill switch. One of the reasons for the hack was that NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software. You can read more here.

This one of the key examples why keeping your systems up-to-date. The more out of date they become, the more vulnerable you are to attack.


Taxi start-up Uber disclosed that it was subject to a massive data hack in 2016. Two individuals hacked the user data stored on a third-party cloud service. They managed to access the information of 50m Uber riders as well as 7m drivers across the world. The company attempted to cover it up by offering the hackers $100,000 not to release the information.

The start-up is currently being sued for negligence in a complaint representing the Uber drivers and customers in the US whose data was implicated. The company is currently doing damage control across the world as regulators launch investigations into what went wrong.

AS GDPR comes into effect in May 2018 if we look at Uber’s finances with a turnover of $6.5 Billion, the potential full fine could have been $ $1,300,000,000 – 20% of its annual revenue.

Final Thoughts

Security is one of the most important aspects of running a website. Not fixing a hacked website as soon as possible can cause a major disruption for you and your visitors and can put everyone who visits your site at risk. Knowing the warning signs, however, will help you catch the hack early and fix it as soon as possible.

Getting your website hacked is one of the worst things that can happen to your business in the modern online world. The age of file cabinets and paper documents is long gone, and now virtually all-important information is being shared and even stored online. However, it’s not the end of the world and can be fixed fairly easily and quickly using the steps above. WordPress is a great platform to use and it doesn’t look like it’s going away anytime soon, so you should definitely know how to protect it and what to do if the unthinkable happens.


Next steps:

If you need some more advice on how to protect your website from hacking, contact us today to arrange a call.

If you would like to work at CandidSky and develop your career prospects, take a look at our Careers website for available roles and find out what is like to work here.

And finally, take a look at our other blog posts to see what else we have been up to.


Choosing the right website solution for you

Never rush your website solution.

Before you commit to a particular framework or content management system (CMS), always make sure you ask yourself the following questions:

  • Will a WordPress website offer sufficient security?
  • What levels of support are included in a bespoke framework build?
  • Can I manage all aspects of the site without a website development team constantly on hand?

This leaves us with one fundamental thing to consider, the big question behind all of these thoughts…

Which platform is the best fit for my website needs and how should I utilise it?

Used by over a quarter of all websites, WordPress is the first choice for a lot of businesses out there. It certainly allows for an attractive turnaround time, access to thousands of plugins, large pool of developers that can work with the code base and no licensing costs (thank you, open-source). Consult reliable designers near you, as they will help you tailor the entire solution to fit your communication goals, brand guidelines and target audience.

However, we shouldn’t overlook the constant inflow of hacked sites running WordPress. Sucuri’s 2016 report states that “over 78% of all websites the security company has worked with used WordPress.” This leads us to the conclusion that other platforms are more secure. However there is more at play in these numbers. Sucuri also say that “in all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core.”

Let’s take a look at a few other options.

A number of the websites we have built at CandidSky utilise our in-house framework, Ebb.

With Ebb, there is no plugin directory and only a small group of developers are skilled in using every aspect. There is also an absence of malicious code that targets the framework and no vulnerable core or extensible components. Expert knowledge of 100% of the code base, in-house, offers a higher level of security, support and updates.

Numbers of Drupal vulnerabilities and affected websites is quite low, however only around 2% of websites use Drupal, and the ecosystem is similar to that of WordPress, although it requires more advanced knowledge to use than its alternatives. Sucuri reports that “81% of infected Drupal sites were outdated”, which is definitely an important metric.

It goes to show how critical website maintenance is, and that focus should lie not just in the development of a site but also its post-launch life.

More functions = more support

Some businesses require functionality that goes far beyond managing content, or the buying and selling process needed for online shop.

Another viable solution for more complex uses is Umbraco, an open source CMS which uses Microsoft’s .NET software framework. Umbraco runs on MS Windows, as opposed to more commonly used Linux solutions. It is regarded as a more secure option when compared to WordPress and Drupal, largely due to the relatively closed environment. However, this does not mean that vulnerabilities are sparse.

Human error

One of the key takeaways from our many years of experience in offering digital services, backed by many other reputable sources and research, is that the number one reason for the majority of security breaches does not lie in the code base, but rather in humans.

Our tendency to use memorable (weak) passwords, overlooking the importance of developers looking after your site once it’s launched, plus a lack of time and money dedicated to regular updates, all contribute to issues further down the line.

WordPress is a fantastic choice for anything from a one-person business site, to e-commence shops and sophisticated multi-site solutions. “Who” builds the solution and “how” that solution is maintained is the most important decision to make. Our team are experts in making the most of a platform, creating beautiful themes and secure, functional features that help businesses to flourish online.

But we also recognise the shortcomings of WordPress and fill the needs of more advanced projects with our in-house framework, ebb, which allows for a custom solution that is secure, scalable and well supported. In order to minimise the human error and prevent security breaches, we advise you to invest in regular maintenance, ensuring that professionals are there to run checks, apply updates and ensure that the administrators and users are kept secure.

Final thought

Combined with an effective SEO & content strategy, the online world is your oyster. We would love to speak to you about your website needs and offer our advice, feel free to drop us a message if you still have any questions regarding which solution is best for your business, or pop in for a coffee and a chat about all things digital.

Web Development Best Practice: Site Speed

Getting your website to its optimal load speed and maintaining it is crucial to maximising profit.

A recent Wall Street Journal study announced that sales at Amazon increase by 1% for every 100ms they shave off page load time. In this blog we share 5 development tips you can apply to speed up your website and improve page load time.

1. Get the right server

You can do everything to improve the speed of your website, but if your hosting isn’t up to scratch, your hard work will go to waste. People sometimes pick their server package based on price, the cheapest package is not always the best value decision. Choose your package based on the amount of traffic your site is likely to serve otherwise you may lose out on a lot of revenue when your site can’t cope with the traffic levels.

Another consideration is the server location. The closer the location of the server to your customers, the faster your site will be. This is down to latency; your customers have to make a connection to your server, if the majority of your customers are UK based and connect to a data centre in the US the interval between the response connection is far greater than to another UK based server.


2. Make sure to load webfonts asynchronously

Have you ever visited a page (especially on your phone) and it appears to have loaded slightly? You scroll but there’s no content. What feels like an eternity later (if you haven’t given up) the text appears. It’s because webfonts are blocking the content from showing.

Webfonts can be a huge burden on page load speed.

To avoid this you can load fonts asynchronously. This, in most instances, will have a big impact on site speed. Be aware, this can result in  a ‘flash’ effect as the fallback font loads before the page fetches the defined font. Usually, with a little work, this can be prevented.

By loading fonts in this way, your users will not be left twiddling their thumbs waiting for your content to appear.

3. Carefully consider your tracking scripts

While tracking is very important there is a balance to strike. It’s crucial to be able to understand what your customers are doing on your website but badly executed scripts can be incredibly detrimental to site speed. A lot of tracking scripts are Javascript heavy which can impact site performance on less powerful devices. Many tracking scripts do take speed and performance seriously, by properly researching before implementation you should be able to find a suitable solution that does not make your site lag.

4. HTTP/2

A newer version of the HTTP protocol has recently been released (which will change web development best practice – more on this in the near future). The benefits of adopting a HTTP/2 enabled server right now are relatively small but this will change over time and become very beneficial in the long term. HTTP/2 can load more assets without the restrictions of HTTP/1.1 protocol which can only load a set amount of assets at any one time. Note: All recent browsers require an SSL certificate to use HTTP/2.

5. Enable browser caching and gzip (or brotli)

Enabling caching has two main benefits; quicker page loads and less burden on your server. Enabling browser caching will greatly improve user experience for returning visitors; users download assets on their first visit to the site so do not need to download them again on (most) future visits.

Enabling gzip/brotli ensures the smallest possible file is sent to the user so assets reach them in the quickest time possible. A no brainer really.


Final thought

By getting these fundamentals right you form strong foundations for your site. These tips can be implemented quickly, and will not have a huge impact on your/your developers work flow. However, they will have a noticeable impact on your site speed and user experience which, as we’ve seen with Amazon, can be great for improving conversions.

7 tips for dealing with an inherited codebase

What can you do if you’re faced with a codebase like spaghetti junction?

If comments are thin on the ground or the versioning system consists solely of files and folders labelled .old?

Taking on clients with existing websites is something we do regularly at CandidSky – whether they need a design makeover, additional website development, or if they’re in need of some SEO it’s usually quite a straightforward task getting to work on making the improvements. Every now and then however – us devs aren’t entirely prepared for what we encounter.

These pointers will give you a bit of help in getting to grips with inheriting a new codebase – whether you should make-do with what you’ve got, refactor, or take the plunge and go for a complete rewrite.

1. Have a thorough investigation period

It’s important when you first get to view the codebase to take your time to size it up. Ask yourself a few questions while going through the code:

  • Is it well commented?
  • Is it well structured?
  • How legible is the code?
  • Does it make sense?

The quality of the code that you’re going to be making changes to will have a direct relationship on how long it will take to complete new tasks once you start developing.

Going through bad, undocumented code can be very time consuming so it’s important that you give yourself enough time when estimating a job. Code that has little or no comments can be pretty treacherous to navigate and a good amount of time can be spent just making your own.

During this time try to document what you’re finding out as much as possible – there’s nothing worse than having to cover old ground because you haven’t taken notes.

Hopefully after spending a few hours with the code you can get a good feel for how long you think further development will take.


2. Set reasonable development targets

When setting development goals, it’s essential to focus on the biggest or most pressing issues first. If you feel that the codebase is particularly bad or there are inherent problems with it, it might be an idea to remove any enhancements or nice-to-haves from the development list entirely so that you can focus on getting the project to at least a stable condition.

If the codebase has no pressing issues, setting one or two smaller goals as proof-of-concept targets can be a great way to start. Give yourself plenty of time on these, using the occasion to improve your knowledge of how the system works and to make as many notes and comments as possible to help out with future tasks. Once these have been completed – you can use this development sprint as a yardstick for estimating the other jobs.

If, in your proof-of-concept sprint you start to come up against real barriers that mean even the simplest of tasks are taking too long or are even impossible – you’ll have to start asking yourself if the entire codebase needs to be reviewed or revised before any of changes can be attempted. At this point you might be a candidate for our ‘should we start again’ section below, but keep reading on in the meantime just to make sure.

3. Don’t be afraid to tell the client

If the codebase is going to cause you problems, don’t be afraid to tell the client. Telling the client early on in the project, although isn’t the best of news for them – puts them into the mindset that delays might be inevitable.

4. Have a plan and stick to it

You should now have a list of changes that the client is expecting and in order to maximise your efficiency in completing these tasks and to help to avoid some of the pitfalls associated with bad code – it’s usually wise to not try to do everything at once. Take on tasks one at a time – if you’re going to be flummoxed by the codebase – it’s best to be confused in one place at a time. Baby steps is the name of the game.

It’s often tempting when going through a codebase to make quick fixes and changes to bits of messy code as and when you see them. As enticing as this is, you can’t always be 100% sure that your changes won’t affect something else down the line and if the part you’re working on isn’t related to that area, it can take some considerable time before any problems that you might have caused start to manifest themselves.

The same rule applies for areas of code that you assume can’t possibly be needed so you can remove them without worry – DON’T! Not unless you’re absolutely certain it’s not in use. Your code editor or IDE’s search function can be pretty invaluable in this situation but not completely fool-proof – there may be variable variables at play, calling classes from strings or other such techniques that will often slip under the radar of ctrl-f.


5. Version control it

If the project is lacking a form of version control you really need to implement it straight away. Using version control allows you to keep track of changes (especially if you’re cavalier and decide against my no quick fixes rule!), it also allows several people to work on the code at once but stops things that can be already complicated getting way out of hand.

Versioning also lets you easily set up code reviews with fellow developers so that you can get several pairs of eyes on the codebase. This can help eliminate any potential bugs – they might notice something you haven’t or can shed light on a section you just can’t seem to fathom.

Ultimately, with version control, if the worst comes to the worst and one of your changes does break something you can always roll-back the commit, work out exactly what caused things to wrong and start again.

6. Test test test

A no-brainer really, of course you’ll be testing – but because of the sheer amount of unknowns that you can come across with someone else’s code you’ll need to ensure you test everything and test it thoroughly.

It’s a good idea to set up a parallel testing environment with the live site that is kept as up to date as possible. As you’ll be quite new to the site and won’t know all of its layouts and functionality at first glance of the pages – it will allow you to compare the two sites side by side to ensure that nothing strange is now happening and that the site is still fully functional.

7. Should we start again?

Although it might seem contradictory to start the project from scratch – it can sometimes be the best option – especially when there is to be continued development for the foreseeable future on the project. It’s a good idea to weigh up the time you think it will take for the rebuild vs. the amount of time, stress and potential problems that can occur trying to keep up a bad codebase. Use your judgement – with what you’ve got, can you manage what the client is expecting without compromising on the quality of work?

While it can seem like a simple decision to rebuild – convincing the client may be a pretty tough battle – especially if to all intents and purposes they have a working site. It’s usually good to explain how much quicker continued development will be, and the improved maintainability and stability of the site.

Remember to create a mirror of the original site when starting from scratch so that you and the client have an exact copy of the old site with which to compare the new. Its quite a predicament trying explain that something was already broken when you have no way to prove it.

Use it as a positive – learn from the code

Viewing other people’s code is a huge part of learning and keeping up your skills in programming. If you’ve inherited code, try to learn it inside out – you might see an interesting new technique, or a way of doing something you’d never thought of before, even if it is one of the nastier examples of codebase.

You can always strive to make your own code better; that bit more legible, variable names more descriptive or comments more informative.

Nobody sets out to write bad code, be patient, look for the gems and keep methodically working through the project to make it the best it can be.


Google Brotli: The benefits of switching to a HTTPS domain

Google recently announced plans to upgrade their Chrome browser with Brotli, a much faster compression algorithm.

But what impact does this have on the average website?

Brotli, which compresses data up to 26% faster than current algorithms, will only benefit domains with a HTTPS connection. So, has the time come for digital businesses to make the switch to HTTPS?

An introduction to HTTPS

HTTPS, or HTTP over SSL/TLS, presents the user with a more secure version of the web. HTTPS encrypts and decrypts web pages, making user data harder to access for hackers, generally ensuring the web is a safer place to be.

In addition to improved web security and speed, owning a HTTPS status provides a lightweight ranking preference for search engines. With that in mind, HTTPS migration may seem like the obvious choice for all website owners.

To recap, the benefits include:

  • A quicker website
  • Improved security
  • Increased trust from Google leading to improved rankings*

It’s important to remember however, migration isn’t without its limitations.


Migration Considerations

HTTPS migration means every URL on your site, i.e. every page, must be restructured, more specifically altering every HTTP to HTTPS.

For example, your page ‘’ would be stored in a new destination, ‘’.

Whilst this change may seem minor, without proper consideration problems will arise. When we migrate a site we always weigh up the benefits against the following implications:

1. Google will need to recrawl and reindex your entire domain

This may not be an issue if your site is only ten pages in size, but an e-commerce store with tens of thousands of pages will take some time to relocate their entire inventory over to the updated URL.

I recently wrote about website migration and anticipated timescales, check it out for more information. During any migration, you should also expect to observe a decrease in search engine rankings as Google decides which variant it should rank.

2. Site wide loss of inbound equity

Every link that points to your domain contributes to its ‘authority’, the development of which leads to increased trust from Google that your domain is respected. Part of the HTTP migration process is the redirection of expired URLs, http to live https.

It’s widely accepted that links travelling through a redirect lose around 10% of their equity, meaning a HTTPS migration could result in a reduction of existing inbound equity.

3. Short-term pain, long-term gain

Every site is expected to be HTTPS compliant in time, and this levels the playing field somewhat.

The decision is whether to adopt the new system early and begin developing authority to a new HTTPS domain now, or to wait it out capitalising on short-term gains but playing catch-up later.


HTTPS migration check list

Migrating to HTTPS can be a hefty project, and requires an experienced web development team to implement. In addition to the inclusion of the SSL (Secure Socket Layer), a complete migration includes:

  • 301 redirects for any expiring HTTP URLs to HTTPS
  • Updating external plugins to ensure they are HTTPS compliant
  • Update third-party Ad code to support HTTPS
  • Register HTTPS version in Webmaster Tools, ensuring correct preferences
  • Update Google Analytics to ensure the correct tracking

Is it time to switch to HTTPS?

The loss of organic visibility in the short-term is obviously something all businesses must assess to understand its full impact.

The long-term benefits of migration will complement all domains in the future; however, over a long enough timeline it’s hard to imagine why any website wouldn’t eventually make the switch to HTTPS.

Why the PHP7 release matters

In this blog I discuss why the PHP7 release is important to web professionals and web users.

“PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.”

The first week of December 2015 saw a release of the new version of PHP, PHP7. All of the sites our web development team builds at CandidSky are constructed using PHP, the language powers the majority of our back-end functionality. WordPress, one of the most popular open source web frameworks, and one we use frequently, is also written using PHP.


One of the most noticeable differences has been the boost in performance. PHP’s core has been revised and updated bringing it in line with current programming standards. The increase in performance is due to better usage of processing and memory thanks to the rewriting of the languages engine. This is crucial to most frameworks, such as WordPress, where a lot of functionality is dependent on a fast ‘engine’ to process data and ensure that a website is served to a user in the shortest time possible.

Internet speed has been steadily increasing over the past few years. It is important for a language to stay up to date with increased speed to ensure that it does not become the source of any bottlenecks when loading pages. Although smaller websites may not notice the same performance improvements as the larger builds, any project employing PHP as its core language will benefit from the improvements made to process and memory.


Consistency is king

Developers spend most of their time programming. I am yet to meet a developer who doesn’t enjoy programming purely for the process itself. It’s our job on one hand, but our passion on the other. Whether it’s thinking through logic on paper or a whiteboard, or coding on computers, the tools we use have a significant impact on our everyday lives.

One of the key improvements that will have a positive impact on developers is the increased consistency of PHP7. Better consistency means writing code becomes more intuitive. A useful comparison to understand this is Apple and what they have successfully achieved with their operating system iOS. It has been adopted by a tribe of loyal brand advocates because of it’s consistency, resulting in a more intuitive experience for the user. The iPhone seems familiar to users as soon as they pick one up and actions do not seem like a hassle to perform. Each new release does not mean another steep learning curve. If anything, it makes us feel like we’ve longed for a newly added feature that we couldn’t quite see we needed.

So, why does PHP7 release really matter?

Once a website is ported to the new release, which will mean some code rewriting and a lot of testing to make sure there is no unexpected issues, we’ll see a boost in performance for the user, and developers will receive the gift of an improved programming experience.  It’s a win-win situation!

We’re excited about web technologies and aim to be best at what we do. Our dev team has been busy in the last few months, learning about the new additions and recently attending the PHP North West conference, which had a heavy focus on the long-awaited release of PHP7.

As the year is coming to an end, we’re looking back at the highlights of 2015, the release of PHP7 is definitely up there as one of our favourites.

Above the fold: Influencing customer reactions

All of our lives we hear people saying it’s wrong to judge a book by the cover, yet when arriving on a website, many of us do exactly that. Our research indicates you have as little as two seconds to shape a customer’s opinion.

That’s why first impressions are vital and it can still be argued that above the fold content is essential real estate for a website. As customer behaviour and technology changes, however, we must question whether traditional usage of above the fold is still valid.

In this article we focus on the following areas:

  • Defining the fold
  • Whether the fold is still important
  • How we used the fold to improve results

What is above the Fold?

Above the fold is the area of a website visible to a person when they land on a website without them having to scroll. It is the first view customers will have on your site, maybe even your brand. The term comes from the Newspaper industry; Newspapers had a limited amount of space to convince readers to buy their paper. By displaying the most compelling headlines and images above the fold, they maximised their chance of securing a sale.

Above the fold in practice
CandidSky Optimise The Flavour Factory

The Flavour Factory are a luxury and established e-liquid brand that launched in 2013.

Having attracted a significant client base through organic search, The Flavour Factory understood they needed to make continuous improvements to their website to keep on top of ever-changing client demands and maximise profit from an increasingly competitive marketplace. The Flavour Factory approached us to help them achieve these objectives. Our conversion rate optimisation (CRO) team created the strategy. Our web design and development teams implemented the necessary changes to deliver, test and tweak the hypothesis. From our site audit and customer research, we identified important insights related to UX and conversion, specifically impacted by the above the fold information being presented.

The Problem:

  • The primary product, bundles, was located below the fold
  • There was no easy way for a potential customer to register interest without making a purchase
  • The navigation bar included low priority links that were not the primary focus of the purchase cycle

The Solution:

  • Relocate bundles above the fold and pump up the size of the image tile to give it prominence
  • Add a subscriptions tile to capture the data of potential customers not quite ready to commit to a purchase
  • Decrease the size of the product category image tiles pulling them above the fold
  • Relocated the login and basket icons to decrease clutter and reduce distraction
  • Replace FAQ and blog links in the navigation with higher priority links – bundles and subscriptions


Amazing Results:

  • Increased revenue by 91.02%
  • Increased click-through rate by 60.40%
  • Increased conversion rate from 4.07% to 5.70%.

Our Conclusion:

Small changes grounded in solid customer research and analysis of highly relevant data sets will result in noticeable improvements for your brand. Clearly, in this instance, the hierarchy of information on the page, in particular, what the above the fold content was, had a massive positive impact on The Flavour Factory.

Despite faster internet connections decreasing page loading times, and a massive uptake in mobile and tablet usage making scrolling more natural, the fold can still effect conversion and user experience.

Customers are in charge; they have more choice than ever before meaning you have to make it as easy as possible for them to complete your desired action. Customers have become impatient; they can and do leave websites if they do not find the information they want straight away. Customers do scroll, but they need a reason to do so and this reason needs to become apparent quickly.

As a strong advocate in the power of CRO, I am a firm believer in employing the principle of marginal gains. Constantly look at your website, think about each page and what you want it to achieve then trial various ways of achieving your goals. If it doesn’t work, try again. If it works, make it better!

I’ll be writing more on marginal gains in the coming weeks so stay tuned, and as ever I’d love to hear your opinion or answer any questions you may have. Find me on Twitter or LinkedIn.


5 WordPress Plugins We Cannot Live Without

In this series, we get a bit more technical. We would like to share a little insight into our world (a developers’ world), to showcase some of the tools and processes we use, and reveal how they help us solve some of our biggest problems.

WordPress is one of our favourite platforms. Plugins allow developers to focus energy on producing a fantastic result. Identifying what they are is important, knowing the reasons why is extremely valuable.

This post will outline 5 handpicked plugins we love and discuss the benefits that they bring.


During the web development cycle, we are faced with difficult decisions. Most tasks are completed quickly. However, the implementation is usually locked to the project at hand. Although it may seem counterintuitive, we believe that investing more resources into a solid, reusable solution enables us to improve continuously and focus our energy on a fantastic product.

Each WordPress plugin we use at CandidSky offers something unique. Plugins require a level of configuration, customisation and programming to ensure they compliment website development, without enforcing limits on what our team can achieve.

Below is a list of commonly used Plugins by the team:

  1. Yoast SEO
  2. Migrate DB Pro
  3. Jetpack
  4. Advanced Custom Fields
  5. W3 Total Cache

Strong collaborative efforts of our marketing & development teams mean that success is accomplished across all fronts. To ensure our clients benefit from the vast knowledge our team possess both building and marketing on the web, we ensure that each team can focus on their areas of expertise. Yoast SEO allows us to do just that.

Structured Data

Breadcrumbs are great for SEO, so we always like to include them in our builds. Breadcrumbs are best to use as structured data markup to give Google and other search engines a helping hand in understanding the site’s page hierarchy. This also gives the site’s pages more data in Google’s search result pages – showing the breadcrumb trail to the page:

Screenshot 2015-09-01 18.05.10

We have developed a custom script that we like to use with the built-in Yoast SEO internal linking, which enhances the overall breadcrumbs functionality. The purpose of our script is to output product categories across e-commerce builds. As you can see above, structured data markup allows Google search results to provide valuable information to the user, making a great first impression of the website. Another benefit is user experience – when navigating few layers deep through product categories, users can go up a level at any point. This compliments primary navigation very nicely!

As well as breadcrumbs, Yoast SEO is also effective when performing meta tags and page title changes. Our SEO team can perform tasks usually reserved for development requests. The perfect example of focusing a team’s area of expertise. Our clients benefit from this during marketing campaigns, and improvements are implemented without a bottleneck.


Having a list of compliances is a great way to remember routine tasks during each of our WordPress builds. The list is an outcome of many conversations between the dev team & marketing team. Understanding each of the items on the compliances list is vital to maximising the benefits and eliminating consequences of misunderstood development requests.

The openness of our office, friendly culture and shared passion for digital naturally sparks a conversation. Let’s not forget that verbal communication is essential to delivering high-quality websites, while ensuring SEO best practices. Yoast fills the gap as a great tool to implement these practices and outcomes of our conversations.

Migrate DB Pro

We employ a very useful import/export plugin. Aiding synchronisation of development environments, such as, staging environments and adding content to new sites in bulk. Content migration comes in handy when there are a lot of changes on a staging site – there is no need to copy manually or recreate content within the live environment!

Migrate DB Pro is great for syncing environments and has a useful connection feature that allows you to push and pull databases instead of timely exporting and importing of full database dumps. It opens a communication path between two endpoints.

If you do need a full export, there is a great ‘Find’ and ‘Replace’ option, enabling you to rewrite paths and to tailor the dump to the new environment.

Forms: Jetpack & Akismet

Online forms are one of the most important areas for clients, Typically,  this is where they expect the majority of questions and enquiries to happen. For many businesses, this is the first point of contact with a potential customer. Therefore, it is essential that easy and quick access to form entries are present and spam is filtered accordingly.

One characteristic we seek when using WordPress form plugins is configurability. Our clients rely on the online submissions and often collect leads and convert users into customers. Jetpack Forms plugin allows our team to focus on important aspects of development: consistency across multiple forms, styling, conditional fields and security to name a few. We let Jetpack handle form markup generation, admin pages and storing submissions.

Akismet is a spam filtering plugin that we use with Jetpack Form. It acts as a middleman for the submitted data.  Form submissions considered as malicious can be stopped before they reach our servers. Administrators can go through a queue of messages considered to be spam. If confirmed, Akismet will learn to stop such messages from being processed altogether. For these reasons, we consider Jetpack & Akismet as one “super-plugin”.

Advanced Custom Fields (ACF)

Many CMS platforms consider it their goal to provide users with a simple and effective way to create beautiful pages. WordPress has a built-in WYSIWYG editor and basic custom fields. We find that these alone do not meet our expectations.

Advanced Custom Fields is probably our favourite WordPress plugin. It’s comparable to the Bullet Bill power-up in Mario Kart. There’s a big leap at the start as a lot of work is automated and we can rely on it.

In hands of a good developer, there’s a countless number of creative ways to harvest ACF power. However, you need to consider scenarios when building admin functionality with ACF – creating hundreds of fields is an option, but complexity can be harmful.

One of our favourite uses of ACF is supporting administrators with the ability to create pages with flexibility and simplicity in mind. We usually override the default WYSIWYG editor, enabling us to create fields that allow authors to design pages rich in media, content and interactivity while offering great layout flexibility. We can use a text area that will output introductory text, add a lead generation form and then wrap up the page with a text snippet and a list of useful documents. Very hard to achieve with the WYSIWYG editor alone.

We have noticed that a lot of our WordPress builds include data that is repeated across the site. Creating a dedicated admin page for site-wide content allows us to handle site-wide data all in one place. Clients appreciate easy and simple access to information such as address, email, phone number or footer menus. Ability to edit this information quickly and without repetition is very important.

Performance & optimisation with W3 Total Cache

One of the plugins we use across most projects adds a layer to our performance optimisation process. W3 Total Cache further decreases the load times, crucial to good user experience. It also allows assets to be cached, reducing the bandwidth required to load a website.


Fast internet access allows users to navigate between many websites quickly. If one of the sites takes a while longer to load, a user can become frustrated. Our team ensures that any bottlenecks are dealt with prior to launching a website. We do this by running many tools and optimising our code and libraries.

Firstly, we ensure that any unused code is removed completely from the final product. Including libraries that were part of WordPress, or other frameworks, by default. There are two major benefits to this. Less data is transferred from server to the user, meaning that less bandwidth is used. Important to users with limited bandwidths, considering that a large chunk of them use mobile devices to browse websites. Secondly, is reduced load time, making the site more performant and improving the user experience.

Websites consist of media and text. In most cases, media requires optimisation to slice out the overhead. We have a good knowledge of the performance benefits and drawbacks to ensure the right format is used in the right context.

W3 Total Cache helps us by skipping an extra step when users request a web page. Pages are cached and served as static content, meaning that database is accessed less frequently, and only with cached queries. This extra layer has a noticeable performance boost, especially across rather static builds. E-commerce sites require careful configuration. However, we’ve experimented with multiple ways of dealing with the dynamic content (products) and are satisfied with our results. We can utilise the power of W3 Total Cache and serve newly added content well.

To summarise, collaboration, simplicity and reusability stand as pillars of our development cycle. We love creating websites that offer great user experience, performance and SEO benefits to all of our clients.

OK, Great! Now that you know about some of the plugins we use, would you like to hear about HOW we build websites?

The next post in this series will tell you just that. Enter your email address here and we’ll let you know when the next blog entry is released. Your email address will never be used for spam or passed on to any 3rd party.

How Website Speed Optimisation Impacts Marketing Performance

80s style loading illustration

As the digital marketing space becomes increasingly competitive, everyone is looking for techniques that could give them the edge. There is one aspect of digital marketing that is often overlooked, website speed. In this blog, I explore some of the reasons for the common oversight, and the impact that this can have on both user experience, search engine rankings and ultimately, revenue.

A Brief History

When the internet was first gaining popularity in the late 80’s, limited computer processing power and extremely slow internet speeds, meant that website load speed was constantly measured and optimised. Due to innovations in technology we now live in a world of quad-core processors and fibre optic broadband. This coupled with a fierce competition to produce more and more innovative marketing campaigns, website designers and developers are often forced trade off website performance for increased aesthetics and functionality.

It’s true that internet speeds are increasing across the board, however last year Cisco reported that 62% of mobile connections were still limited to 2G speeds (typically loading a web page in around 6 – 8 seconds). The issue is that some people making do with a slow mobile connection could be forced to download the same ‘rich media’ website that wifi users get, but on a connection a fraction of the speed. The result is that load times are excessive, ultimately resulting in those users giving up and going elsewhere.

What’s the problem?

In the mid 90s, during the ‘age of dial up’, slow was the norm, so internet users expected to have time to make a brew while waiting for their download to finish. If a web page took slightly longer than others to load, it could be forgiven. However today, we are living in the ‘age of instant’, and we don’t like to wait. We have come to expect film streams to begin immediately, photos to appear instantly and downloads to arrive within seconds. Web pages are no different, and it’s now the norm for visitors to become frustrated if a site takes longer than a moment to load.

What’s the impact?

Following a study in 2009, web performance specialists, Akamai, found that “47% of consumers expect a web page to load in two seconds or less”. They also reported that “shoppers often become distracted when made to wait for a page to load. 14% will begin shopping at another site, and 23% will stop shopping and walk away from their computer”.

Interestingly the study compared results to a previous study in 2006, where consumers expected a load time of 4 seconds. As technology continues to improve and the bar for internet speeds rise, we expect that the impatience trend will too continue, with even lower load times expected as the norm.

So, we understand it’s important to manage the downside, but what about the upside?

Back in 2010 Google announced that website speed would for the first time be used as a search engine ranking factor. Respected search guru’s MOZ put the algorithm to the test, reporting that faster back-end performance (e.g. faster servers, databases and application code) does in fact directly impact search engine rankings. Check this out here to see the impact of online reviews on various consumer sites.

And although no direct impact could be found, faster front-end load times (e.g. more efficient HTML, CSS and JS) can have an impact too. “A decade of research from usability experts has taught us that faster websites are more enjoyable to use, have more visitors, who visit more pages, for longer periods of time, who come back more often, and who are more likely to purchase products or click ads. Ultimately these happier users are more likely promote the site through sharing and linking, which directly contributes to better search engine rankings”.

What can be done?

The next blog in this series will give you a flavour of the methods and the tools that we use at CandidSky for on-site optimisation to improve search engine rankings.

Enter your email address here and we’ll let you know when the next blog entry is released. Your email address will never be used for spam or passed on to any 3rd party.

Getting off to a good start: building websites with search in mind

Launching a new website can be a complex task. More often than not any planning is centred around how the website will look, feel and function, and starting to look at search optimisation at this point means more work, more money, and more time.

Many people get around this by treating SEO as an afterthought – something that can be dealt with once they are up and running, and to some extent this is true, however there are some important aspects of a site that need to be considered from the off. You can save a lot of time and money by dealing with these upstream, especially if the site is still in development.

Keyword Research

Keywords in search are the most important part, and carrying out some level or keyword research before you polish off the site will give you a huge advantage. It may even dictate what you decide to call the website. For example, if you were going to launch an online store selling goldfish (I’m not sure about the logistics of doing something like this, but hey, it’s an example) and were going to call it ‘’, after doing some research you may find that people search for ‘pet fish’ a lot, and that you may receive better placement in search engines for this search term by calling it ‘’.

Trying to market your site in search without knowing which keywords you need to target is a bad idea, and can be the downfall of many online start-ups. How can you achieve your targets if you don’t know what they are? You’re best off heading over to the Adwords Keyword Tool to decide which direction you’re heading in.

URL structure

URL structure can be a little tricky. Your URLs need to be informative for a user, and practical for search engines. This can be addressed later on, but changing them can have an impact on the page’s ability to rank well, and also means you will need to redirect from the old URLs to the new ones. It’s much better to spend a little time thinking about them before the site goes live, to produce URLs that are helpful, and encourage trust.

A common problem with open source E-commerce sites is that the URLs are dynamic by default, and unless you take some action to set them up properly, they may look something like this: /index.php?route=product/category&path=41_42

instead of


Sounds scary, I know, but canonicalisation is a simple concept when explained properly. Websites have a habit of outputting multiple versions of the same content

Using the example above:

would be the same content as /index.php?route=product/category&path=42

Notice how the numbers at the end have changed? That’s because in this instance those numbers represent what page you are on, and how you got there. In the first example, the user went from page 41 to page 42, and in the second example, they went directly to page 42. Despite these being exactly the same page, the route they have taken means that a different URL has been generated. Search engines see this as 2 different pages with exactly the same content, and this can be extremely detrimental to their rank in search engines. There are many more instances on a site where this problem arises, such as with: and

1 page, 2 URLs, duplicate content, Googleslap. This should be addressed technically before your site goes live to make sure you have the most successful launch possible.

Website Features

If your site’s SEO will benefit from certain features, it’s best to get them sorted whilst it’s still in development, as rolling them into a larger task usually means a lower cost than hiring someone to do a one-off job. There are many features which are beneficial to your search marketing – here’s a few of them:

  • Related Products
  • Product Reviews
  • Review Requests
  • RSS Feeds
  • Social Media Buttons

Site Structure

How you decide to put your site together will also impact how it performs in search engines. You may be aware that a large factor in search rankings is how many other sites link to yours, and the quality of those links. This also applies to your internal ones, so if you have a particular page on your main navigation bar which is linked to from every other page on the site, it’s going to have a better chance of ranking than one that is 4 clicks deep. You need to be able to work out which are going to be your main SEO pages, and give them pride of position on your site.

I could go on, and on, and on, but in an effort to keep these concise I’ve only pulled out some of the main ones. If you’re interested in hearing more, then check out our search engine optimisation services. Hopefully this helps you to understand just how much there is to do on a site from an SEO perspective before you send it out into the big wide world, hoping that it will pay off. Don’t gamble, invest a little and it will pay dividends later on.