Part 5: Website and Server Security
Question: How much time and resources do you invest in securing your Web servers, and what costs result from it? How important is security to your company or your clients?
Collis Ta’eed: Security is always important, and it takes many different forms: on-site security, back-ups, server security, anti-fraud measures and general account security.
Generally speaking, I’ve noticed an 80-20 rule in security. You can eliminate a lot of security hazards with basic measures. After the basics are dealt with, you get into the increasingly difficult territory of fringe cases, unpredictable behavior and some fairly impossible problems.
So, deciding how critical it is for your business and weighing the risks and rewards accordingly is important. For Envato, particularly in our marketplaces, security is critical, so we are as careful and prudent as possible.
Chris Shiflett: Security is important to clients, but often unstated and assumed, like performance or stability. Our job is to listen to a client’s needs and, through discussion, dig deeper to discover the details of those needs so that we can meet them.
Because the needs of clients can vary dramatically, there is no good benchmark for how much time or money is enough. The best advice I can give is to include security in your considerations, especially when planning a schedule and budget.
Question: How do you make sure that your websites are secure? What kind of mechanisms, checks, tests do you conduct, or what general principles of security do you follow?
Jacob Gube: A lot of websites have gotten hacked, and it’s the same story over and over again: weak passwords, no regular security vulnerability checks and neglect of file permissions. These three things don’t take a lot of effort and time, so it always baffles me why big and small websites alike get hacked. You don’t even need to upgrade to the latest software all the time if you think about these three things. I upgrade only when there’s a security patch. And when that happens, I drop whatever I’m doing, roll up my sleeves and start upgrading.
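The third item above, neglected file permissions, is the one that can be checked mechanically. Below is an added example (not Jacob Gube's code or tooling) of a small audit that walks a web root and reports world-writable files and directories, setuid/setgid files, and configuration files that any user on the host can read. The list of sensitive file names and the throwaway sample web root it builds are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Added example, not from the interview. The sensitive names and the sample
# web root built by build_sample_webroot() are assumptions for illustration.
SENSITIVE_NAMES = frozenset(
    {"wp-config.php", "config.php", "settings.php", ".env", ".htaccess"}
)


def audit_permissions(root):
    """Walk root and return a list of (relative_path, problem) findings.

    Flags world-writable entries, regular files with setuid/setgid set, and
    known configuration files readable by "other". Symlinks are skipped and
    never followed, so a link pointing outside the web root cannot drag the
    audit elsewhere.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                st = os.lstat(full)
            except OSError as err:
                findings.append((rel, f"cannot stat: {err.strerror}"))
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable ({mode:04o})"))
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, f"setuid/setgid ({mode:04o})"))
            if name in SENSITIVE_NAMES and mode & stat.S_IROTH:
                findings.append((rel, f"config readable by others ({mode:04o})"))
    return findings


def build_sample_webroot():
    """Create a throwaway web root with deliberately mixed permissions.

    This is a constructed sample so the audit can run offline; the layout is
    not taken from any real site.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": 0o644,         # fine: public page
        "wp-config.php": 0o640,      # fine: owner and web-server group only
        "settings.php": 0o644,       # flagged: database secrets readable by all
        "uploads/cache.tmp": 0o666,  # flagged: any local user can overwrite it
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # flagged: world-writable dir
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, problem in audit_permissions(sample_root):
        print(f"{rel_path}: {problem}")
```

Run it from cron against the real document root and treat any new finding as a ticket. A world-writable directory under a web root is the classic landing spot for a web shell dropped through a weak password or an unpatched plugin; the fix is ownership and mode, not a blacklist of file names.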
Chris Shiflett: I try to always apply two simple practices: filter input and escape output. This gives me a pretty good foundation. I then pay specific attention to things like CSRF (cross-site request forgeries) and my session and auth mechanisms.
When evaluating the security of something, some good principles to keep in mind are:
- Defense in depth
- Least privilege
- Least complicated
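The two practices Chris Shiflett names, filter input and escape output, together with the CSRF check he mentions, look like this in working code. This is an added example written for this page, not his code; the form fields, the server-side session dict, the username pattern and the allowed roles are assumptions made for illustration. Note the division of labour: filtering decides whether data is acceptable at all, escaping makes accepted data safe for the specific context (HTML body, URL segment) it is written into.

```python
import hmac
import html
import re
import secrets
from urllib.parse import quote

# Added example, not the interviewee's code. Field names, the session dict,
# the username pattern and the allowed roles are assumptions for illustration.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ALLOWED_ROLES = frozenset({"viewer", "editor"})
MAX_COMMENT = 1000


def filter_input(form):
    """Validate the raw form dict against a whitelist; raise ValueError otherwise.

    Filtering checks type, length and allowed values. It deliberately does
    not strip "dangerous" characters: a comment may legitimately contain
    < or ', and making it safe is the job of escaping at output time.
    """
    username = form.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_]")
    role = form.get("role", "")
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValueError("role is not one of the allowed values")
    comment = form.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT:
        raise ValueError("comment is missing, not text, or too long")
    return {"username": username, "role": role, "comment": comment}


def escape_html(value):
    """Escape for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def escape_url_segment(value):
    """Escape for a single path segment of a URL."""
    return quote(value, safe="")


def render_profile(clean):
    """Escape every value at the point of output, for the context it lands in."""
    name_html = escape_html(clean["username"])
    name_url = escape_url_segment(clean["username"])
    return (
        f"<p>Hello, {name_html} ({escape_html(clean['role'])})</p>\n"
        f'<a href="/users/{name_url}">profile</a>\n'
        f"<blockquote>{escape_html(clean['comment'])}</blockquote>"
    )


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session; embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf(session, form):
    """True only if the submitted form carries the token held in this session."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    # Constant-time comparison; encoding avoids a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def handle_post(session, form):
    """Process a profile update: CSRF check, then filter input, then escape output.

    Returns (http_status, body).
    """
    if not check_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    try:
        clean = filter_input(form)
    except ValueError as err:
        return 400, str(err)
    return 200, render_profile(clean)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed request: a stored-XSS attempt in the comment field.
    form = {"csrf_token": token, "username": "alice_1", "role": "editor",
            "comment": "<script>alert(1)</script>"}
    print(handle_post(session, form))
```

The order matters: the CSRF check runs before any state changes, the filter rejects rather than "cleans" bad input, and the same username is escaped twice, once for HTML and once for a URL, because one escaping routine cannot be correct for both contexts.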
Question: What do you do to be able to respond quickly and efficiently to security problems? How do you make sure that sensitive customer data never leaks out?
Collis Ta’eed: The main thing we have on the team is a standing priority on anything security-related: moderate to severe security issues go in the drop-everything-and-fix-this-now queue. Minor security issues are generally set to high priority.
Chris Shiflett: The way you respond to a security problem should depend on the severity and exposure of the problem. For Web apps, one of the most extreme responses is to take the app offline. If keeping your app online would put users at risk, then this might be the only reasonable choice. However, what if the problem has existed for more than a year, you discovered it yourself, you find no evidence that it is known by anyone else and fixing it would take only an hour? The user might be slightly unsettled by this, but most companies would put your safety at risk in such a scenario.
Responding gracefully to a security problem requires planning, and one of the most important considerations is whether your deployment process can accommodate quick fixes. A deployment process that ignores the need for quick fixes forces emergency updates that fall outside of protocol. When that happens, there’s a risk that the quick fixes are forsaken for the next proper release, causing security problems to recur.
Part 6: Psychology of Web Design and User Behavior
Question: Where do you see the line between guiding the user on the website and shady advertising methods? Do you think that blinking ads, pop-ups, pop-unders and other elements are acceptable? Or should a professional website avoid them in all situations?
Chris Coyier: One major ethical black zone I see is undisclosed advertising. If you write an article on your website that says, “Check out Super Printing Company! I love them!” and the company paid you $1,000 to say that, that is unethical in my book. If you are paid or otherwise compensated, even if you claim that it doesn’t influence your opinion, it needs to be noted.
Pop-ups and pop-unders are also ethically bad territory. This is exploiting technology to do something to my computer that I didn’t ask to be done. Not to mention, it’s not like the advertisements in pop-unders state the fact that they are paid endorsements.
I’d go so far as to say that there should be international laws to govern this kind of thing, if that’s even possible. If a website knowingly implements any exploitative advertising methods like these, they should be fined and the domain taken from them.
Jesse Bennett Chamberlain: I might be in the minority, but I think blinking ads, pop-ups, etc. have their place, as do the hard-sell trashy-looking fliers I get in the mail every weekend. I personally don’t like them, but that doesn’t mean they’re not effective when shown to the right audience. Should a professional website avoid them? Probably.
Question: Do you consider psychological theories in your designs? Or do you design intuitively? And how strongly do you trust studies that support one theory or another?
Darren Hoyt: I think it’s the same for people who go to school for music. The professor will teach them rigorous theory for four years, and at the end he’ll tell them to forget what they’ve learned before going out into the world to compose songs. When I first learned to design, I read every book about design fundamentals that I could find. But then over the years, I learned which rules could be broken, when appropriate. Some of the more academic design stuff is stuck in the back of my head, but it’s not something I usually think about consciously while designing.
Yaron Schoen: I believe that with design, as with every form of expression, psychological theories play an important role. When creating an interface, I design for flow. I want my users to enjoy their experience by feeling that they have achieved what they came to do. I do not want them to feel like the achievement belongs to the application and that they just happened to be there. By putting the interface in the background and keeping it from interfering with the user, I can create a happy and fulfilling experience. This is a psychological mind game, something that I think all of us Web designers play when building an experience.
While I believe in psychology, I do rely on my gut instinct. It seems as though so many people are talking and thinking and writing essays about design and not really getting their hands dirty in it. Some sources I enjoy reading and trust with my life, but some are borderline spam. I think the best psychological theory is experience. Recently, I’ve even started to think that there is no real way to anticipate exactly how users will react. You just do the best you can, shove the product in their face and monitor them.
At the end of the day, with all due respect to philosophical and psychological theories, I trust my instinct and heart more. I remember someone saying not so long ago (I wish I could remember who): “There is no great design process, only great designers.” I hope with every design that I create, I come closer to being a great designer.
Part 7: Copywriting and Content Strategy
Question: Is copywriting part of your professional workflow as a designer or developer? And do your customers expect you to have solid knowledge of copywriting?
Trent Walton: Yes! No amount of Photoshop or PHP magic can fix the problem of bad copy. When kicking off a new project, content and copy are some of the first things we address, because a client’s message informs the purpose and function of the website. With a clear message in place, all subsequent design decisions are led by that idea.
Good writing and good Web copy are two different things. Someone who understands how users read and experience Web pages must do more than simply write copy. They must be able to distill big ideas into a concise message, while balancing the flow of information across pages.
Darren Hoyt: Funny, I just blogged about the challenge of getting good content from clients, or at least the discussion that happens beforehand.
No client of mine has ever expected finished copy from me as a designer; but if you really care about the product, you’ll try to put your own spin on its presentation. This is especially true for the home page, if you have a marquee area where you’re trying to drive home the key points of the website in a creative way. This might require a good sense of both visual design and language, which is really its own form of design. I’ve found that clients always appreciate the effort to improve the content they’ve provided.
Lea Alcantara: It depends on the project. Every project would benefit from a strong copywriter who has good content strategy skills and knowledge, but not every project has the budget or time to accommodate that. Most clients provide their own copy. If it really is a struggle or there is an obvious problem with what they provide, I try to convince them to hire a copywriter or content strategist.
Question: What is the significance of copywriting for you as a designer or developer? How often have you been confronted with poor, unprofessional copy?
Jen Germann: Most of my clients do their own copywriting. So, instances of “creative” grammar and otherwise unprofessional writing are pretty common. If it’s home page copy or prominent content for a main page, I try to clean it up a little or even rewrite it to make it look a bit more professional. Obviously, great content is the foundation of a great website; if the content sucks, nothing I do with the layout or design will hide that. So, I try to work with the client or fix it myself.
Jonathan Snook: Copywriting should be part of the design like anything else. The amount of care and consideration that goes into the copy determines how much it benefits users (and your pocketbook). Good copy helps users find what they’re looking for, increases enjoyment and reduces support costs. Unfortunately, content is often crammed in at the end like an insignificant part of the process. When clients review the budget, copywriting is often the first thing to get slashed.
Question: What is your experience with content theft, and how do you deal with it?
Jacob Gube: Content theft is prevalent with Six Revisions and Design Instruct content. Not a day goes by when I don’t find one of our posts reposted on another website. I guess it’s the price you pay for publishing great and unique content. So, the ever-optimistic side of me takes it as a compliment and testament to the quality of content we produce.
In one instance, an article of mine that was stolen and posted on another website became popular on a social bookmarking website (Delicious), and the worst part was that people went to my original post and said that the content was taken from the other website; apparently I stole my own content! The way I handled the situation wasn’t the most civil or mature: the images were hotlinked in the stolen article, so I replaced them with funny images pointing to my original article, and then tweeted about it to expose the content thieves.
Content theft in a medium as open as the Internet is tough to deal with unless you have dedicated staff for it. In many instances, especially where our content is translated to another language and the website seems to be not for profit, I just turn a blind eye, because our goal is to share information. If we are able to reach audiences that do not speak English and teach and inspire them about design and development, then not getting attribution and having our bandwidth leeched is a small price that I’m willing to pay.
I’m selective with the stolen content that I actively request to be taken down. Passively, a website owner can do the following:
- Don’t offer full feeds. RSS feeds are easily syndicated using XML parsers.
- Prevent hotlinking (very easy to do if you have access to your Web server). This ensures your bandwidth isn’t stolen.
- Subscribe to Google Alerts for your domain name and authors’ names. This will alert you whenever your website or authors are mentioned on another website. This is the method I use to find mentions of interest on the Web, and an unanticipated result is that I’m notified of content theft when thieves scrape our pages or misuse our RSS feed.
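The second item, preventing hotlinking, is usually a few lines of web-server configuration, and it is worth seeing exactly what that rule decides and where it can misfire. The following is an added example (not Jacob Gube's setup) of the same Referer-based decision in plain Python: it allows requests for protected images from the site's own hostnames, allows requests that carry no Referer at all, and sends everything else to a placeholder image, which is what happened to the copied article described above. The hostnames, the protected file suffixes and the placeholder path are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Added example, not from the interview. Hostnames, suffixes and the
# placeholder path are assumptions for illustration.
OWN_HOSTS = frozenset({"example.com", "www.example.com"})
PROTECTED_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".webp")
PLACEHOLDER = "/static/hotlinked.png"  # served to pages that embed our images


def referer_host(referer):
    """Lowercase host from a Referer header, or None if absent or unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname  # strips scheme, port, userinfo
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.lower() if host else None


def classify(path, headers):
    """Return (allowed, reason) for a request. Header names are case-insensitive.

    The placeholder itself is always served, otherwise a blocked request
    would be redirected to a path that is itself blocked: a redirect loop.
    """
    if path == PLACEHOLDER or not path.lower().endswith(PROTECTED_SUFFIXES):
        return True, "not a protected asset"
    lowered = {name.lower(): value for name, value in headers.items()}
    host = referer_host(lowered.get("referer"))
    if host is None:
        # Direct visits, Referrer-Policy: no-referrer, privacy extensions,
        # many proxies and feed readers send no Referer. Blocking them
        # punishes real visitors, so an empty Referer is allowed through.
        return True, "no referer"
    if host in OWN_HOSTS:
        return True, "own site"
    # A host check, not a substring check: "example.com.evil.net" fails here.
    return False, f"hotlinked from {host}"


def respond(path, headers):
    """Return (status, location): 200 with the file, or 302 to the placeholder."""
    allowed, _reason = classify(path, headers)
    return (200, path) if allowed else (302, PLACEHOLDER)


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for req_path, req_headers in [
        ("/img/diagram.png", {"Referer": "https://www.example.com/post/1"}),
        ("/img/diagram.png", {"referer": "http://copy.example.net/repost"}),
        ("/img/diagram.png", {}),
        ("/img/diagram.png", {"Referer": "http://example.com.evil.net/"}),
    ]:
        print(req_path, req_headers, "->", classify(req_path, req_headers))
```

Two caveats a practitioner should keep in mind. First, the Referer header is supplied by the client, and a scraper sets it to anything with one flag on a download tool, so this stops browsers from loading your images inside someone else's page and saves the bandwidth Jacob mentions; it does not stop a determined copier. Second, the decision must compare the parsed host, never search the Referer string for your domain, or any URL containing your domain name as a query parameter or subdomain would pass.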
Rob Morris: I’m probably not the person to talk about stopping plagiarism. Just a few months after launching the 2009 version of Digitalmash, I’d collected screenshots of 25 separate copycat websites (that I knew about).
I guess I do know a little about dealing with content theft after the fact. I normally send a pretty friendly email letting them know that I know, and requesting that they change their content to something a little more original. After that, you can contact hosting companies and employers, lodge DMCAs, etc. But I’ve learned it’s better just to move on. You’ve got to have faith in karma. I’d like to think that the people I work with and for can tell the difference between a copy and the real thing.