Solution to #400 bad request error on Google Chrome and Gmail

For the last few weeks my son has been unable to use his Gmail, GDrive or in fact any part of his G Suite account using Google Chrome, due to getting this dreaded #400 bad request error.

The 400 Bad Request error is an HTTP status code that means that the request you sent to the website server, often something simple like a request to load a web page, was somehow incorrect or corrupted and the server couldn’t understand it.

I googled this error for hours, but none of the solutions I found worked.

  • I completely uninstalled Chrome and started from scratch, no dice.
  • I even tested this on my own PC, and had the same issue.
  • Tested with other browsers, but they do not have this issue.

After troubleshooting the issue extensively, what I discovered was that this problem was only affecting my son’s Google profile and only occurred after I created his profile in Chrome and synced it. If I logged into Gmail without creating the profile, everything worked. If I used the guest profile, or if I used incognito, everything also worked fine. So the issue is clearly with the Google profile and what Chrome is trying to do after it has downloaded/synced it for the first time.

I contacted Google support (as I have a paid G Suite account), and had some painful exchanges, with them insisting that a #400 error is a client-side error and so the issue is with my environment and not a problem with any of their services. It has taken a lot of perseverance and repeating the evidence over and over to show that it is not a local environment issue, but finally, a solution has been found.

All you need to do is reset your Google profile sync.

  • Visit http://chrome.google.com/sync (you need to be logged in to the affected Chrome profile).
  • Review whether there is anything on your profile that you need to keep. For example, you can back up bookmarks by following the steps at http://support.google.com/chrome/answer/96816.
  • Make sure to check every item in that list (most of them are like clearing browsing history).
  • After checking what needs to be exported and downloaded, the next step is to click the “Reset Sync” button at the bottom. This deletes all the sync data, which cannot be recovered.

I did not need to delete the profile from the browser, but if the above solution does not solve your problem, then I would give that a go as well.

I hope this helps the many other people who are having this error and never found any solution.

The Truth about WordPress Security

One of the services I provide is managed WordPress websites, and a common negative comment I hear from people is about WordPress security, claiming “WordPress is not secure.” More often than not these words of misplaced warning come from other web designers or IT guys who clearly have not done their research, and really should know better. The obvious major drawback of this information is that clients then become fearful of potentially falling victim to malicious behaviour. But the truth is, WordPress core is one of the most secure publishing and web development platforms you can choose to develop a site on.

What most people don’t realize is that WordPress is not a set-it-and-forget-it system

WordPress security isn’t about setting and forgetting. Rather, it’s about taking every measure you can to harden your website to prevent it from being hacked. It’s not just up to WordPress to implement security for you either. Using WordPress, as with any off-the-shelf CMS, means YOU are responsible for your website maintenance, including security. This is actually true of ANY website, especially bespoke built websites, which are the most likely to have gaping security holes since they will have never been maintained or updated.

While WordPress already does a lot to harden its core, there’s a shared responsibility between you, your hosting infrastructure, and WordPress to be vigilant about enforcing security best practices, or hire someone like me to do it for you.
So, if you are rejecting WordPress due to WordPress security concerns, let me enlighten you with a few reasons to convince you that WordPress is actually more bullet proof than you might realize.

The No. 1 cause of a hacked WordPress website is an outdated extension or outdated core, the result of poor or non-existent maintenance.

Hacking is newsworthy

WordPress wasn’t always as secure as it is now. Back in 2009, when WordPress was on the brink of massive popularity, the CMS contained a number of security vectors that were exploited and picked up by the news. The platform received extreme criticism, which was really the community’s way of saying that WordPress needed to up its game and become more bulletproof.

These security concerns were addressed in version 2.8, following a string of security patches to strengthen the WordPress codebase. While security was on the shaky end then, today WordPress is quite secure. Yet, because WordPress makes up such a huge chunk of the internet (28 percent and rising; 1.2 billion downloads) if a hacker is scouring the web to cause trouble, there’s at least a quarter chance they’ll land on a WordPress website.

As such, these security exploits are publicized when any high-profile attack occurs. This gives WordPress a reputation for being less secure than comparable CMSs, like Drupal and Joomla. However, this is completely inaccurate.

The reality is, WordPress is secure enough for millions of end users and a number of Fortune 500 companies to trust their online business with.

Other popular CMS’s like Drupal and Joomla aren’t targeted as much, simply because they aren’t as widely used as WordPress. While WordPress powers over half (52 percent) of all CMSs on the web, Drupal powers a mere two percent and Joomla only six percent of the CMS market. So, when WordPress does get hacked, it’s commonly covered by media outlets and the news. But what many people don’t realize brings us to the next point.

Most security exploits are a result of an outdated component.

Most security attacks on WordPress occur through an outdated theme, plugin, or through WordPress core. Of all the high profile exploits in recent years, each attack has targeted vulnerabilities that could have been avoided with a simple update. Therefore, it is not the fault of WordPress when these breaches occur; it is the fault of the website owner not properly maintaining their website.

It’s your duty to update plugins, themes, and WordPress core accordingly.

While so-called managed WordPress hosting providers like WP Engine or GoDaddy may run automatic updates to the WordPress core for you, they do not update all your plugins and themes to ensure they contain the latest security patches; this is still down to you. So the term “Managed WordPress” is obviously rather misleading to many website owners, who are unwittingly under the impression that EVERYTHING is being managed, which is not the case. Just to be clear, the managed WordPress solution I provide does include everything.

If you do not have someone like me managing your site and are managing your own website, then it is also up to you to familiarize and educate yourself regarding plugin and theme best practices. While free plugins and themes are awesome, when browsing the plugin repository, make sure the plugin/theme has been updated recently and works with the latest version of WordPress. If you activate a plugin/theme that’s more than a year old, you could be potentially opening up a portal for hackers because the extension will most likely not have been patched with the latest security update.

Premium plugins and themes are less likely to contain security vulnerabilities because they are monitored and updated more regularly. That’s one benefit of paying for a premium component — you won’t have to worry about the author going astray and neglecting to keep the theme/plugin up to par with the latest security standards. However, do not try to pirate premium themes and plugins; this is a bad idea because they most likely won’t contain the latest security scripts.

There are many security vendors working quickly to detect and patch vulnerabilities.

In terms of security, no system is perfect. According to WordPress.org, “Security is about risk reduction, not risk elimination, and risk will never be zero.”
This is true not just for WordPress, but for any system. That’s why, in addition to the WordPress core team, many third-party security providers work endlessly to detect and fix vulnerabilities.

Even against the most secure systems, hackers can still find a way in if you don’t take the right precautions;

The open source nature of WordPress means that anyone can contribute to detecting security vulnerabilities, meaning faster fixes. For instance, you might have heard about a recent WordPress security breach through the REST API (introduced in version 4.7.0) where 1.5 million-plus pages running that specific version were defaced. Various security vendors detected the vulnerability and immediately reported it to WordPress to build an update.

If your enterprise site contains highly sensitive information, or you are just worried about this happening to you, there’s no way it could have, as long as you invest in managed services that automatically run WordPress updates for you. I was notified of this breach as soon as it was made public and immediately started issuing patches across all my client sites so that nobody was affected.

So just remember…

WordPress is as secure as you want it to be.

If you want your site to be shielded with layers upon layers of security shields, then you can. But laxity in security will only result in exposure to vulnerabilities.

It’s your duty to take additional measures to harden the security of the WordPress site you’ve built. With the help of managed hosting and service providers like myself, security is taken to the next level. To avoid a treacherous site invasion, there are some additional security measures you can (and should) take to harden the security of your WordPress site. The hosting I use for WordPress includes web application firewalls, intrusion detection, brute force protection, malware scanning and more.

Enforce Strong Passwords

This is the most basic of security measures you should be taking. If a hacker decides to run an automated brute-force script, an easy-to-guess password will make it easier for them to crack. Instead, use a strong password generator to make sure your password is secure enough. You can also use a plugin like Force Strong Passwords to enforce strong passwords for other users on your site or with WordPress Multisite. By default, I always use strong randomly generated passwords on all client sites.

Use 2FA (Two-Factor Authentication)

Enabling 2FA adds an extra layer of security to your login credentials. 2FA works by requiring a second factor of information that only you can give, like a code sent to your phone to verify your activity on a specific computer.

Use SSL For Data Security

SSL (secure sockets layer) encrypts all information submitted to your site. This means hackers won’t be able to see or intercept the data your users share on your site (like credit card info). While WordPress doesn’t come with automatic SSL, most hosting providers offer SSL and many now offer Let’s Encrypt.

Since Google has started issuing “Not Secure” warnings for pages not secured with HTTPS, it’s now important to make this transition to HTTPS if you haven’t already in order to avoid your clients seeing this warning message. Therefore I now enable SSL on all client sites by default.

WordPress ERR_TOO_MANY_REDIRECTS

I had this problem yesterday on my WordPress multisite installation, one of the sites was giving this “ERR_TOO_MANY_REDIRECTS” error but the other site was working just fine. This really had me scratching my head as it was working fine the night before.

Solving problems like this often requires trial and error, but sometimes you can be a detective and backtrack what has changed since it last worked. In this case, the last thing I had done was I had enabled Cloudflare, but I recall it was working after that as well. But then I remember the annoying habit that Google Chrome has of OTT caching not just of pages but of DNS lookups, meaning I may well have actually tested the site properly after the switch.

So first I disabled Cloudflare, which I was sure must be the cause, but nothing changed; I was still seeing the error. Then I checked the SSL; that was valid and passed all the SSLLABS tests too. Then I thought to try another browser since Google Chrome has a tendency to cache DNS results as well. Voila, the site was, in fact, working with Cloudflare disabled. So I went through the Cloudflare settings and found the cause.

Cloudflare’s Flexible SSL option can cause redirect loops when combined with certain configurations. Because all requests are sent to origins over HTTP when Flexible SSL is selected, an origin configured to redirect HTTP requests to HTTPS will cause a redirect loop, causing browsers to display “The page isn’t redirecting properly” or “ERR_TOO_MANY_REDIRECTS”.

If you encounter this, you will need to remove redirects at your origin. Look for RewriteRules in Apache or rewrite directives/301 return directives in nginx and remove them to clear the issue.

You can replace this configuration with an Always Use HTTPS page rule to redirect all users to HTTPS without creating a loop.

In my case, I just switched to full (strict) mode, and installed Let’s Encrypt SSL on my origin server. Problem solved.
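
The loop and the fixes described above can be reproduced with a small offline model; this is an added example, not code from the original post. The host `example.test`, the function names and the 20-hop browser limit are assumptions of the model, and `"full"` stands for both Full and Full (strict), since certificate validation is not modelled.

```python
"""Offline model of the Flexible SSL redirect loop (constructed, no network)."""
from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # assumed browser limit before ERR_TOO_MANY_REDIRECTS


def origin(scheme, host, path, force_https):
    """Origin server: with force_https it 301s every plain-HTTP request,
    like a RewriteRule or 'return 301 https://...' directive."""
    if force_https and scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None


def edge(url, ssl_mode, force_https, always_https):
    """CDN edge between visitor and origin.

    ssl_mode 'flexible': always talks plain HTTP to the origin.
    ssl_mode 'full':     uses the scheme the visitor used.
    always_https:        edge-level HTTP->HTTPS redirect (the page rule),
                         answered before the origin is contacted.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if always_https and parts.scheme == "http":
        return 301, f"https://{parts.netloc}{path}"
    upstream = "http" if ssl_mode == "flexible" else parts.scheme
    return origin(upstream, parts.netloc, path, force_https)


def browse(url, ssl_mode, force_https=True, always_https=False):
    """Follow redirects like a browser. Returns (outcome, list_of_urls_visited)."""
    hops = [url]
    for _ in range(MAX_REDIRECTS):
        status, location = edge(url, ssl_mode, force_https, always_https)
        if status == 200:
            return "ok", hops
        url = location
        hops.append(url)
    return "ERR_TOO_MANY_REDIRECTS", hops


if __name__ == "__main__":
    cases = [
        # The broken setup: Flexible SSL + origin forcing HTTPS.
        ("flexible, origin redirect", "flexible", True, False),
        # Fix 1: origin redirect removed, edge rule does the upgrade instead.
        ("flexible, edge rule only", "flexible", False, True),
        # Fix 2: Full mode, origin redirect can stay.
        ("full, origin redirect", "full", True, False),
    ]
    for label, mode, force, rule in cases:
        outcome, hops = browse("http://example.test/", mode, force, rule)
        print(f"{label:28} -> {outcome} after {len(hops) - 1} redirect(s)")
```

In the broken case the origin never sees an HTTPS request, so its redirect can never be satisfied; both fixes end after a single redirect.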

Trustpilot, can they be trusted?

It is well known that we, the consumers, trust recommendations coming from peers or fellow consumers much more than we trust what businesses are telling us about them. Therefore the businesses selling social proof are very powerful and they can easily manipulate our thoughts on any brand.

Yelp even won a court settlement recently, giving them permission to legally manipulate ratings. Both Yelp and Trustpilot claim that they don’t manipulate the truth, but when you take a closer look at the services they are selling, you get a completely different picture.

There are quite a few sites online that allow you to write reviews on any company, but the majority of worthwhile ones are paid services geared towards businesses collecting product reviews on their e-commerce websites, so members of the public cannot just go and write a review about the company, the rest are business directory websites like yelp.com. So when I discovered trustpilot.com a few years ago it seemed like there was finally a useful and transparent review site.

Trustpilot may have started well back in 2012 when it was run by just a couple of guys, maybe they even had honourable intentions to keep the site honest, but sadly the service has definitely gone downhill since they have grown in size and their standards have declined and any good intentions left by the wayside in favour of profit.

Trustpilot’s service has degraded so much that they are themselves now being reviewed on other review sites for their unethical behaviour.

> Only 9of reviewers recommend Trustpilot
> Trustpilot – not to be trusted so much

From my own dealings with them, I can confirm that I have experienced what I would consider unethical and biased practices when they have removed negative reviews and they have made it very difficult (sometimes impossible) and time-consuming for me to get it re-instated, requesting ludicrous evidence, and refusing to make any effort to verify facts, even something as simple as clicking a link.
Most consumers will simply get so frustrated with this incompetence and time-wasting tactics, they will give up, which is clearly the intent as this puts Trustpilot in the position that they can blame the consumer for not following through.

The compliance team pushes the boundaries of incompetence and dealing with them severely tests your patience.

If a company is using their free service then it seems as though they will happily allow defamatory or fake reviews to be posted unabated, and will gladly ignore any requests to get them removed, in fact, if you read the feedback on the sites above, business owners are claiming they are being blocked by TrustPilot from reporting defamatory or fake reviews.
The only way around this seems to be by using their paid service,  after which you receive the opposite treatment and they will go out of their way to remove negative reviews and will even refuse evidence from the customer proving the reviews are legit and will not make any effort at all to verify details you send them.

So what does this mean to the consumer?

Unfortunately, since Trustpilot allow reviews to be manipulated,  this means that the scores and ratings you see for any company may not be reliable.

They do have processes in place to stop the same person leaving multiple reviews under different names, and knowing how to get around this will be beyond the ability of the average person who is not very computer literate. This, therefore, puts the bias on companies which have only positive reviews, and are thus more likely to potentially be paying to have the negative ones removed.

One solution to verify a company that seems too good to be true is to check other directory sites such as yell.com, yelp.com, freeindex.com etc. which they may not be monitoring. Also check social media: Facebook, Twitter, LinkedIn etc. Companies who are in the habit of removing negative reviews will usually not allow posts on their Facebook page without moderation, or will quickly remove anything negative, so this is easy enough to test. No company can remove other people’s tweets though, so check their timeline and do a search for specific phrases.

EdFirst – Unethical Telesales Practices

Dodgy unsolicited sales calls are pretty much the norm these days, and we tend to take them for granted. Those of us who are savvy do not fall for them, but sadly there are still plenty of people out there who do get scammed and swindled out of their hard-earned cash by these tricky sales people. The more of us that document these scams and companies implementing them, the less effective they will be as more people get into the habit of searching online first for reviews.

I had a phone call recently from this chap at edfirst.co.uk (aka School Supplies Service), asking me if I did IT support for schools, and how he was looking for providers in my area as currently, they did not have any and the schools were in need of IT providers. He lamented how his company was the main supplier for schools and involved in all the tenders and how I would be listed as the “go to guy” on the school’s database for my entire area and would make a lot of money as a result. He also made a point of telling me they do not make any money from this and are not allowed to charge anything for this service.

I was still interested and listening at this point, but it all went downhill when he then went on to mention the company he had called before me, and how he had spoken to someone called “Tina”, but she needed to speak with her boss first, so he had called the next person on the list, which was me. He then proceeded to try to play me off against them, stating that the first one to sign-up would be the sole provider for my area, and I really needed to sign up right now or he would then call the next person on the list, and then asked me for a £500 registration fee.

Alarm bells now started to ring, as clearly any legitimate tendering service would not have any requirement for you to sign up there and then on the spot or lose your chance, and trying to play me off against someone else like that is quite clearly a dodgy and unethical sales practice, plus he had contradicted his earlier statement of them not making any money from this by asking me for £500. So I made my excuses and asked him to email the details over to me, so I could check up on this company.

I checked out the edFirst.co.uk website and it seems to be just another directory website targeted at schools, who do little more than supply a printed version of their directory to the schools.  After a bit of googling, I found numerous feedback from others which confirmed my suspicions and those who had paid the fee to be listed had got no work from it.

https://www.electriciansforums.co.uk/threads/school-supplies-service.30175/
http://my.bookkeepers.org.uk/Forum.aspx?type=&cid=0&tid=83284&lp=0&page=0&sort=
http://landscapejuicenetwork.com/forum/topics/school-supplies-service-ltd

I also called the IT support company he had tried to play me off against and spoke to Tina, and she confirmed the conversation and that he had tried exactly the same thing on her, and tried to play her off on the company he had called prior to calling her.

Needless to say I advised Dale that I would not be parting with my cash on this occasion.

Gemma

Reviewing on Trustpilot

Normally I post all my reviews on Trustpilot, but in this case,  I was told by Gemma from the Trustpilot compliance team that literally every single part of my review was defamatory and had to be removed. I was not allowed to mention the person who called me, or what was said during the phone conversation or mention the other reviews/feedback found publicly online. I was advised by Gemma that I would need to provide police/court evidence to back up everything I have written above, which is obviously quite ludicrous and impossible.

Basically, I was thwarted from posting anything negative, so I can only assume that edFirst are using Trustpilot’s paid service, which allows them to request the removal of negative reviews. Read my review on Trustpilot below for more details.