Identifying weaknesses in your startup

Metrics for growth.

To grow your startup you must be able to identify and prioritise areas of weakness. Measuring metrics is a useful way to do this. By leveraging these metrics, you can: identify, prioritise and investigate weaknesses; design and test hypotheses, and measure the results.

Here is a set of high-level stages of the customer journey, with example metrics that you should consider. By considering metrics that represent each of these stages, you’ll be able to spot weaknesses in your startup.

 
 
 

3 easy ways to make sure your ad manager is not ripping you off.

I recently spoke with a business spending over £10,000 a month on ads, managed for them by an agency. And guess what? They didn’t know anything about their performance.

But that’s okay because they had professionals managing their account... Right?

Well, last year I worked with a business who potentially wasted over half of their ad spend. All because of an ad management service who didn’t know how to run ads (and ignored the indicators I talk about here).

That experience highlights the importance of businesses verifying their ad performance.

Here are three methods that you can use to check up on your Google and Facebook ads.

1. Measure marketing return on investment

As with any investment, calculating your ROI is important. It can both quantify the performance of marketing campaigns and inform budgeting decisions.

Methods for calculating MROI vary and result in different levels of accuracy.

A simple way to estimate your MROI is to look at a period of time (for example the last month) and use the formula:

MROI = 100 x (Gross profit - Marketing investment)/Marketing investment

Which will give you a quick estimate of your MROI as a percentage.

But it isn’t perfect. It relies on a simplified model of purchasing behaviour. That model might ignore factors such as previous interactions with your brand and other marketing.

When interpreting your MROI, you must consider the scope and limitations of your calculation.

What makes a good MROI?

It depends on your business and goals. A negative value would definitely be a cause for concern. And considering that you might expect around a 3% to 6% return from a stock portfolio, your MROI should be higher than that.

2. Google AdWords Quality Score

How to check your Google AdWords Quality Score.

  1. Visit Google AdWords and login.
  2. With “All campaigns” selected on the left (this is the default view), select the “Keywords” tab.
  3. Select the dropdown “Columns”, then “Modify columns…”.
  4. Find the metric “Attributes >> Qual. score” and click on the button to add it to the list of columns.
  5. Click on “Apply”.
  6. Ensure that the date range in the top right is set to “Last 30 days…”.
  7. Click on the column header “Cost” to sort it in descending value.
  8. See the quality scores in the column “Qual. Score” on the far right.

What makes a good AdWords Quality Score?

Higher quality scores are better. The score is used when calculating the cost of your ads (or the best position for your bid). The higher it is, the cheaper your ads will be.

For example, a quality score of 2/10 could lead to a 250% increase in cost. A quality score of 9/10 could result in a discount of about 22.2%. A quality score of 7 is likely to not affect the cost.

Furthermore, ads targeted at a keyword set with a higher quality score will often have a higher conversion rate. That means more visitors turn into customers, saving on your cost per acquisition.

If your average quality score is less than 7 we’d suggest talking to your ad manager about it. They should be able to explain the score and improve it.

3. Facebook Relevance Score

How to check your Facebook Relevance Score.

  1. Visit Facebook Adverts Manager.
  2. Select the tab ‘Adverts’.
  3. Click on the column ‘Amount spent’ to sort from highest to lowest.
  4. See the scores in the column ‘Relevance score’ which is usually on the far right.

What makes a good Facebook Relevance Score?

This score is like the AdWords quality score. However, it applies to each of your adverts, rather than keywords. It serves as an estimate of how well your target audience is responding to your ad.

A higher score increases the likelihood of your advert being shown. It also results in cheaper ads which perform better.

If your average is less than 5 we’d suggest talking to your ad manager about it.

Insight into a black box

When your entire ad operation is outsourced, it can appear to be a bit of a black box. Businesses should use these simple methods to better understand their marketing spend.


At Zealous Digital we empower brands and tell their stories. Our focus is on building real connections which add value. We love data, blending it with fundamental truths to create innovative growth strategies.

Want us to take a look at your ads? Contact us today to arrange a short, friendly chat about how we can help. 

WordPress “Hacked By …”. Don’t let this happen to your business.

It’s Sunday morning, 26th February, and I get a panicked call from a business owner.

They’d just noticed that their WordPress site had been hacked…

The result of the hack, at least at first glance, was a blog post defacement. The latest blog post title and body were replaced with “Hacked By …”.

After investigation, I established that this was likely the only change. However, I also noticed that the post had been changed by multiple, different attackers.

While it is trivial to roll back the post, I opted for starting afresh with a previous backup from before the incidents. I decided on this option because the site is rarely changed, so reverting to a backup a month old didn’t affect any content. In addition, it allowed me to be confident that the site was clean within minutes of getting the login details from the business.

From there I updated the site to the latest WordPress version and reset all keys and passwords to ensure that any leaked information could not be used to access the site again.

WordPress 4.7.0 and 4.7.1 are vulnerable.

After cleaning up a breach you need to establish how it occurred. Themes, plugins, WordPress itself, server software and passwords can all have vulnerabilities. It was important to find the likely culprit so that we could fix or mitigate the vulnerability.

In this case I suspected a vulnerability that I had read about a few weeks ago. A feature enabled in WordPress version 4.7.0, the WordPress REST API, was buggy, enabling unauthenticated modifications to any post or page of a WordPress site running versions 4.7.0 and 4.7.1.

And it’s not hard to exploit! Within 48 hours of Sucuri’s announcement of their findings, hackers were successfully modifying sites. In just a few days thousands of businesses were affected.

Within the disclosure article they explain the exploit and the cause, giving a specific request that could be used to change a post:

"an attacker could submit a request like /wp-json/wp/v2/posts/123?id=456ABC to change the post"

Sure enough, on inspection of the Apache log at the times of the defacement there are entries that look like:

POST /wp-json/wp/v2/posts/123 HTTP/1.1

This confirmed my suspicion that this vulnerability was the culprit. And since it was fixed in version 4.7.2, the site was now secure.
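The log check described above can be scripted. This is an added example, not code from the original post: it scans Apache combined-format access log lines for write requests to single-post or single-page REST routes and groups the accepted ones by route. The sample log entries, function names and field names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ROUTE_RE = re.compile(r'^/wp-json/wp/v2/(?:posts|pages)/(\d+)/?$')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample entries (documentation IP ranges), not taken from the incident.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Feb/2017:03:12:44 +0000] "POST /wp-json/wp/v2/posts/123 HTTP/1.1" 200 2311 "-" "python-requests/2.13"
203.0.113.20 - - [26/Feb/2017:05:40:02 +0000] "POST /wp-json/wp/v2/posts/123?id=456ABC HTTP/1.1" 200 2298 "-" "curl/7.52"
192.0.2.15 - - [26/Feb/2017:06:01:10 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 1980 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2017:06:30:00 +0000] "POST /wp-json/wp/v2/posts/124 HTTP/1.1" 401 120 "-" "python-requests/2.13"
192.0.2.15 - - [26/Feb/2017:07:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def find_rest_writes(lines):
    """Return write requests aimed at a single post or page REST route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        url = urlsplit(m["target"])
        route = ROUTE_RE.match(url.path)
        if not route:
            continue
        query_ids = parse_qs(url.query).get("id", [])
        hits.append({
            "host": m["host"], "time": m["time"],
            "route_id": route.group(1), "status": int(m["status"]),
            # An id parameter that disagrees with the path is the request shape quoted above.
            "id_mismatch": any(q != route.group(1) for q in query_ids),
        })
    return hits


def accepted_writes_by_route(hits):
    """Map route ID -> source addresses whose write was accepted (2xx)."""
    by_route = defaultdict(set)
    for h in hits:
        if 200 <= h["status"] < 300:
            by_route[h["route_id"]].add(h["host"])
    return dict(by_route)


if __name__ == "__main__":
    print(accepted_writes_by_route(find_rest_writes(SAMPLE_LOG)))
```

Compare each accepted write against the post's revision history and the addresses your editors normally use; several unrelated sources writing to the same route matches the multiple-attacker pattern seen in this incident.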

Securing WordPress sites into the future.

WordPress 4.7.2 was available for a while before the site was hacked. The problem was that the site hadn’t been updated.

The business owner told me that they log into the site about once a month to handle updates. However, this shouldn’t have caused an issue because since version 3.7 WordPress should automatically install security updates.

On inspection of the wp-config.php file I found the line:

define( 'AUTOMATIC_UPDATER_DISABLED', true );

It disables all types of automatic update, a practice that is strongly discouraged and directly contributed to this issue.

WordPress was initially installed with their host’s “1-click WordPress installer”. I assume this line is one of their customisations.

The fix was simple: remove this line. Doing so automates installation of minor updates for WordPress, and enables critical security patches for themes and plugins.

I also enabled automatic plugin and theme updates.

I strongly encourage businesses to enable at least these critical updates because it is clear from the number of hacked sites that many do not. It is also possible that sites installed with custom scripts (such as the 1-click installers that some hosts offer) do not use the default settings. I recommend checking the automatic update settings if you’re unsure.

More than just defacement: remote code execution.

The incident I described above was limited to the defacement of one post. However, the damage can be even worse if an attacker can successfully run code on the server, essentially giving them full control of your site.

Sucuri have monitored attacks that attempt to exploit sites that use plugins like Insert PHP and Exec-PHP, which enable PHP code to be embedded directly in posts for customisation.

As Sucuri state, plugins like those should not be used. Instead, PHP code should be limited to plugins and themes.

However that doesn’t stop hundreds of thousands of sites from using these plugins and therefore being vulnerable to this new wave of attacks.

Don’t let this happen to your business: Update your site.

If you’re still running WordPress 4.7.0 or 4.7.1 you should update right now and investigate the possibility of security breaches (especially if you use a plugin like Insert PHP or Exec-PHP).

This issue highlights the importance of having automatic updates enabled. In addition, having backups of both files and databases, and an established plan for restarting from one of those backups, is imperative for businesses who need to stay online.


At Zealous Digital we work with brands to tell their stories, building meaningful relationships with their audiences. This is achieved through digital marketing that has a strong focus on audiences and their problems.

If you’re starting or growing a business, contact us today to arrange a short, friendly chat to learn about how we can help.

How to build it and make them come. Great products, great marketing, and the fundamental problem.

Great businesses are built around great products.  

Just look at Google, they wouldn’t have had a chance at capturing the search market that they have today without being great at search. 

But what makes a product great? 

It all starts with the problem that the product solves.  

With Google Search that problem was finding answers to questions in a vast, ever growing set of information. The key? Relevancy. A measure that existing search engines fell short of. 

Google Search wasn’t the first search engine. Just like Facebook wasn’t the first social network. They succeeded because the solution that they provided was so much better than the competition.

So to build an awesome product, you need to have a relationship with your target audience and their problem. This relationship should play a fundamental role from product conception, through to marketing and iterative improvement. 

What comes next? Customers.

And how do you get those? By capturing their attention and directing it at your awesome product!

That’s marketing. And just as all great products address a need of a specific group of people, your marketing should address that need too. 

This is a common hurdle that businesses fall at time and time again. They get obsessed with their product and its features, so it comes as no surprise that a common approach to marketing involves obsessing over those features too. 

But that doesn’t work well. It’s akin to screaming “buy this now!”. 

So you need to take a step back to consider the origin of your product. You created it to solve a problem that a group of people have. It follows naturally that you need to build a relationship with that group of people, centred around their problem.

That’s where the plethora of marketing channels come into play. But you’ll notice that the underlying theme doesn’t change. Capture attention, build interest and desire, and then call to action. 

In the digital age we have access to amazing tools that allow us to develop deeper and more meaningful relationships with our audiences than ever before. The proliferation of social media allows brands to connect one to one with customers and prospects. It also affords us the ability to build laser targeted, multi-step marketing campaigns that resonate with your audience as if they were one to one interactions. 

This provides businesses with an amazing platform from which they can reach the specific audience who their solution was built to benefit. And despite all of the advancements in the tools available, the fundamentals of marketing stay the same. 

Next time you’re working on solving a problem, whether that be building a product, marketing it or something entirely different, try taking our approach: break the problem down into its fundamental parts and solve those. You’ll develop an efficient solution, targeted at the core of the problem you started with.

Achievable WordPress security measures — don't become the victim of an opportunistic attack

With all the press about WordPress sites being compromised, including cases of ransomware distribution and password stealing plugins, it is clear that security should be at the forefront of your mind when running a WordPress site. Fortunately the vast majority of attacks are opportunistic, making use of known vulnerabilities in WordPress, plugins and themes. A result of this is that basic security practices, such as using strong passwords and keeping software up to date, can thwart most attempts to hijack your site.

Keep your site up to date

Keeping WordPress, plugins and themes up to date with security patches is of paramount importance. The availability of security updates signifies the existence of a vulnerability that might already be being exploited in the wild, and the longer you leave your site vulnerable the more likely it becomes that you are targeted. To reduce the risk of attack you should update your WordPress installation, plugins and themes regularly, preferably as soon as the updates are available.  You should also limit your use of plugins and themes to those which are trusted and receive regular developer attention (if they stop being supported by their developers they should be replaced). 

WordPress is relatively easy to keep up to date. Since version 3.7 there has been an option to enable automatic updates, a functionality that streamlines the process for you by automatically installing minor and security updates. While this feature is enabled by default on new installations the use of a version control system such as Git will disable it. 

Next come plugins and themes. If you've stuck to using plugins and themes from the WordPress.org repository you'll be able to enable automatic updates easily by making use of an update plugin. While there are several options, Advanced Automatic Updates is widely used: you just have to install it, then navigate to the settings and enable updates for both plugins and themes. If you have used themes or plugins from other sources you will have to update those manually unless another solution is provided.

Further considerations

Backups. Software breaks, hardware breaks and ransomware exists, but what about your backups? Backups are essential for swift and cheap recovery from catastrophe. WordPress.org offer a good guide on manual site backups, however you may wish to automate the process, and for that we recommend UpdraftPlus. With UpdraftPlus you'll be able to schedule backups, restore from your backups easily and store your backups in cloud storage such as Dropbox or Google Drive. It is possible that an attacker who compromises your site would be able to retrieve the credentials to access the remote backup location (e.g. Dropbox) to remove or modify your backups, and therefore we recommend that you periodically download your backups so that you have trusted copies stored in a location which can't be accessed if your WordPress site is compromised. 

As with all passwords, your WordPress account needs to be secured with a strong password to protect against brute force attacks. Either use a password manager, or generate a random password of at least 16 characters in length. In addition to a strong password there are security plugins available which can further reduce the viability of brute force attacks. We recommend Wordfence as a great all-round security plugin which can be configured to provide lots of security benefits, including protection from brute force password attacks and two-factor authentication (with the premium plan). 

Your database credentials are stored in the file 'wp-config.php', which is generally found in the root of your WordPress installation and is therefore inside the folder served to the internet. This isn't usually a problem, but it is argued that moving this file out of your web-root folder can further reduce the likelihood of this file being compromised. This can be done by logging into your server and moving the file 'wp-config.php' from your WordPress installation root folder (where you find the folder 'wp-includes') up a single directory. In addition you should ensure that the file system permissions are set to either 400 or 440. You can read more about the benefits of moving wp-config.php on StackExchange.
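Both the automatic update setting and the wp-config.php permissions discussed in this article can be checked with a short script. The following is an added example, not part of the original article: it reads a wp-config.php file, reports the AUTOMATIC_UPDATER_DISABLED line described earlier on this page, and flags any permission bits beyond 400 or 440. The function name is hypothetical, and the check for WP_AUTO_UPDATE_CORE (a WordPress constant not mentioned in the article) is an addition.

```python
import os
import re
import stat
import sys

# Matches uncommented, single-line define() calls; constants inside /* ... */
# block comments are not filtered out by this simple pattern.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.MULTILINE,
)


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php file at `path`."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    constants = {
        m["name"]: m["value"].strip().lower() for m in DEFINE_RE.finditer(source)
    }

    # The line found in the incident write-up: switches off every automatic update.
    if constants.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: all automatic updates are off")
    # Assumption beyond the article: this constant set to false disables core updates.
    if constants.get("WP_AUTO_UPDATE_CORE") == "false":
        findings.append("WP_AUTO_UPDATE_CORE is false: core updates are off")

    # The article recommends mode 400 or 440; flag any bit outside owner/group read.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~0o440:
        findings.append(f"file mode is {mode:03o}; expected 400 or 440")
    return findings


if __name__ == "__main__":
    # Usage: python audit_wp_config.py /path/to/wp-config.php
    for finding in audit_wp_config(sys.argv[1]):
        print("FINDING:", finding)
```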

The security practices laid out in this article should help you move your site out of the pool of easy targets that hackers are compromising on a daily basis. Updating software and using strong passwords are two practices paramount for all computing, from your workstation to your phone. While the focus here has been on hardening your WordPress site, you also need to consider other attack vectors, such as the devices (think keyloggers and other malware) and networks (think surveillance) used to administer your site. For example, in many cases people don't use SSL (no 'https' in the URL; the connection isn't encrypted) to connect to their admin panel, and as a result computers on the same network could record login credentials. It is therefore important to administer your site through secure, trusted networks, and not through open public WiFi hotspots. Being 100% secure isn't practical and isn't the aim; taking practical steps to reduce risk will keep your site safe from many of the attacks that you are likely to face.

For further advice you can check out WordPress.org's Hardening WordPress and OWASP WordPress Security Implementation Guidelines (which are also useful, albeit dated in some areas). 

Need assistance with your website? Hire Us