Do You Need to Break Into a Locked Windows 10 Device? Ask Cortana


Are You Locked Out Of Your Windows 10 Device


June’s “Patch Tuesday” (June 12) is here, but it is likely many Windows 10 users have not yet applied these updates. If you have not, just be sure not to leave your laptop lying around! The patches in this cycle fix a code execution vulnerability using the default settings for Windows and the “Cortana” voice assistant. We’ll detail how this vulnerability can be used to execute code from the locked screen of a fully patched Windows 10 machine (RS3 at the time of our original submission, and confirmed on RS4 prior to this patch cycle). The vulnerability was submitted to Microsoft as part of the McAfee Labs Advanced Threat Research team’s responsible disclosure policy, on April 23. Attribution for this vulnerability submission goes to Cedric Cochin, Cyber Security Architect and Senior Principal Engineer.

In this post, we will address three vectors of research that have been combined by Microsoft and together represent CVE-2018-8140. The first of these is an information leak, but we’ll culminate with a demo showing full code execution to log in to a locked Windows device!

Using “Hey Cortana!” to Retrieve Confidential Information

Personal digital assistants such as Siri, Alexa, Google Assistant, and Cortana have become commodities in many technologically inclined houses. From telling jokes, to helping with the grocery list, to turning on the kitchen lights, these robotic voices are beginning to feel oddly more and more personal as they expand their roles in our daily lives. However, we should consider the increased risk of built-in digital personal assistants when looking at new attack vectors for laptops, tablets, and smartphones. Our research on Microsoft’s Cortana voice assistant began after reading about the “BadUSB” attacks demonstrated by industry researchers. We decided to take this a step further and ended up finding and reporting to Microsoft several issues related to Cortana.

If you have spoken with Cortana, you may have noticed that “she” is very helpful for a number of simple tasks: providing definitions, or looking up corporations, movies, artists, or athletes. She can even do math! In Windows 10, on the most recent build at the time of submission, we observed that the default settings enable “Hey Cortana” from the lock screen, allowing anyone to interact with the voice-based assistant. This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution.

We begin this analysis with a quick look into Windows indexing. If you have ever opened the advanced view of the Windows Indexing control panel, and navigated to the File Types tab, you will see a long list of file extensions. For each of them you will find details about the associated filter used by the indexing process. Essentially you have the “file properties filter” and several other filters that could all be summarized as “file properties and file content filter.”

This means the index process will crack open the files and index their content, including some strings present in these documents. Let’s keep that in mind for later as we continue.

Using this knowledge, we wanted to try to access the same menu that you would see when using a Cortana search on an unlocked device.

This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu, as shown below:

On top: the result of typing “pas” in the Cortana search field on an unlocked computer. Above: the result of asking “Hey Cortana, P A S” and using a whitespace keyboard sequence.

In the preceding example, we queried Cortana for the term pas, no preamble to the question, just speaking the three letters, P. A. S. Why not “pass”? Because Cortana can be quite picky with verbal statements and there is no dictionary definition for “pass,” leading to Cortana inviting us to continue in Edge after unlocking the device. Alternatively, instead of issuing a verbal statement, we could click on the “tap and say” button and just start typing this text, for example.

We now have a contextual menu, displayed on a locked Windows 10 device. What could go wrong?

Remember that all the results presented by Cortana come from indexed files and applications, and that for some applications the content of the file is also indexed. Now we can simply hover over any of the relevant matches. If the match is driven by filename matching, then you will be presented with the full path of the file. If the match is driven by the file content matching, then you may be presented with the content of the file itself.

Keep in mind that the entire user folder structure is indexed, which includes the default location for most documents but also for mappings like OneDrive.

Example of data leakage using voice command with Cortana and the whitespace keyboard sequence.

Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device.

Code Execution from the Windows Lock Screen (User Interaction May be Required)

Next, we asked the question: Could we go a step further and get code execution in the context of the authenticated user? Remember we are using only a combination of voice commands and mouse/touchpad/touchscreen to gain access to the contextual menu at this point. We observed that just by hovering over a file, the full path or content of the file would be displayed. What happens if we were to click on it? That depends on the target. If the file being opened is an application or an executable (such as notepad or calc.exe), the file will run and be accessible only after the user properly logs in. If it is a document, script, or text file, it will be opened by an editor instead of being executed. At this point we can execute various preloaded Windows utilities such as calculator, but we cannot pass any parameters to the command line. We can open scripts including PowerShell, but instead of being executed, they will be opened in a text editor (notepad). The lack of parameters is a limitation for a “live off the land” attack, which uses current tools and content to achieve a malicious purpose; however, there are plenty of malicious activities that could be performed even with these restrictions. For example, many uninstallers will happily remove software without any need for parameters.

Let’s return to our goal: code execution from the lock screen. The only requirement for something to show up in the contextual menu is for it to be indexed.

Public folders indexed by default.

There are multiple ways for an unauthenticated attacker to get results to show up in the index of an authenticated user. One method relies on OneDrive. As the root of the OneDrive directory structure is in the user folder, all the OneDrive content is indexed by default. Basically, if you ever share a folder or file with “edit” rights, the person you share it with, as well as any other recipients of a forwarded link, can now drop a file that will be indexed. With the file indexed we have multiple options to proceed.

Option 1: Drop an Executable File

This method assumes you can write an executable file to the disk; it does not require you to have executed it. Via a phishing attack or another vulnerability, an attacker could drop a backdoor (for example, Cobalt Strike Beacon or Meterpreter) and be in business. If you need to execute the payload as an administrator, you can simply right-click (for a touchscreen this is a longer-hold screen press) and select “Run as administrator.”

When running applications that do not have the Auto-Elevate Privilege, you will trigger a user account control (UAC) prompt and nothing will execute. This could still result in a valid attack because users rarely check the content of the prompt and often proceed through the warning dialog box. The attacker would have to execute the program, and then wait for the authenticated user to log in and finish the job. If the application has auto-elevate privileges, there will be no UAC prompt and the application will execute at high integrity.

This is interesting behavior, but on its own not a very likely attack scenario, so let’s continue to explore our options. Why not simply use a USB key to drop the payload because we have physical access? The content of the USB key is not indexed, so it would not be presented as a result of the search query (although there are other ways to use a USB device; see below).

Option 2: Drop a non-PE Payload

Portable executable (PE) backdoors are great, but can we gain execution with a non-PE payload, for example, a PowerShell script?  We can use the same right-click capability to assist, but with a small twist. The right-click menu is not always the same, even for a given file type.

When you ask Cortana about “PS1,” you will be presented with your indexed PowerShell scripts. A right click will allow you to “open file location” or “copy full path,” but with no means of execution.

If you click on the file as we already mentioned, the file will open in edit mode. Curiously, it will not open the default editor (PowerShell ISE) for PowerShell scripts; instead, it will open the script in notepad. We assume this was intended as a security measure because notepad cannot execute scripts, unlike PowerShell ISE.

The default right-click menu for PS1 files.

Remember we mentioned that Cortana changes results based on your input query? When properly logged in, if you ask Cortana about “txt” using the query “Hey Cortana” followed by the letters “T,” “X,” “T,” she will present you with text documents, Notepad, and the most recent documents open by Notepad. Yet the right-click menu for items in the Recent category is different than the right-click menu for the same item in the Documents category.

At top: the context menu for a Recent item; above: the context menu for a Document item.

We follow a three-step process:

1. Land a PowerShell script in a location that will be indexed
   - Public folder, public share, or OneDrive
2. Execute a search query that will show the document and click on it
   - “Hey Cortana, PS1”
   - Select the PowerShell script you just indexed and left click
   - The PowerShell script opens in Notepad
3. Execute a search query that will show the recent documents, right click, and…
   - Using Cortana, type or search in the contextual menu for “txt”
   - Right click on the PowerShell script in the Recent category under the Apps tab at the top (not Documents)
   - Click “Run with PowerShell”

“Run with PowerShell” right-click menu option for Recent items.

We now have local code execution with the payload of our choosing, without any exploit, even if the device is encrypted, on an up-to-date locked Windows 10 device.

This technique helps us understand some of the differences between apps, documents, extensions, and the way Windows handles them from a locked or unlocked screen. Yet it probably does not represent much of a real-world attack vector. Then again, we are not finished.

Logging into a Locked Device with no User Interaction

Finally, we have local code execution, but with some real limitations. We need to get our payload indexed but we cannot pass command-line parameters. This could be a limiting factor for our PowerShell attack vector because the execution policy may prevent its execution, and without command-line parameters we cannot pass an “-ExecutionPolicy Bypass” (or any other flavor). We would also have to find a way to land a PS1 script on the victim’s box, and have remote access to the physical machine or the login screen.

The techniques we have described so far are far too complicated compared with the simplicity and effectiveness of what comes next.

You recall the use of the keyboard-timing sequence to trigger the contextual search menu from a locked screen while querying Cortana. Any keystroke can trigger the menu from the time when Cortana begins to listen to when the answer is displayed. Press any key at this point; we like to use the spacebar because you cannot backspace and Windows will nicely ignore or trim out the space in its text results anyways. Invoke keyboard input too early or before Cortana is listening and you will be prompted to enter your password; invoke too late and Cortana goes back to sleep or returns normal results without a context menu.

It is not very intuitive to use the keyboard in addition to voice commands, but you can type your search the same way you do on an unlocked device, assuming that you triggered Cortana to listen.

The following screenshot demonstrates this behavior:

- Trigger Cortana via “Tap and Say” or “Hey Cortana”
- Ask a question (this is more reliable) such as “What time is it?”
- Press the space bar, and the context menu appears
- Press esc, and the menu disappears
- Press the space bar again, and the contextual menu appears, but this time the search query is empty
- Start typing (you cannot use backspace). If you make a mistake, press esc and start again.
- When done (carefully) typing your command, click on the entry in the Command category. (This category will appear only after the input is recognized as a command.)
- You can always right click and select “Run as Administrator” (but remember the user would have to log in to clear the UAC)

You can use the following example of a simple PowerShell command to test. Enjoy the soothing beeps that demonstrate code execution from a locked device.

What can we do at this point? You name it. Our demo shows a password reset and login on a Windows 10 build, using only this simple technique.

The easiest mitigation technique, in the absence of patching the device (which we strongly recommend), is to turn off Cortana on the lock screen. This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140.
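
The mitigation above can be checked and applied from an administrative PowerShell session. The script below is an added example, not part of the original post: it reports whether Cortana is reachable from the lock screen for the machine and for each loaded user profile, and with -Enforce writes the machine-wide policy. The registry locations (the "Allow Cortana above lock screen" policy value and the per-user Settings toggle) are not named in the post, and treating an unset per-user value as enabled is an assumption based on the defaults the post describes.

```powershell
# Added example (not from the original post): report whether Cortana is reachable
# from the lock screen, and optionally apply the machine-wide policy that blocks it.
# The registry locations are the Group Policy value and the per-user Settings
# toggle; the original post does not name them.
[CmdletBinding()]
param(
    [switch]$Enforce   # write the policy value; requires an elevated session
)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyValue = 'AllowCortanaAboveLock'                  # 0 = Cortana blocked above lock
$UserSubKey  = 'Software\Microsoft\Speech_OneCore\Preferences'
$UserValue   = 'VoiceActivationEnableAboveLockscreen'   # 0 = user turned it off

function Get-RegDword {
    # Return the DWORD as an int, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-CortanaLockScreenState {
    $policy       = Get-RegDword -Path $PolicyKey -Name $PolicyValue
    $policyBlocks = ($policy -eq 0)     # an unset policy does not block anything

    [pscustomobject]@{
        Scope   = 'Machine policy'
        Account = '(all users)'
        Value   = $policy
        Exposed = -not $policyBlocks
    }

    # Only hives of currently loaded profiles appear under HKEY_USERS.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid   = $_.PSChildName
            $value = Get-RegDword -Path "Registry::HKEY_USERS\$sid\$UserSubKey" -Name $UserValue
            try {
                $account = ([Security.Principal.SecurityIdentifier]$sid).
                    Translate([Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid         # orphaned profile: keep the raw SID
            }
            [pscustomobject]@{
                Scope   = 'User setting'
                Account = $account
                Value   = $value
                # Assumption: an unset per-user value is treated as enabled,
                # matching the default behaviour the post describes.
                Exposed = (-not $policyBlocks) -and ($value -ne 0)
            }
        }
}

if ($Enforce) {
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = @(Get-CortanaLockScreenState)
$state | Format-Table -AutoSize

if ($state | Where-Object { $_.Exposed }) {
    Write-Warning 'Cortana is reachable from the lock screen for at least one scope.'
    exit 1
}
```

The non-zero exit code lets the script serve as a compliance check in a login script or configuration-management run; the registry setting is a stopgap and does not replace installing the June update.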

This concludes our examination of Cortana (at least for now). The McAfee Advanced Threat Research team has a fundamental goal of eliminating critical threats to the hardware and software we use; this month’s patch is a clear step toward furthering that goal. The attack surface created by vocal commands and personal digital assistants requires much more investigation; we are just scratching the surface of the amount of research that should be conducted in this critical area.

A team of several independent researchers also discovered and disclosed this vulnerability around the time of our submission. Additional credit for this discovery goes to: Ron Marcovich, Yuval Ron, Amichai Shulman and Tal Be’ery. Their names are also on the Microsoft disclosure page.

The post Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140) appeared first on McAfee Blogs.



Indexing Sites For Conferences Large Site Crawl Paths

Internal Linking

Internal Linking And Indexing Sites For Conferences

Posted by Tom.Capper

By now, you’ve probably heard as much as you can bear about mobile first indexing. For me, there’s been one topic that’s been conspicuously missing from all this discussion, though, and that’s the impact on internal linking, indexing sites for conferences and previous internal linking best practices.

In the past, there have been a few popular methods for providing crawl paths for search engines — bulky main navigations, HTML sitemap-style pages that exist purely for internal linking, or blocks of links at the bottom of indexed pages. Larger sites have typically used at least two or often three of these methods. I’ll explain in this post why all of these are now looking pretty shaky, and what I suggest you do about it.

Quick refresher: WTF are “internal linking” & “mobile-first,” Tom?

Internal linking is and always has been a vital component of SEO — it’s easy to forget in all the noise about external link building that some of our most powerful tools to affect the link graph are right under our noses. If you’re looking to brush up on internal linking in general, or even indexing sites for conferences, it’s a topic that gets pretty complex pretty quickly, but there are a couple of resources I can recommend to get started:

- This top-level Whiteboard Friday from Rand
- This 30-minute audit guide from me

I’ve also written in the past that links may be mattering less and less as a ranking factor for the most competitive terms, and though that may be true, they’re still the primary way you qualify for that competition.

A great example I’ve seen recently of what happens if you don’t have comprehensive internal linking is (Disclaimer: eFlorist is not a client or prospective client of Distilled, nor are any other sites mentioned in this post)

eFlorist has local landing pages for all sorts of locations, targeting queries like “Flower delivery in [town].” However, even though these pages are indexed, they’re not linked to internally. As a result, if you search for something like “flower delivery in London,” despite eFlorist having a page targeted at this specific query (which can be found pretty much only through use of advanced search operators), they end up ranking on page 2 with their “flowers under £30” category page:

Indexing Sites For Conferences Internal Linking


If you’re looking for a reminder of what mobile-first indexing or even indexing sites for conferences Large Site Crawl Paths is and why it matters, these are a couple of good posts to bring you up to speed:

- General guide to mobile-first indexing, by my former colleague Bridget Randolph
- How mobile-first indexing disrupts the link graph, by Russ Jones

In short, though, Google is increasingly looking at pages as they appear on mobile for all the things it was previously using desktop pages for — namely, establishing ranking factors, the link graph, and SEO directives as well as internal linking for indexing sites for conferences. You may well have already seen an alert from Google Search Console telling you your site has been moved over to primarily mobile indexing, but if not, it’s likely not far off.

Get to the point: What am I doing wrong?

If you have more than a handful of landing pages on your site, you’ve probably given some thought in the past to how Google can find them and how to make sure they get a good chunk of your site’s link equity. A rule of thumb often used by SEOs is how many clicks a landing page is from the homepage, also known as “crawl depth.”

Mobile-first indexing and indexing sites for conferences impacts this on two fronts:

- Some of your links aren’t present on mobile (as is common), so your internal linking simply won’t work in a world where Google is going primarily with the mobile-version of your page
- If your links are visible on mobile, they may be hideous or overwhelming to users, given the reduced on-screen real estate vs. desktop

If you don’t believe me on the first point, check out this Twitter conversation between Will Critchlow and John Mueller:




This Is How to Design Your eCommerce Site for More Conversions

Website Design And eCommerce

To increase conversion rates on your ecommerce website, no part of the user journey can be overlooked. From that initial landing page through checkout, every step a user takes on your website needs to be carefully designed with that final purchase in mind. But building a user path that successfully balances an enjoyable shopping experience with a clear path to conversion is easier said than done.

To help you design a more delightful and intentional conversion path on your ecommerce website, we’ve put together a list of some best practices.

1. Clear Purchase CTAs

Having a clear call-to-action (CTA) is essential to convert website traffic into sales. It’s what turns a visitor into a customer in the shortest amount of time possible. Most CTAs are typically a ‘Buy Now’ or ‘Add to Basket’ style button which stands out from the rest of the page to grab the visitor’s attention and encourage them to click — this can be done by using contrasting colors or design elements.

The wording of the CTA should be kept short and sweet. Phrases such as ‘Buy Now’, ‘Add to Cart’, ‘Checkout Now’, etc. work best. Put simply, the CTA should align with the visitor’s interest; someone on the product page is interested in clicking ‘Buy Now’, whereas someone on a content page will be interested in ‘Reading More’.

You might also want to consider creating a sense of urgency on your ecommerce site. It has been proven that when users feel a sense of urgency when shopping online, conversion rates can increase by up to 332%. This can be done simply by changing the way you word your CTAs — for example, changing ‘Shop Here’ to ‘Shop Now’ could make the difference in pushing the visitor to check out.

Below, you can clearly see how the CTAs stand out from the background.

If the eye is drawn, so is the cursor.


2. Simple, One-Click Checkout (For Guests Too)

Although adding clear CTAs to get visitors to add items to their cart is a good step toward better conversion rates, there is another step which can increase them even more.

By adopting a similar checkout process to Amazon with a one-click checkout process, you can skip the ‘add to cart’ step and have visitors check out quickly and efficiently on the product page. Amazon recently lost their patent for the one-click checkout process, so you are able to implement this onto your own website.

According to a recent blog by Magento, shortening the checkout process to one-click allowed visitors to place an order in 10% of the time it takes in a conventional method, which is a big factor in the percentage of abandoned carts — when visitors simply abandon the checkout process because it takes too long.

If we look at the top five reasons for ecommerce cart abandonment we can see that by eliminating the extra steps required in a traditional checkout process, we will significantly increase the chances of checkout conversion. A recent article by eMarketer reported that just under 75% of shopping carts are abandoned, and even more for mobile users.

Even if you do not want to implement a one-click checkout, it is critical you streamline the checkout process as much as possible by requiring the very minimum data input from the user — Amazon does an excellent job of this with their one-click checkout system, and a well-recognized CTA.



3. Greenbar SSL

It has been shown that shopping cart abandonment dramatically decreases when you display the greenbar SSL on your website. Here is what they look like on different search engines:


The greenbar SSL is essential when conveying a trustworthy and reputable website, as it is something that all major ecommerce sites should have. It is not only a visual cue to the potential customer, but also an important security aspect as well.

Having a greenbar SSL encrypts the visitor’s payment information, which makes it harder for hackers and scam artists to steal their information. Simply put, users do not want to purchase from an unsecure website — the large red X with an unsecured padlock can be a real barrier to converting visitors into sales.

Even Google has started to include SSL certified websites in their SEO ranking, offering up to a 5% increase (a very cheap and easy way to bump up your SEO score).

In a recent test by Blue Fountain Media, two forms were created on their website. One showing a Verisign seal (the right hand side image) and the other without (left).

Through testing they found a 42% increase in conversions on the form containing the Verisign seal, demonstrating that visitors are more inclined to share personal data and convert when they are confident that it is secure.

4. Payment Methods (Visible with PayPal)

There are currently over 200 different ways to pay online that aren’t reliant on a card, including direct debit, bank transfers, digital wallets, e-invoices, digital currencies (such as Bitcoin) and many more.

It is essential to cater to this market when designing your ecommerce website, especially when we consider that these types of transactions are predicted to be over half of all ecommerce payments by 2019, according to a report by Global Payments.

Although it is impossible to have over 200 different payment methods on your website, it is important that you understand your target market and are able to offer payment methods best suited for them. For example, a clothing website where the average spend is £50 may benefit from offering mainly credit and debit card-style payments, whereas a website such as may want to push finance more — as the value of the products being sold is significantly higher.

By providing the top three payments methods in your sector, you can expect to increase your conversion rates by 30% alone. However, it is not as simple as setting your payment methods and forgetting about it — you must analyze the data received from your customers’ checkouts on each payment method and be ready to adjust and tweak them accordingly.

Overclockers does a great job of this by showing all their available options to buy in the product description, and near the CTA.

5. Product or Company Reviews

Reviews are one of the most powerful tools to convert any interest in your product to a sale. Visitors want to hear from other buyers, not only if the product they are interested in is actually any good, but also about the service they received from your website.

By showing reviews directly next to or below the product, you are demonstrating instantly that you are a trustworthy seller. It has been shown that customer recommendations drive between 20% and 50% of all purchasing decisions and that 87% of people believe the reviews they read online on products and services.

It all comes back to reassuring the customer. Without reviews, the customers might ask themselves questions about your website: Why are there no reviews? Is this a genuine site?

Websites such as and Amazon give customers opportunities for instant feedback on the quality of a product or service, so much so that when it is not shown it can cause concern and worry for potential customers, thus hurting conversion rates.

Again, Amazon leads the way with reviews — it’s the first thing you see when searching for a product, and gives you an instant indication of a product’s quality.

6. Well-Selected Imagery

Excellent photography of either the product or service you are selling is pivotal when trying to push more sales on your ecommerce website — as the old saying goes, ‘a picture is worth a 1000 words’. We’ve written on this very subject and its importance in all sectors.

Humans by their very nature are visual beings. We often look at pictures and graphic elements before reading the information about a product — it is what initially grabs our attention. You need to ensure you have the best possible photos of your product, as well as a good range of images covering all angles and details. This gives the buyer confidence in what the product is, the quality, and what they are to expect when they receive it.

On the other hand, if you have low quality pictures, no zoom function, and a lack of detail shots, you can leave your potential customer anxious, asking themselves if you perhaps have something to hide? Maybe the product is fake? Why are the images bad quality? These are all enough to potentially deter a visitor from converting.

Data shows that visitors don’t actually read the information on your websites, just 16% of readers will actually go through the entire page and read it word for word, while over 75% will just skim for snippets of information and photographs.

It is also worth noting that by creating good quality images you have more chance of them being shared on social media. Studies show that 74% of people rely on their social media networks for information about purchasing decisions.

7. Mobile Optimized

Over 50% of all web traffic is now mobile. With this number increasing drastically year over year, it is essential that your ecommerce site is mobile friendly.

In 2015, Google officially declared that mobile searches outnumbered those on desktop. When you consider that mobile shopping carts are abandoned much more than on desktops, users abandon websites if they don’t load in under three seconds, and users want to check out quickly while on the move, you’ll quickly realize it’s critical your website is optimized for mobile. A mobile-optimized website will lead to a massive uptake in conversion rates.

Having a simple checkout process is even more important on mobile than it is on desktop. Users are working with a significantly smaller screen, so the less distractions the better. Keep it simple. Users want to add the item to their cart, pay, and get out. This can be done by stripping back any unnecessary elements for mobile and directing the user down a simple and easy to follow path towards checkout.

It is also important to remember the unreliable nature of phone data. With phone signal dropping in a split second reducing users download speeds to a snail’s pace, it is imperative that your mobile optimized site has the smallest possible page size, meaning fast load times even on a slow internet connection. Simple steps like this can make the difference between converting sales on mobile and not.

8. Concise and Effective Product Descriptions

Product descriptions are a key tool in your ecommerce selling arsenal. Without effective product descriptions that sell the product to your customer base, you are losing out on click-through rates and purchases.

Having a boring or unclear product description isn’t going to cut it — your customers will switch their attention off and won’t be interested in purchasing. That’s why it’s vital to focus on your ideal buyer and target them personally, with words and descriptions that relate to them — doing this gives your customer a sense that you understand their wants and needs, which ultimately makes them feel more confident in choosing to purchase from you.

While we’re talking about instilling confidence in your customers, it is crucial to avoid using cliché phrases such as ‘excellent quality’, ‘genuine’ etc. These are all things that your customer should already know by your excellent product photos, slick website, and efficient checkout process that we have already covered. Trying to convince your potential customer that your product is ‘excellent quality’ gives the impression that you might have something to hide and are trying too hard to convince them what you’re selling is indeed good quality.

Above all, the most important factor to consider when writing your product descriptions is to keep it concise. As we mentioned earlier, users of your website will skim read and anything longer than a few lines is either going to get ignored or skipped over. If you do have a large amount of information that you need to convey to your customer, you might consider hiding it behind a ‘read more’ button or cutting it down in easy-to-digest bullet points.

Overclockers does really well with their product descriptions — although they aren’t the most personal. They are concise and to the point, but also offer tons of information (if you want it) by scrolling further down the page.

9. Minimal Layout

Creating an easy to follow and cohesive journey from homepage to checkout is one of the most important factors when looking at bounce and conversion rates, as a study by EyeQuant showed websites that adopt a cleaner look (more white space, bigger images, less text etc.) saw significantly less bounce rate and higher conversion rates than those that had a more complicated website.

While it might seem daunting to think about redesigning your ecommerce site to be more minimalistic, it is actually relatively straightforward if you follow a few simple rules:

  • Focus on product imagery with fewer design elements and distractions on product pages.
  • Direct your customers to the add to cart, purchase or checkout with large CTA buttons that stand out.
  • Test your website. This is often forgotten, but it’s crucial you make sure your checkout process is as slick on your brand new iMac or iPhone as it is on a five year old desktop PC running Internet Explorer or an old smartphone.
  • Limit your colors. Again, the fewer distractions the better. Get your user focused on the product itself, then onto the checkout button.

Less is more. If the product page still works without it, then lose it. It’s all about focusing the customer towards the end goal: checkout!

If you follow these four steps to rework your product pages, you will see a significant increase in checkout completion and a drop in bounce rates.

70% OFF Website Hosting Cost From Siteground

70% Off Siteground Hosting Packages Ends Soon 

This is a friendly reminder that our big Back to Business Sale is in effect until September 9th. All new clients can get great web hosting deals at up to 70% off! Hurry while it lasts.

Is your website hosting speed losing you customers, and are you paying a high website hosting cost? A slow loading site can truly influence your customer retention and sales of your products/services. There are many factors that slow page speed, but the main one is your hosting account.

Siteground is a leading website hosting company with lightning fast servers no matter what level your account is on. They endeavour to bring fast site speed to their customers because they know how important this asset is for marketers and website owners. Their website hosting cost is the best you will get anywhere, and right now they are having a sale for 70% off the cost of whatever package you purchase, which is unheard of until now. Not only are they the best priced hosting company around but now they are giving deals of 70% OFF. WOW!

Since I have been using Siteground my sites have been more stable and faster than ever before, and some of my sites are over ten years old, so I do know lots about hosting and hosting companies. Not only is their website hosting cost truly affordable, but Siteground also has the best support I have ever come across. No waiting around for your ticket to be answered in 24 hours or so but INSTANT 24/7 service via their chat support, which has allowed me to really get things done. The longest I have ever waited for support is about two minutes and that was a long wait. They will help you with almost anything that your site requires within their scope.

Don’t miss out on their super 70% OFF sale, which is only for a short time, and lock in your hosting for the next year or so. I know I will be.

Here’s the link to Siteground’s super 70% OFF sale below.




Here’s A Little Info About This Fantastic Hosting Company And Their Website Hosting Cost

  • SiteGround has three plans, and one can sign up for any of them with a great 70% discount as we speak
  • The StartUp plan is perfect for people with one website who are starting now
  • The GrowBig plan is a great value for money offer, including the option for multiple websites and the SuperCacher that greatly improves WordPress and Joomla website speed
  • The GoGeek plan is perfect for people with e-commerce and larger sites, or more geeky development needs like staging and Git integration

We load websites faster!


The results below are based on tests with real accounts on 12 of the most popular web hosts on the market: Bluehost, HostGator, iPage, Fatcow, Justhost, AsmallOrange, InMotion, WebhostingHub, Arvixe, GoDaddy, GreenGeeks and A2Hosting.

Loading speed

  • Industry average loading time: 4,7 sec
  • Our loading time without cache: 1,7 sec
  • Our loading time with cache: 1,3 sec

We have used Pingdom to test the loading time of identical WordPress websites hosted on the 12 different hosting companies. The faster loading result for SiteGround was achieved with the SuperCacher switched on for the website.

We can handle more traffic!

  • Industry average hits handled: 2852
  • Without cache we handle 3 times more: 8276
  • With cache we can handle: over 230 000

Apart from loading speed, we have tested how many hits can be successfully handled in two minutes by each of the 12 accounts with the same test WordPress website. The test was done with the help of the Siege testing and benchmark utility. The higher number of handled hits by SiteGround was achieved with the SuperCacher switched on for the website.


  • The GoGeek plan is perfect for people with e-commerce and larger sites, with low website hosting cost compared to other hosting companies and more geeky development needs like staging and Git integration

Step 2. Choosing Domain

Clients can choose to buy a new domain, or sign up with an existing domain. With the GrowBig and GoGeek plans, clients receive a free website transfer, which is included in these two plans.

Step 3. Review and Complete

Unlike many other hosting providers, our advertised discount applies to any of the initial periods chosen during the sign up process. Being able to get the low price for the one year period is a fact that increases conversions greatly in comparison to other providers, where the lowest monthly price applies only for the longest period. So highlighting this fact may strongly increase your conversions.


