So the point of this episode is taking 30 minutes today to implement just a few free or super low cost solutions that can save you days and days of lost productivity.
00:52 Nanci: What are we talking about today? We are going to talk about security. We are going to talk about web security, personal security, sort of not personal security but more online security, not self-defense but online hygiene or digital hygiene. I'm going to kick it off with a bit about WordPress. From episode nine, if you recall, we have that tutorial, slashpodcast.com/web-series, and we built an entire website, and one of the things that I wish I had had time to include was a bit about WordPress security.
01:50 Julian: And I think it's timely; remember there was this massive ransomware attack from the virus called WannaCry. This episode is about having a healthy dose of paranoia when it comes to your digital hygiene, because unfortunately there are far more hackers out there than there are security experts, looking to exploit open vulnerabilities on your network, your computer and your website, and those vulnerabilities are everywhere.
02:26 Nanci: So the point of this episode is taking 30 minutes today to implement just a few free or super low-cost solutions that can save you days and days of lost productivity. If you've ever lost a website to being hacked and you haven't had an appropriate backup, you know what I'm talking about. If you've had to hire a developer or a company to do a professional restoration of your website, it can be very expensive. So we are going to give you a few tools today. First, some stats. According to a recent paper from WP White Security, 41% (this is WordPress websites, and don't forget 27% of the world's websites are powered by WordPress), so 41% of the hacked WordPress websites were hacked through a security vulnerability on their hosting platform. So actually, no fault of their own, of the WordPress website, or a weak password, nothing like that; it was the actual hosting company that they were using that had a weak spot. We will talk about that in a minute. 29% were hacked via a security issue in the WordPress theme they were using; we are going to talk about that as well. If you remember from the web series, we installed a WordPress theme for our hypothetical copywriter Jenny Jones, and we chose an absolutely top-of-the-line premium WordPress theme. So we would not have been one of that 29% hacked for a weakness in our theme. 22% were hacked via a security issue in the WordPress plugins that they were using. If you are not familiar with WordPress, it's this open source platform, and it's pretty bare bones, and there are thousands of plugins, but usually people probably use maybe between 10 and 40. They can add more functionality or some design. People use plugins for different reasons, and for various reasons plugins get updated, either to make their functionality better or to patch a security breach. And so what they are saying here is 22% were hacked via a security issue in a plugin, and that could be for one of two reasons. One, the plugin itself was not a great plugin.
The developer didn't take the time to make sure that it was secure. Or, commonly, what happens is you get a WordPress website delivered to you and you don't update your plugins. I've had so many clients come to me and say, can you help me, my website stopped working, and I go in, and it's like, well, you haven't updated your plugins in 19 months; it's just an accident waiting to happen. So what I suggest you do for plugins is set a calendar reminder, even once a month, so that you can go in and click one button, update all plugins, and then it's just done, cross it off your list and you're safe and secure again. Last but not least, 8% were hacked because they had a weak password.
06:10 Julian: Just in terms of what you mentioned in the beginning, having a backup of your data, whatever that data is, is a simple, easy win. That's as simple as making a copy on a separate hard drive, a duplicate copy of all your data. Ideally, you have a copy both physically present in your home and in the cloud through a service like Dropbox. Referencing back to these topical events like WannaCry, the way it works, it would come in, and it would just hold your files ransom. It would hijack, let's say you have a hard drive plugged in to your computer where all your family photos are sitting, for example; it could infect that hard drive and lock you out of accessing your photos, so you had to pay. So, having a healthy dose of paranoia, I always unplug and eject my hard drives, and I keep duplicate copies of everything I do because of a complete fear.
08:44 Nanci: I just want to start at the top, which is your choice of hosting company. We've recommended SiteGround in the past; there are other good companies, but what I want to advise you to do is choose one of the top 10 companies, ones like WP Engine, Media Temple, and SiteGround. I'm not going to say who the bad ones are, but they are the ones that you see everywhere: $3.95 a month, first year free, unlimited email. You get what you pay for, and when it comes to hosting and security and uptime, it's not where you want to save money. So you can expect to pay between 10 and 30 dollars a month for quality hosting, and that's usually for up to 5 websites. So WordPress.org is like a foundation, because WordPress is open source, it's free. What you can do is go to WordPress.org, and they will have a list of hosting companies that they've sort of rubber-stamped for approval. They have done all the homework for you; they have determined that this is a great hosting company that has good security and is optimized specifically for WordPress websites, which is also important. SiteGround meets all of those requirements. I've been using SiteGround for the nine websites that I host for the last 18 months, and I have been so happy: the uptime is great, the security is great, the customer service is great, and just great. I will put a link to that in the show notes if you're interested in learning more about SiteGround. Next, if you followed along with the web series, after you secure your URL, like your new domain JennyJonesCopyWriter.com hypothetically, and you install WordPress on your new hosting account at SiteGround, you want to install a WordPress theme. And what you don't want to do is go to a big marketplace, I think it's called ThemeForest, and find a theme that you like with no consideration of the history of the developer, whether the developer is committed to the theme for decades.
When you customize a theme, it can cost you hundreds of dollars or more for design customization, structural changes and all kinds of different custom choices that you make, and if the theme stops working and the developer stops supporting it, you have to start over from scratch with a brand new theme. I've seen that happen to clients, and they start reaching out to the developer for support and the email bounces back; there's just no sign of that developer anymore. So when you are choosing a WordPress theme, you want to choose a reputable WordPress theme provider. Here at slashpodcast we recommend Genesis themes by StudioPress. Of course, there are other companies that do premium themes, so my point is just do your research and make sure that the theme that you choose is from a quality web developer, a theme provider who's going to keep that theme updated, both for security and along with new WordPress updates. Also, you need to go in there to your dashboard, and when you have set your monthly reminder to update your plugins, you're going to update everything. If WordPress needs to be updated, you update it; if your theme needs to be updated, if your plugins need to be updated, you are going to do everything all at once, once a month, and you're going to be probably safer than 60% of the websites out there, because most people do not update their plugins on a regular basis. I know this next one is going to sound obvious, but for your username and password to log in, don't have it be something simple. For years and years the auto-generated username at WordPress was "admin" and they wouldn't let you change it; it was insane. You had to install a separate plugin, and this is an example of what plugins do; you had to install a plugin that would let you override it. So at some point they woke up, and not only do they not assign an auto-generated username, but they advise you and almost push you to use a safe, complex username and password.
Moving on, there are all sorts of little small things that you can do in the code of your WordPress website to make it safer and more secure, but some of those changes are technical. You have to go deep into the code, into PHP, and one wrong character and you've messed up your whole website, and you have to hire someone to help you fix it, trust me. So what do we have? We have all-in-one security plugins: you install a plugin, and you set your parameters to the recommended settings, and it's going to take care of probably 90% of all of those small little changes; it's going to take care of them for you. Of course, WordPress security is a thing, which is why we are talking about it. As you can imagine there is more than one choice; there are several choices. I don't want to overwhelm you with choice. I will tell you that iThemes Security is the most downloaded security plugin on the internet, and it's excellent. There is a free version which is just fine, and then there's a premium version which has an even more advanced layer of protection. I can tell you that I installed the free version of iThemes Security on my five websites yesterday, and I'm happy that I did. Two other options that came up several times in my research are Wordfence and BulletProof Security; again, both of those have free and premium versions. So just choose one of them, and you're going to be just fine. All right, next, you want to have a backup. So it's one thing, like Julian was saying, for sure, if you've got family photos, you're going to put them onto Dropbox or a terabyte hard drive offsite, or both, but how do you back up a WordPress website exactly?
16:29 Julian: I learned this lesson the hard way about a year and a half ago when I was about to start a contract in California, and I got an email from Gmail that said your site had been hacked, and at first I thought it was a spam email because it looked like a spammy email. I opened up the email, and it proved to be a legitimate email from Google telling me that my site had been hacked, and for the time being, any time a visitor would go to my site they would get a big security warning. Which of course means that nobody will bother clicking on the link, and my website being the primary means through which I get new clients, this was a terrifying moment for me, and I was completely unavailable, lacking both knowledge and time and availability to try to actually address the problem, and furthermore I did not have a backup. So in one panicky phone call to my WordPress hosting company, I managed to get the security fixed. It was a fee-based service, which at that point frankly I would have paid whatever, because I was terrified that my site was not only going to crash, and what if I lost it all? There are years of blog posts and content that I've created that I should have backed up, but I hadn't. I realized how foolish I'd been, but luckily it was salvaged.
22:16 Nanci: So be smart, back up. What I should have done is like what Julian does: not just Dropbox, which I've done now; I have, I think it's called a My Book, it's one terabyte of extra storage, and I keep it in a fireproof safe. We are laughing here, but I hope you can tell it's not funny, it's not funny at all; it's quite dangerous when you lose your website, a client's backup or anything, and it is so simple just to take a few easy steps in advance to protect yourself.
23:39 Julian: And just on that note on protecting yourself, I was reading Tim Ferriss's book Tools of Titans. It's an interview with all the people he had on his podcast, and he derives their kind of key life lessons, and it's a great book, and shout out to Tim Ferriss for putting it together. He happened to be with Samy Kamkar, who is, I'm just reading from the book, one of the most innovative computer hackers in the United States, best known for creating the fastest-spreading virus of all time, a MySpace worm named Samy. He also created SkyJack, which is a custom drone that hacks into any nearby drones, allowing any operator to control a swarm of devices. Anyway, he interviews Samy and asks him questions, basically how can I protect myself against people like you, and one of the quick, easiest things to do, you can do it right now before the end of this episode if you're not already doing it: cover up your webcam camera. Use a piece of tape or get one of these little slide blockers that slide open and shut like a little window, because it's probably 60 seconds for a hacker to access that camera and have a view into your personal space, and whatever you do in your personal space is now visible and could be published online.
25:54 Nanci: So I've got a few last tips on the website. If we are talking about plugins, be careful of the plugins that you install. Plugins are great. I love plugins; nothing makes my day better than a new plugin, but you have to be careful. The same thing as with themes: you don't just install an orphan theme. Some developer, a young guy or young woman, came up with an idea, launched it, and then a couple of days later moved to Indonesia. You want to go to, it's called the WordPress repository, and that's where all of the plugins for WordPress reside, where they live on the internet, and you want to find a plugin that has been installed thousands and thousands of times and has been updated in the last few weeks to few months. So really it's not so much the quantity, that's only part of it; it's the quality of the plugins.
27:27 Julian: So we haven’t talked too much about just detecting malware.
27:31 Nanci: So, the security plugins that I talked about earlier, which were iThemes Security and Wordfence. There are two ways you can do it: sometimes with your hosting it's included, like at SiteGround regular malware scanning is included, and they will send you a note like you received one when your site was hacked; and the other one is a plugin. So I think the premium versions of Wordfence and BulletProof Security include daily scanning. So basically, whether it's your hosting company or a plugin that you're using, you definitely want to be notified as soon as possible for two reasons: you don't want your site down, especially if it's important to your business, and with some hacks the longer it goes the worse it gets, the more damage that they can do while they are in there.
31:07 Nanci: Take a look at BackupBuddy. Again, there are other options, but it's not just about security; it's about how you restore, how you get notified when there is a problem and how quickly you can get everything back up.
31:25 Julian: So protect, then detect, and if you happen to be hacked, then restore.
31:30 Nanci: Yes, perfect. There's one last plugin that I would recommend; a lot of quality hosting companies install it automatically now when you take hosting with them, but it's called Limit Login Attempts. One reason you might think that you're not going to get hacked is that your information's just not that interesting to people. Like my website, themoneycoach.com: it's got some blog posts and some content teaching Canadian women how to invest; how interested are the Russians in that information?
32:05 Julian: Another way of putting it: just because your site doesn't have passwords or credit card information, or it's not a transactional site where you're selling things to people, that doesn't mean you don't have value to a hacker.
32:25 Nanci: What most hackers want to do is send thousands or even millions of email addresses from your domain. He or she may have wanted to hack your site so that she could send millions of spam emails from JulianHaber.com, and it triggers JulianHaber.com to become blacklisted. So now it's blacklisted, and it's going to take some fixing to tell the global server network, "hey, JulianHaber.com is fixed, and it's good again," and the website that helps you is MXToolbox.com. Apparently one of the first places you go to when you're hacked is MXToolbox.com, and it will tell you. I searched today a few of my websites; I knew they were fine, but what happens is, I put in themoneycoach.com and just a long string of green check marks came up. But if you have a quality host like SiteGround or WP Engine, they will do this for you. You won't be tinkering around, trying to figure it out. Part of the reason you pay for hosting isn't just so someone can type in your URL and come up with your website. You pay for quality hosting so that when things go wrong, because they will go wrong at some point, you have the support there from the experts who can say, don't worry, we've got this, and you can experience the relief when a few hours or a day later everything is fine again. I think that's about all we had to say. I'm sure there's so much more about digital security, but we wanted to kick you off with digital hygiene and WordPress security 101.
Thanks for joining us. If you feel like this particular episode was valuable to you, please leave us an iTunes review; you can go to slashpodcast.com/review, and it will take you straight to iTunes where you can leave a review. We appreciate it. Next week's episode is a question that a listener asked us, which is: what's better, a Facebook group or a Facebook page? See you next week.