Kristen Doyle 0:00
Let me ask you something. Is your website as secure as your bank account? For most online entrepreneurs that I talk to, the answer is no, and that’s putting your business at a pretty serious risk. Every minute, yes, every single minute, WordPress websites get attacked somewhere around 90,000 times.
Kristen Doyle 0:27
Now I know that sounds like a ton, so before you panic, most of those attacks are thwarted and don’t result in a hack, but some of them do. So today I am going to share some simple but really important steps that you can take today to protect your website and your business, and you won’t need a tech degree or even need to do anything that complicated to do it, promise.
Kristen Doyle 0:56
Are you a digital product or course creator, selling on platforms like Teachers Pay Teachers, Etsy or your own website? Ready to grow your business, but not into the kind of constant hustle that leads straight to burnout? Then you’re in the right place.
Kristen Doyle 1:11
Welcome to The Savvy Seller. I’m Kristen Doyle, and I’m here to give you no-fluff tools and strategies that move the needle for your business without burning you out in the process. Things like SEO, no-stress marketing, email list building, automation, and so much more. Let’s get started, y’all.
Kristen Doyle 1:34
Before we get into what to do, I do want to address something I hear all the time that you might be thinking too: my site is too small for hackers to care about. If that’s what you’re thinking, I need you to reframe your thoughts a little bit, because here’s the thing, hackers don’t care if you are running a million dollar business or if you just made your first 100.
Kristen Doyle 1:58
They don’t care if you have 10,000 visitors a day, or 10 visitors a month. Most website attacks are not done by individual people. They’re actually automated. They’re just programs, bots, crawling the internet, looking for vulnerable websites. These programs don’t distinguish between big and small sites at all. They are just looking for easy targets. It’s like a couple years ago when we had a rash of vehicle break-ins in my typically very safe neighborhood.
Kristen Doyle 2:28
These were not sophisticated thieves who had been scoping out our houses and targeting certain cars. They were bored high schoolers running around in the middle of the night, checking for unlocked doors. And most of the time, what they stole was change out of the cup holders and just other little things. Your website is part of that neighborhood that we call the Internet, and we need to make sure that your doors are locked.
Kristen Doyle 2:54
Speaking of unlocked doors, let’s talk about one of the most common security vulnerabilities that I see, and it has to do with who is logging into your site and how. One thing I see way too often is that people have really weak login credentials for your admin user account on your own website.
Kristen Doyle 3:14
A lot of times, I see people using your business name or the website name as your username and super simple passwords that you can easily remember. But that is a big vulnerability, because if the hacker, which, like I said, is typically a bot, if they can guess your username, then they can go through processes to try and figure out your password.
Kristen Doyle 3:38
And if you’re just using your business name or the website name as your username, or even worse, if you’re using admin as your username, you’re making it really easy for them to get in. 8% of WordPress websites get hacked just because of weak passwords. It’s like walking out and leaving your front door unlocked.
Kristen Doyle 3:57
One of the biggest mistakes I see, in addition to using something like admin or your business name for the username, is using really easy to guess passwords, like kids’ birthdays, pets’ birthdays, or business name plus one exclamation mark or 123. Honestly, if you can remember your password easily, it is probably not secure enough. And I would encourage you to take this approach for all of your passwords that you use everywhere, not just your website, but this is especially important for your website login.
Kristen Doyle 4:31
I want you to start thinking of it like your bank account login. It needs that same level of security. Here’s what that means. Use randomly generated passwords that are long. Most sites will let you use somewhere in the neighborhood of 14 to 18 character passwords. It should be nothing that you can easily remember or that anyone would be able to easily guess.
Kristen Doyle 4:55
I recommend that it not have any real words in it. When you start using secure passwords like this, you do kind of run into the problem of trying to remember those passwords. So get yourself a good password manager. I personally use 1Password. I also know people who are using Bitwarden. Both of those are great options. They are probably the two most secure password managers out there.
Kristen Doyle 5:19
Quick note about LastPass. I know a lot of you might be using it. It used to be really, really popular, but here is why I can’t recommend it anymore. Over the last two or three years, LastPass was having multiple security breaches every single year. In fact, I have had some of my own passwords compromised through LastPass security breaches that happened while I was using them.
Kristen Doyle 5:44
It just was happening too often, and they didn’t seem to be fixing the problems since they kept having more breaches. So I would not recommend them, but I do recommend using 1Password or Bitwarden to store all of those passwords, and they’ll even help you create those random passwords.
Kristen Doyle 6:03
Another huge login vulnerability that I see is keeping old admin access active. Maybe you hired somebody to fix something on your website six months ago, but they still have full admin access to the site, even though they’re not logging in anymore. Think of it like this. If you gave someone a key to your house because they needed to water your plants one weekend while you were out of town, you wouldn’t let them keep it forever, and it’s not because you think they’re gonna come back and rob you one day, you wouldn’t have given them the key in the first place if you did. Right?
Kristen Doyle 6:35
It’s just that you don’t want extra keys to your house just floating around. What if they lost it? What if that VA that you used, if their password was compromised in a security breach somewhere, and now your site is vulnerable because of it? Once a quarter or so, I would recommend going through your admin users and just doing a quick audit of who has admin level access to your site and whether or not they still need it.
Kristen Doyle 7:03
Another thing to consider is that some people you have on your site as admin users might only need editor access or contributor access. If you have someone who is writing blog posts for you, they probably don’t need all of the admin access to your site. They probably can just use the editor role that allows them to go in and create blog posts and access just the plugins that are related to that. And then make sure, as you bring people on to your website for a project or to do troubleshooting, that you remove their access once that project is over.
Kristen Doyle 7:37
Let’s talk about another major security risk, not updating your site’s plugins, themes, and even WordPress itself. Here’s a statistic that might surprise you. While only 8% of website hacks are due to weak passwords, that number is a lot bigger when it comes to updates. In fact, 61% of websites that get hacked were running outdated software. It’s kind of like driving a car and never changing the oil or replacing the tires.
Kristen Doyle 8:07
I had another web design client who had never updated their WordPress site because they were afraid that they might break something. Want to guess what happened? Well, they reached out to me in a panic because their site had gone down and they didn’t know what happened or how to get it back up and running.
Kristen Doyle 8:22
I was able to restore their site and bring it back up to date so that it’s safe and protected now, but it took me a ton of work. And anytime you have to reach out to someone to hire them to do a ton of cleanup work like that, it is going to get expensive and obviously cause them a lot of unnecessary stress. I will give a shameless plug. If that client had been on my WordPress Care Plan, those issues never would have happened, because we take care of those updates, and we have the backups to be able to fix the site quickly in the event that anything ever does happen.
Kristen Doyle 8:53
Now, updates to your website aren’t just about getting new features, and I know that’s what a lot of people think, and so they don’t think they’re that important, but those updates are pretty often patching security holes that hackers already know about. See, once security problems are discovered, hackers very quickly find out about those issues and start to take advantage. So it’s really important that you are doing your website updates quickly when they are released, so that your site stays protected against those kinds of vulnerabilities.
Kristen Doyle 9:26
The good news is you can make it pretty manageable if you just have a simple system in place. I recommend checking for updates weekly, so set that up in your calendar, on a regular schedule, create a backup before you run your updates in case anything goes wrong, like those things my client was worried about, and we’ll talk more about backups in a minute.
Kristen Doyle 9:46
When you get ready to update, always go in this order: plugins first, then themes, then the WordPress core. And test your site after you make the updates. If you’re worried about updates breaking your site, that’s what backups and staging sites are for, but that is a topic for another episode.
Kristen Doyle 10:04
When it comes to plugins, we don’t just need to make sure we’re updating them. Another statistic that might surprise you is that 52% of WordPress vulnerabilities come from outdated plugins, not WordPress itself, but the plugins we’re adding to our sites. And it’s not just about running those updates that we discussed earlier. Sometimes the plugin itself isn’t being maintained by the developer anymore, which means even the most up to date version could still be a security risk to your website.
Kristen Doyle 10:34
Think about it like this. If a plugin has not been updated in two years, that is two years of new security threats that it hasn’t been updated to protect against. So the solution here is to be very careful about what plugins you are installing and to check up on them over time to make sure they are still good.
Kristen Doyle 10:54
Here’s how to vet your plugins before you install them. Look to see when the plugin was last updated. You want it to be fairly recent, not multiple years ago. Look at how many active installations it has. If it only has dozens or hundreds of installations, unless it’s a very niche plugin, it probably isn’t being used enough for the developer to be encouraged to keep maintaining and updating it.
Kristen Doyle 11:20
Always read the recent reviews to make sure people aren’t complaining about any security concerns and make sure it is compatible with the current WordPress version, not just older versions of WordPress. Now, another plugin issue is something I’m going to call plugin overload, and I see it all the time. Entrepreneurs get excited about every cool plugin they hear about. They get a little distracted by shiny object syndrome, and they start installing tons of plugins, but they never remove the ones that they stop using, or maybe they never even set those plugins up, so they’re just sitting on their site, not doing anything.
Kristen Doyle 11:59
Think of every plugin as another door into your website. The more doors you have, the more places the thief can try to break in. And a lot of people don’t realize that even inactive plugins can be a security risk as long as they are still installed on your site. In fact, a lot of times inactive plugins are a bigger security risk than the ones that are active. So you need a good plugin management strategy.
Kristen Doyle 12:22
First of all, only install plugins that you actually need on your site. When you get ready to install them, always use that vetting process that I’ve shared just a few minutes ago, and then delete plugins that you are not actively using. Notice I didn’t just say deactivate. You want to deactivate and then delete plugins that you’re not actively using on the site. If there’s a plugin that you only use once a year or so, even I would recommend removing it from the site in between uses and just adding it when you need it.
Kristen Doyle 12:51
You’ll want to do an annual plugin audit, where you look through your entire list of plugins to make sure that you want to keep everything on there, that they are still being maintained, that they haven’t gotten outdated or abandoned by their developer, and that they are still in use on your site. It might be helpful to keep a log of what each plugin does, so that you know if you really need it. Because I know sometimes it can be easy to forget why you installed something on your website. So you can keep a simple log in something like Google Sheets or Airtable of what plugins you have and what their purpose is, or what pages you’ve used them on.
Kristen Doyle 13:31
Now that we’ve covered the major vulnerabilities, let’s talk about some proactive steps you can take to protect your site. The first one is to make sure that you have recent backups. Think of backups like your insurance policy. You hope you never need them, but you’ll be so grateful to have them if something goes wrong.
Kristen Doyle 13:49
Now, your hosting company probably offers backups, but don’t rely solely on those, because if you ever get hacked, those will get taken. So make sure that you have your own backup system in place. I recommend keeping at least 30 days of backups stored somewhere separate from your hosting account. I include this in all of my maintenance plans for those clients. But if you’re DIYing your website maintenance, there are lots of plugins out there that you can use to take regular backups. UpdraftPlus is one that seems to work well, so that is the one that I would recommend if you need to take backups on your own.
Kristen Doyle 14:23
And the other proactive step I want you to take is to make sure you have a good security plugin installed to monitor your website’s security. It’s like those security cameras in all of our driveways that caught the teenagers a couple of years ago trying to break into our cars. A good security plugin, like Solid Security, which is the one I’m going to recommend that you guys use. Its free version will run regular site scans, and it will alert you to any suspicious activity, bot attacks or plugin issues. So this is another way to make sure your plugins are safe and your site isn’t having attacks.
Kristen Doyle 15:01
When you install and set up those plugins, make sure that they are sending alerts to an email you check regularly and pay attention to those when you get them, because they are telling you something very important about your website.
Kristen Doyle 15:14
All right, let’s make this super actionable. Here’s what I want you to do this week. Check and update your admin passwords using a password manager, install Solid Security or another security plugin on your website if you don’t already have one, and make sure you have a recent backup of your site. Keep in mind that website security, just like security in your home, is not a one and done thing. It’s ongoing maintenance that you need to be doing continuously to protect your business.
Kristen Doyle 15:44
If you found this episode helpful, I would love for you to take a screenshot while you’re listening and share it in your Instagram Stories. Tag me @kristendoyle.co and let me know which security tip you are implementing first. This is such important information for all online business owners who have a website, and I would really appreciate your help getting it in front of more people who need to hear it. And hey, if you are feeling a little overwhelmed by all of this, don’t worry. Start with just one thing. Updating those passwords is a great first step. Talk to you soon.