WordPress Security and the #1 Way to Stay Protected

I am not generally a rule-follower in real life, which is why it is super-ironic that I got myself all messed up in computers. Because if there is one thing that computers love, it is rules. So people in this industry talk a lot about rules. A. Lot.

Today’s thoughts are about ‘the rules’ (or let’s say ‘best practices’…so much nicer to my ears) that govern security issues around your WordPress website.

Is WordPress Less Secure Than Other Platforms?

This security myth has been around for a long time. WordPress is currently used on more websites than any other open source content management system (CMS). That makes it the biggest target, and it gives it more users, who make more mistakes. Because you can run this CMS without much technical knowledge (and many people do), a larger share of sites are left unmaintained and therefore open to being hacked or compromised. A larger user base leads to more breaches in absolute numbers; it does not mean the software itself is weaker.

It could also be said that, because of its reputation for ease of use compared with platforms like Joomla or Drupal, WordPress attracts a less sophisticated or technical user. Each platform has its own set of pros and cons, with WordPress definitely coming down on the side of out-of-the-box readiness.

There are four ways that your website can be vulnerable:

  1. hardware (for example, the server – which is a computer – where your website files are stored gets physically damaged)
  2. software (for example, the program files that are used to execute your website become infected with malware)
  3. administration (where the person responsible for the upkeep of the site does not actually do it: updates, backups and user accounts are left to drift), and/or
  4. users (ack)

Guess which area is most likely to lead to your site being compromised? (hint: I wrote ‘ack’ beside it)

Yes! Users create the most vulnerabilities for websites. They. Are. The. Worst.

However, without users, your site is nothing, so here’s what you do.

One Rule to Rule Them All: Update

Most hacks are due to poor security management. Vulnerabilities are discovered all the time in WordPress and, far more often, in its plugins and themes. Once a vulnerability is disclosed, either the developer releases a patched version or, if the plugin has been abandoned, you are advised to remove it and use something else (which can really suck). If you keep your plugins, theme(s) and WordPress core files updated, you will have decreased the risk without incurring much cost.

When a vulnerability is discovered in a plugin, sites get hacked not because they are specifically being targeted, but because hacking bots scour the internet searching for that particular vulnerable version. A plugin is easy to fingerprint, because its files (its readme.txt, for example) sit at a predictable path under wp-content/plugins/. When the bots find it on your site, they do their bad stuff (i.e. insert malicious code or a backdoor). It was not personal against you. You can rest easy: no one is out to get you; they are out to exploit the holes that you are leaving open.

And while we’re at it, deactivate and delete unused plugins and themes. A vulnerability in a deactivated plugin can still be exploited because the code is still on the server: the plugin’s files remain under wp-content/plugins/ and can still be requested directly over the web, whether or not WordPress has loaded them. Deactivating is not the same as removing; only deleting takes the code off the site.
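Here is what that maintenance routine looks like from the command line, as an added example (this is not code from the post, from WordPress or from WP-CLI): a small POSIX shell script that reads the CSV produced by WP-CLI’s ‘wp plugin list’ command and prints the delete and update commands an operator should run. The sample plugin list is constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not CarricDesign's code and not part of WordPress or WP-CLI).
# It audits the output of WP-CLI's
#   wp plugin list --fields=name,status,update,version --format=csv
# and emits the commands to run: delete anything that is not active (the files
# of a deactivated plugin are still reachable over HTTP, so they are still
# exploitable) and update whatever is left that has an update available.
# SAMPLE_PLUGIN_LIST is constructed sample output, not taken from a real site.

SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,available,5.0.1
classic-editor,inactive,none,1.6.3
hello,inactive,available,1.7.2
wordfence,active,none,7.10.0'

# Names of plugins whose "update" column says an update is available.
plugins_needing_update() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Names of plugins that are installed but not active (status "inactive").
inactive_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Turn the audit into a dry-run list of WP-CLI commands. Inactive plugins are
# deleted rather than updated, because updating code you are not using keeps
# the attack surface without giving you any benefit.
plugin_audit_commands() {
  inactive=$(inactive_plugins "$1" | xargs)
  if [ -n "$inactive" ]; then
    printf 'wp plugin delete %s\n' "$inactive"
  fi
  for name in $(plugins_needing_update "$1"); do
    case " $inactive " in
      *" $name "*) ;;  # already scheduled for deletion above
      *) printf 'wp plugin update %s\n' "$name" ;;
    esac
  done
}

# Stand-alone run against the constructed sample. On a real site, feed the
# function the live list instead:
#   plugin_audit_commands "$(wp plugin list --fields=name,status,update,version --format=csv)"
# and review the printed commands (after taking a backup) before running them.
plugin_audit_commands "$SAMPLE_PLUGIN_LIST"
```

Core and themes get the same treatment: ‘wp core update’ and ‘wp theme update --all’ after deleting unused themes with ‘wp theme delete’. The script only prints commands; running them is a deliberate second step so that a bad plugin list never deletes anything unreviewed.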

Use a Good, No, Great Hosting Service

I have been using SiteGround since 2005 and, although I’ve worked with many other hosting companies, I have yet to find one that is better. Their support is excellent and they are very security-conscious. Because of their attention to security, they have become one of the best WordPress hosting companies in the world. There are also other good ones out there – just make sure you use one of them. ‘Security-conscious’ should mean concrete things: automatic updates for WordPress core, daily backups that you can restore yourself, isolation between accounts on shared servers, and a support team that will actually help when a site is compromised. Ask any host you are considering about each of those.

Up Your Password Game

Do you use the same password on multiple sites? (Probably yes…) Has a site where you have an account ever been hacked and had the passwords stolen? (Probably yes…) How long do you think it would take to guess your password? (Probably less time than you think…)

If you are curious, check out an article called Estimating Password-Cracking Times. Just as a little aside, they have a tester where you can enter a password, but I would advise you never to use a real password. There is a disclaimer saying that they don’t collect passwords (and they probably don’t), but it isn’t a good idea. In fact, there is another disclaimer telling you not to use a real password. This is just for testing what ifs, people.

Get this: your super-secure password from 2001 is significantly less super-secure in 2021 because cracking hardware has improved, and if you reused it across sites, a breach of any one of them exposes the rest. Change your passwords frequently, never use the same one on two sites, and because it would take a computer-brain to remember all of your passwords, use a password manager like LastPass. Excellent tool.*

For your WordPress site, make your users at every level use strong passwords. WordPress core only shows a strength meter and lets a user confirm a weak password anyway, so enforcement comes from your security plugin; in many tools this is called ‘forcing strong passwords’. Make sure that option is turned on, for administrator accounts especially.

Because the #1 defence in your WordPress security plan is getting your users to follow best practices, and usually you have to make them: enforce it with settings rather than rely on goodwill.

*Update March 2023 – LastPass breach. In an ironic twist, LastPass has copped to a security breach that was disclosed in December 2022 and happened earlier in 2022.

Update July 2023 – Another tool to test your password that I was recently made aware of is vpnmentor.com/tools/passwordmeter. My hesitation about using these types of tools is that you are actually putting your password out there and possibly into a database, so only ever test made-up passwords. There is a list of good password-making tips on the page.


If your site ever does get into trouble, Sucuri specializes in fixing sites that have been hacked (as well as securing sites before they ARE hacked).




How to Pick a Domain Name (and other impossible tasks)

If I know you – and I do, dear big-idea-thinker – you have a dream about where your new business will take you. So much planning goes into the business plan (right?!?), the product and the riches that will undoubtably ensue.

You likely spent time at the kitchen table, thinking up a great name for your business. Something that no one has thought of before.

But wait…before you lock in your logo and all of your business cards with this new name (not to mention the t-shirts and coffee mugs)…stop and do a search for the matching domain name!

In the beginning…

In the beginning, there were only .com domain names (actually, .arpa was the first internet top-level domain, according to Wikipedia, but we’re not going back quite that far in this little history). The ‘.com’ part is called the top level domain (or TLD). You then choose the word that goes in front of the TLD to form your domain name (e.g. mybusiness.com). In the wild west days when domain names were first being settled, it was relatively easy to get your business initials as your domain name. Or, if you had a short name, you could use your actual name (I’m looking at you, coke.com).

As businesses came online, .com names were snapped up and savvy businesses started looking for alternatives to .com.

In 2009, only 21 generic TLDs were available. There were also country-code TLDs (for example, the now popular ‘.ca’). Many of the TLDs spoke to the purpose of the organization that owned the domain: .edu (education), .gov (government), etc.

The organization that manages TLDs (ICANN) decided to create additional TLDs and, in 2012, received 1,930 applications (wowzers!) proposing new ones. Not all were created, but we now have a vast array of TLDs from which to choose in comparison to the piddly few that were available in 2009.

New TLDs

The broad spectrum of TLDs available to you, dear domain-name-owner-wannabe, can be overwhelming. You are no longer limited to the ones that you see on a day-to-day basis, such as .com, .org, .ca, .net. You can now have .agency, .beer, .clinic…well, the list is quite extensive, so you can look them up on Wikipedia’s List of Internet Top Level Domains page.

Interesting times

We are now living in interesting times. Just like the explosion of .ca names in the early to mid-2010s, businesses will now start showing up with something other than .com after their name. This new playing field creates the opportunity to choose a more descriptive domain name, or to claim one that is shorter than what would be available if you had to use .com.

So how do you pick?

Good question.

My advice to clients is to always own their business name, if it is available, in both the .com and .ca versions, which are the most commonly used in Canada. Your customers will likely guess ‘yourbusinessname.com’ or ‘yourbusinessname.ca’ first, so they are the low-hanging fruit. By the way, I also recommend to clients that they own the name of any key business people in their organization as a domain name (more on this later). Those domain names are not always available.

A second option is to use a keyword phrase that describes your business. This can be especially effective if it is a catchy phrase. For example, deliciouscookiesforall.com is long, but memorable.

When choosing the name, keep in mind:

  • that keywords in domain names are GREAT;
  • you are going to have to use that puppy as an email address;
  • that email address will likely have to fit on a business card;
  • sometimes when you mix words together, they form unfortunate other words, so ALWAYS check. (If you don’t know what I’m talking about, check out Bored Panda’s ’30 Unintentionally Inappropriate Domain Names‘)

Domain names are relatively inexpensive to purchase, but have a big impact on your business. It is fine to own several and point them all at the same website. If you clicked on coke.com above, you might have noticed that it actually took you to coca-cola.com. The first domain name (which was very guessable) is redirected to the main website.

A cautionary tale

Once upon a time, a new client came to me with a problem. An employee had left their company in a huff and decided to buy a domain name that matched this client’s business name and set up a seedy little website. Yikes.

‘What can we do?’, they asked me.

Um…not much, unless you want to launch legal action. Yep. Legal action (assuming that your polite request to have the website taken down was not heeded).

This new client had registered several domain names, but not their exact business name, and now their customers were searching for them online and finding this other website.

In the end, they waited it out. The disgruntled employee did not renew the domain name and the client snapped it up as soon as it became available. Problem solved. True story, even though I started with ‘once upon a time’.

The take-away is to protect your business name, as well as any name that connects to the reputation of your business, by buying those domain names where possible.

Domain name strategies

Beyond protecting your business name and reputation, there are other strategies that can be used when purchasing domain names. You might want to register related names to stop someone else from registering and using them. You could also register common misspellings of your name. The key is to recognize where your risks and opportunities lie. Minimize risks and maximize opportunities.

Get help.

If you need help brainstorming ideas or just knowing what is available, get in touch and we’ll talk. One of the services that I provide clients is domain name research. I will find out what’s available compared to your desired domain name and probably come up with a few ideas that you haven’t thought of yet.




Picking (and using) Your Business Email Address

As a small business owner, it goes without saying (but I’m still going to say it) that you want to use every available opportunity to promote your business and make it easy for people to find you online.

Your email address can be like the Picquic tool of your online toolbox: one handle, many uses.

Starting a new business

Huzzah and congratulations! Part of picking the name of your business should be a consideration of what is available as a domain name for your website. Even if you have decided you don’t need a website (what?!?) and are just using the email to keep business communications separate from your personal communications, you should do some research to find out what is available.

I will always counsel clients (and friends…and people that I randomly talk to at the farmer’s market…) to register a domain name and use a ‘unique domain name’ business email address. It looks more professional and adds credibility to your business. Which business email seems like the more legit company: treetrimmingservices@gmail.com or info@treetrimmingservices.com? Even if you have no intention of having a website, the second email sends a message that you are, indeed, in business and not just a fly-by-night operation*.

*If you are a fly-by-night operation, you can stop reading. There’s nothing to see here. Move along.

There is usually a small cost to purchasing the domain name and then setting up an email-only service, but it is well worth it for the value that it brings to your perceived professionalism.

What your domain does for you

Your unique domain name can be a workhorse for your business. Every time you send out an email, it advertises where your website is located and makes it super-easy for people to find your business online.

When you have your own domain, you can generally create as many email addresses as you want. Some hosting services limit the number of email accounts that you can have with your website hosting, so not all hosting services are created equally. The hosting offered through CarricDesign allows you to have as many as you like and gives you access to set them up and change passwords as needed.

Tips for using email in a volunteer-led organization

If you have a lot of volunteers in your organization, you will need to make a decision about using their name as the email address or their position (i.e. sally@volunteercorp.com versus membership@volunteercorp.com). Oftentimes the volunteer positions are filled by people that rotate in and out of the position, so using the position name as the email address rather than the person’s name makes a lot of sense, since people can keep emailing the same address even when the person filling the position has changed.

The flip side is using the person’s name in the email address. This lends a more personal flavour to the email and lets people know that they are talking to a person instead of a nameless, faceless entity. If you have a good email management protocol, you can simply add a forwarder to that address when the person leaves the position, so their email goes to the new person.

Both systems work, so consider what has the most advantages for your organization.

Having multiple email addresses

Business owners often lament the copious amount of email and the multiple email addresses that they have to manage. Did you know that your email program can import emails from multiple email addresses AND sort them into their own email inboxes? Gmail is especially good at this, but all email programs have at least a rudimentary way to sort emails for you (very handy!). You can also set up multiple email addresses to arrive in one program, so instead of having to open up different email programs or log into multiple email addresses, you can get them all in the same program. Once you have them set up, you can reply from different email addresses as well. Ask me – I can help!

Using Gmail or Outlook

Don’t want to go to all of the bother to choose a domain name and set up email? Then perhaps Gmail or Outlook are the solution for you. From a business standpoint, they say ‘I’m a very small business and don’t have a nephew who works on websites’. If, for some reason, you choose hotmail for your email address, then you’re on your own! Using hotmail is like trying to sing opera in a teeny-bopper voice on a candyland set. Keep hotmail, aol, me.com etc. for your personal email; they do not say ‘I’m a professional’.

Back to Gmail. Remember, you are competing with everyone in the world that has or wants a ‘@gmail.com’ email address and they are all unique. If your company is called ABC Carpets, you might find that abccarpets@gmail.com has already been claimed. You might have to zigzag a bit and settle for abccarpetskingston@gmail.com or some other iteration. Instead of re-inventing the cheese ball, here’s an article I found that has some good ideas for creating your email address.

Using the email that comes with your Internet Service Provider

When you order your internet service from Cogeco or Bell or some other company, you are usually allowed to pick out an email address. Yay you!

Don’t use it for your business. Seriously. Don’t.

If you start using mybusiness@cogeco.net as your business address, you are tied to that internet service provider. You are tied to their fortunes as a company (if they go under, your email address disappears). You are tied to their price structure. You are tied to their policies and limitations. Because as soon as you decide to move your service to another provider, you will lose your business email address.

Instead, give yourself the freedom to choose any internet service provider by using your own unique domain name email address, and choose your internet service provider based on their service, not because you are stuck.

Use a signature file

It is fitting to end this post on email by urging the use of a signature file. If you don’t know how to do it, try searching on Google: ‘how to set up an email signature using XXX’, where XXX is the name of the email program you are using. Your signature should include some basics, like your name, title, company and phone number/email address (yes…even though it is attached to an email…), but it can also have links to your social media accounts, a link to your website, and/or a disclaimer message. Wise Stamp (wisestamp.com) is a great place to generate a kickin’ email signature (just in case you want to take it up a notch!).

In conclusion (because I realized I had more to say)

Clients often are confused or overwhelmed about their domain name, their website hosting and how everything works together. You are not alone. I’ve got your back. Give me a call.



Oh Google, you DO care!

A lot of the work that has been flowing through CarricDesign lately revolves around improving ranking results in ‘search engines’ (by which clients usually mean ‘Google’).

So when an article comes across my desk about an algorithm update, I sit up and take notice. The article du jour is from Website Magazine and talks about Google’s so-called ‘Farm Update’.

Google is finally ready to penalize content farms. (Official Google blog post – they call the sites ‘low-quality’)

For those who are building websites using web standards practices, good (…unique…useful…) content and all the good stuff that comes with thinking about SEO, things are looking up. No longer will you have to compete against spammy content farms who reproduce content or generate fluffy stuff that doesn’t really help anyone, just to rank well for keywords and produce link juice for other sites.

Google (and all other search engines) change their algorithm all the time. A tweak of this, a pinch of that – helping to serve up the ‘best results’ possible. Think about it like this: search engines make money by being the search engine of choice for as many users as possible. Their claim to marketshare correlates to what they can charge for advertising. In order to be the search engine of choice, they have to consistently serve up the results that people are looking for (i.e. what they REALLY want versus what their search query is…you might be surprised how different those two things can be!). The better the search engine is at getting the user where they want to go, the more likely the user will return…and the search engine claims more marketshare.

My sympathies are for the small business owner who is trying to run their business (which they are hopefully good at), keep up with the book-keeping (get an accountant!) and create content for their website. The temptation to copy from another site – say, a manufacturer’s site – is high. But this algorithm update will ferret out that behaviour and penalize it. There is now more incentive to create useful, thoughtful content for your website.

It will be important to look at your website’s analytics, know where your pages sit in the search engine results, and watch what happens. If you see dramatic downward trends for pages that you feel contain the meat and potatoes of your business, evaluate the content with your ‘low quality’ radar on – sooner, rather than later.

Other useful strategies for small businesses: engage with your customers on Facebook and/or Twitter; ask trusted employees to post to your Facebook page about products they like in your store; re-evaluate current content – now is the perfect time to freshen things up; consider other forms of content, like videos; start a blog.



Being Social With Your Business

Social media includes elements that allow us to be social – to talk to one another.

Using your website, you can ‘talk’ to clients and potential clients 24/7. Allowing them to talk back to you in a public way is both risky and rewarding. Are you ready to monitor the conversation and step in when needed? Do you like to hear from your customers, both positive and negative?

The great side of incorporating social media into your website is the ability for people to say great things about your business and let others know. For example, if someone likes using your product or service, why not make it easy for them to tell others via a Facebook page?

The downside is that people are far more likely to go on a public tirade when they feel they have been unfairly treated.

So what to do?

Many business owners feel they want to engage in this new way with their market, but don’t have any more time in the day to make it happen. Perhaps a Twitter feed is the way to go for this person. It allows short updates/blurts of information without the commitment of a blog or Facebook, where you might also need to deal with adding photos.

Whatever way you decide to engage in any type of social media should authentically reflect your brand and the message that you want to communicate with your customers. It is a new world of personal engagement and you have the opportunity to create your own path.



“You Want Me To Go Where?” (Making Your Linking Text Count)

I was at my workout class this afternoon and had a little epiphany about linking text and how valuable it is to give clear instructions and use it wisely.

Did I mention I was at a workout class? 🙂 It was one of those where you are lifting weights to the beat of the music, which takes your mind off the hideous torture that it is to lift weights (but I digress…).

Every time we had to change what we were doing, the instructor would call out instructions. Sometimes she would say something like ‘here we go!’ and sometimes she would say ‘Let’s take that up for a clean and press’. Now – which do you think was easier to follow?

Let’s assume that I was at this workout for the first time (the way a visitor is on your website for the first time). Would I know what to do with ‘here we go’? Not necessarily. It is non-specific, non-directional and non…well, anything, except I knew I was supposed to do something.

But when the instructor calls out ‘Dead row – let’s do 4!’, I know exactly what my next step should be.

And that’s what good linking text does for your website user. Good linking text says ‘find out more about what our clients are saying’, instead of ‘click here’.

How about this – if they haven’t read the paragraph of text in front of the linking text, would a user still know where it was going to take them? Linking text should be a call to action. ‘Click here’ makes me want to say ‘Oh yeah? Make me’.

What does your linking text say to your users?

(BTW – if you are in the Kingston area and want to know what kind of exercise class made me think about this, check out Omega Fit Club – Group Power.  Love it!)