WordPress Security and the #1 Way to Stay Protected

WordPress Security and the #1 Way to Stay Protected

WordPress Security and the #1 Way to Stay Protected

I am not generally a rule-follower in real life, which is why it is super-ironic that I got myself all messed up in computers. Because if there is one thing that computers love, it is rules. So people in this industry talk a lot about rules. A. Lot.

Today’s thoughts are about ‘the rules’ (or let’s say ‘best practices…so much nicer to my ears) that govern security issues around your WordPress website.

Is WordPress Less Secure Than Other Platforms?

This security myth has been around for a long time. WordPress is currently used on more websites than any other open source content management system (CMS). This makes it a bigger target and gives it more users who make more mistakes. If you can use this CMS without a lot of technical knowledge (which you can), it leaves more sites vulnerable to being hacked or compromised. A larger user base leads to more security breaches.

It could also be said that because of its greater ‘ease-of-use’ rep than platforms like Joomla or Drupal, WordPress attracts a less sophisticated or technical user. Each has its own set of pros and cons, with WordPress definitely coming down on the side of out-of-the-box readiness.

There are four ways that your website can be vulnerable:

  1. hardware (for example, the server – which is a computer – where your website files are stored gets physically damaged)
  2. software (for example, the program files that are used to execute your website become infected with malware)
  3. administration (where the person doing the upkeep of the site does not), and/or
  4. users (ack)

Guess which area is most likely to lead to  your site being compromised? (hint: I wrote ‘ack’ beside it)

Yes! Users create the most vulnerabilities for websites. They. Are. The. Worst.

However, without users, your site is nothing, so here’s what you do.

One Rule to Rule Them All: Update

Most hacks are due to poor security management. Vulnerabilities are discovered all the time for WordPress and, once discovered, they are either patched or you are advised to remove the plugin and use something else (which can really suck). If you keep your plugins, theme(s) and WordPress core files updated, you will have decreased the risk without incurring much cost.

When a vulnerability is discovered in a plugin, sites get hacked not because they are specifically being targeted, but because the hacking bots scour the internet searching for that particular vulnerability. When they find it in your site, they do their bad stuff (i.e. insert malicious code or a virus). It was not personal against you. You can rest easy – no one is out to get you; they are out to exploit the holes that you are leaving open.

And while we’re at it, deactivate and delete unused plugins and themes. A vulnerability can still be exploited in a deactivated plugin because the code is still on the site.

Use a Good Great Hosting Service

I have been using SiteGround since 2005 and, although I’ve worked with many other hosting companies, I have yet to find one that is better. Their support is excellent and they are very security-conscious. Because of their attention to security, they have become one of the best WordPress hosting companies in the world. There are also other good ones out there – just make sure you use one of them.

Up Your Password Game

Do you use the same password on multiple sites? (Probably yes…) Has a site where you have an account ever been hacked and had the passwords stolen? (Probably yes…) How long do you think it would take to guess your password? (Probably less time than you think…)

If you are curious, check out an article called Estimating Password-Cracking Times. Just as a little aside, they have a tester where you can enter a password, but I would advise you never to use a real password. There is a disclaimer saying that they don’t collect passwords (and they probably don’t), but it isn’t a good idea. In fact, there is another disclaimer telling you not to use a real password. This is just for testing what ifs, people.

Get this: your super-secure password from 2001 is significantly less super-secure in 2021 because technology has improved. Change your passwords frequently. And because it would take a computer-brain to remember all of your passwords, use a password manager like LastPass. Excellent tool.*

For your WordPress site, make your users at every level use significant passwords. For many tools, this is called ‘forcing strong passwords’. Make sure that option is checked off.

Because the #1 best defense in your WordPress security plan is to train your users to follow best practices, but usually you have to make them.

*Update March 2023 – LastPast breach. In an ironic twist, LastPast has copped to a security breach that was disclosed in December 2022 and happened earlier in the fall of 2022.

Update July 2023 – Another tool to test your password that I was recently made aware of is vpnmentor.com/tools/passwordmeter Any hesitations I have about using these types of tools is that you are actually putting your password out there and possibly into a database. There is a list of good password-making tips on the page.


If your site ever does get into trouble, Sucuri specializes in fixing sites that have been hacked (as well as securing sites before they ARE hacked).




How to Pick a Domain Name (and other impossible tasks)

How to Pick a Domain Name (and other impossible tasks)

How to Pick a Domain Name (and other impossible tasks)

If I know you – and I do, dear big-idea-thinker – you have a dream about where your new business will take you. So much planning goes into the business plan (right?!?), the product and the riches that will undoubtably ensue.

You likely spent time at the kitchen table, thinking up a great name for your business. Something that no one has thought of before.

But wait…before you lock in your logo and all of your business cards with this new name (not to mention the t-shirts and coffee mugs)…stop and do a search for the matching domain name!

In the beginning…

In the beginning, there were only .com domain names (actually, the domain arpa was the first internet top-level domain, according to Wikipedia, but we’re not going back quite that far in this little history). The ‘.com’ part is called the top level domain (or TLD). You then choose the word that goes in front of the TLD to form your domain name (i.e. mybusiness.com). In the wild west of when domain names were first being settled, it was relatively easy to get your business initials as your domain name. Or if you had a short name, you could use your actual name (I’m looking at you, coke.com).

As businesses came online, .com names were snapped up and savvy businesses started looking for alternatives to .com.

In 2009, only 21 generic TLDs were available. There were also country-code TLDs (for example, the now popular ‘.ca’). Many of the TLDs spoke to the purpose of the organization that owned the domain – .edu (education), .gov (government), etc.

The organization that monitors TLDs decided to create additional TLDs and, in 2012, received 1,930 applications (wowzers!), proposing new TLDs. Not all were created, but we now have a vast array of TLDs from which to choose in comparison to the piddly few that were available in 2009.

New TLDs

The broad spectrum of TLDs available to you, dear domain-name-owner-wannabe, can be overwhelming. You are no longer limited to the ones that you see on a day-to-day basis, such as .com, .org, .ca, .net. You can now have .agency, .beer, .clinic…well, the list is quite extensive, so you can look them up on Wikipedia’s List of Internet Top Level Domains page.

Interesting times

We are now living in interesting times. Just like the explosion of .ca names in the early to mid-2010’s, businesses will now start showing up with something other than .com after their name. This new playing field creates the opportunity to choose a more description domain name or to claim one that is shorter than what would be available if you had to use .com.

So how do you pick?

Good question.

My advice to clients is to always own their business name, if it is available, in both the .com and .ca versions, which are the most commonly used in Canada. Your customers will likely guess ‘yourbusinessname.com’ or ‘yourbusinessname.ca’ first, so they are the low-hanging fruit. By the way, I also recommend to clients that they own the name of any key business people in their organization as a domain name (more on this later). Those domain names are not always available.

A second option is to use a keyword phrase that describes your business. This can be especially effective if it is a catchy phrase. For example, deliciouscookiesforall.com is long, but memorable.

When choosing the name, keep in mind:

  • that keywords in domain names are GREAT;
  • you are going to have to use that puppy as an email address;
  • that email address will likely have to fit on a business card;
  • sometimes when you mix words together, they form unfortunate other words, so ALWAYS check. (If you don’t know what I’m talking about, check out Bored Panda’s ’30 Unintentionally Inappropriate Domain Names‘)

Domain names are relatively inexpensive to purchase, but have a big impact on your business. It is fine to own several and point them all at the same website. If you clicked on coke.com above, you might have noticed that it actually took you to coca-cola.com. The first domain name (which was very guessable) is redirected to the main website.

 A cautionary tale

Once upon a time, a new client came to me with a problem. An employee had left their company in a huff and decided to buy a domain name that matched this client’s business name and set up a seedy little website. Yikes.

‘What can we do?’, they asked me.

Um…not much, unless you want to launch legal action. Yep. Legal action (assuming that your polite request to have the website taken down was not heeded).

This new client had registered several domain names, but not their exact business name, and now their customers were searching for them online and finding this other website.

In the end, they waited it out. The disgruntled employee did not renew the domain name and the client snapped it up as soon as it became available. Problem solved. True story, even though I started with ‘once upon a time’.

The take-away is to protect your business name, as well as any name that connects to the reputation of your business, by buying those domain names where possible.

Domain name strategies

Beyond protecting your business name and reputation, there are other strategies that can be used when purchasing domain names. You might want to register related names to stop someone else from registering and using it. You could choose to register common mis-spellings of your name. The key is to recognize where your risks and opportunities lie. Minimize risks and maximize opportunities.

Get help.

If you need help brainstorming ideas or just knowing what is available, get in touch and we’ll talk. One of the services that I provide clients is domain name research. I will find out what’s available compared to your desired domain name and probably come up with a few ideas that you haven’t thought of yet.




Oh CRAP. (Designing your website)

Oh CRAP. (Designing your website)

Oh CRAP. (Designing your website)

If you Google ‘how to design things for a website’ (go ahead, we’ll wait…), you will see such lists as ’24 Things to Consider When Designing and Developing a…’ (who knows what they are designing or developing because their title was too long for the search result listing page) or ’15 Things to Know Before Designing a Website’.

Wowzers. How will you get them all right?

(I read the articles, just in case. Turns out, I’m all good.)

I’ve been reading articles like these since starting as a website designer and instead of overwhelming you with options (and there are lots of things to consider), let me introduce you to the c.r.a.p. principle of design.

C.R.A.P. stands for contrast, repetition, alignment and proximity. It was introduced by Robin Williams, a woman whose design books were so very helpful when I started out on this path.

Just about any design project can be evaluated from this framework and come out the better for it.

Contrast makes for better UX

Making elements stand out on a website can draw the user’s eye to something that you for sure want them to see. (If you don’t like that sentence, feel free to read ‘This is how you start again‘). Contrast can include changing the colour of nearby elements, changing the font size or type or putting different shapes side-by-side.

The colour wheel is a great place to start if you want to built a site with some ‘wow’ colour combos to spark action. There are even online tools, like Coolors, that can help you get started. Big caution: You can’t always just plop complementary colours on the same page and be done with it. There is an art for putting colours together so that they are easy to read and make sense to the user.

I repeat…

See what I did there? I created a sub-head using the same font size and colour as the other headings on this page, making it easy to scan. Just like contrast, the repetition on your site can be the colour, the font or the shape. Repetition gives a calmness to your site, because it makes things easier to understand and ultimately, find.


I hope that centering the sub-head above grates on your nerves as much as it does mine. It is a great example of contrast, because it sticks out as different from the rest. In this case, ‘different’ isn’t great and just causes confusion on the page (sorry about that). Aligning elements makes a page flow better for your user.

And just in case you are wondering, here’s a little gem about what is really important to your user:

What is the most important factor in the design of a website? - graphic

That’s right: finding what they want (red arrows added by yours truly for emphasis).

If it is a big thing for them, make it a big thing for you and do what you can to help a brother out.

The ‘P’ in CRAP – Proximity

Things that are associated with each other, should be located close to each other on the page. This might mean that there is a little extra space between a title and the paragraph above it, showing that the title is a part of the next paragraph (like the headings on this page). White space, or negative space, can be used effectively to group elements and help the user to find their way through the site. Placing elements close together can make for a busy or ‘exciting’ onside experience for users, so it shouldn’t be discounted as a tool.

Putting it all on the page

Sometimes a design just needs a tweak to snap it into place. Sometimes everything needs to be broken apart and you need to start again. How do you know which is needed? A good place to start is to evaluate using the CRAP principles. Test your website using friends and family (because that’s what they’re there for, right?) who have never used your site and ask them to complete a task. Just watch them. Note where their mouse moves and what they click on. If you have a little bit more in the budget, engage the services of a web design professional (shameless self-promotion there, because of course I mean me).

Don’t let your website flounder when all it needs is to have a little CRAP applied.



This is how you start again

This is how you start again

This is how you start again

If you are the kind of person to notice these kinds of things, you might notice that my last post was dated 2011. There. I said it.

My website has always had a ‘the-cobbler’s-children-have-no-shoes’ kind of flavour and I’m okay with that. I have spent my time working steadily on client websites, with word-of-mouth being my biggest ally.

This week I re-launched my site. While sifting through the files, I found a blog that I started in 2010, when I was experimenting with the genre. I have to say, it was fun reading through my old posts. Kind of like a time capsule.

So I decided to start again. My posts tend to be short and written the way that I would speak. I don’t clean them up for presentation too much. More like a diary.

I’m at the starting line again and who knows where it will take me. But once again, I have a place to put my thoughts, dear friend. Right here.



Oh Google, you DO care!

Oh Google, you DO care!

Oh Google, you DO care!

Google logo A lot of the work that has been flowing through CarricDesign lately revolves around improving ranking results in ‘search engines’ (by which clients usually mean ‘Google’).

So when an article comes across my desk about an algorithm update, I sit up and took notice. The article du jour is from Website Magazine and talks about Google’s so-called ‘Farm Update’.

Google is finally ready to penalize content farms. (Official Google blog post – they call the sites ‘low-quality’)

For those who are building websites using web standards practices, good (…unique…useful…) content and all the good stuff that comes with thinking about SEO, things are looking up. No longer will you have to compete against spammy content farms who reproduce content or generate fluffy stuff that doesn’t really help anyone, just to rank well for keywords and produce link juice for other sites.

Google (and all other search engines) change their algorithm all the time. A tweak of this, a pinch of that – helping to serve up the ‘best results’ possible. Think about it like this: search engines make money by being the search engine of choice for as many users as possible. Their claim to marketshare correlates to what they can charge for advertising. In order to be the search engine of choice, they have to consistently serve up the results that people are looking for (i.e. what they REALLY want versus what their search query is…you might be surprised how different those two things can be!). The better the search engine is at getting the user where they want to go, the more likely the user will return…and the search engine claims more marketshare.

My sympathies are for the small business owner who is trying to run their business (which they are hopefully good at), keep up with the book-keeping (get an accountant!) and create content for their website. The temptation to copy from another site – say, a manufacturer’s site – is high. But this algorithm update will ferret out that behaviour and penalize for it. There is now more incentive to create useful, thoughtful content for your website.

It will be important to look at your website’s analytics and know where pages are at in the search engine results page and watch what happens. If you see dramatic downward trends for pages that you feel contain the meat and potatoes of your business, evaluate the content with your ‘low quality’ radar on – sooner, rather than later.

Other useful strategies for small businesses: engage with your customers on Facebook and/or Twitter; ask trusted employees to post to your Facebook page about products they like in your store; re-evaluate current content – now is the perfect time to freshen things up; consider other forms of content, like videos; start a blog.



Tag-teaming a website

Tag-teaming a website

Tag-teaming a website

Kingston WritersFest websiteI have been working alongside some very dedicated volunteers over the past few months on the Kingston WritersFest website. Everything is geared towards the five-day festival that runs in September.

One of the challenges has been in getting changes up on the website when more than one person has access to the files.

Even in my careful moments, I need a system to make sure that I am not overwriting the changes that my colleague has just made. Right now, the system consists of a big sticky note on my file folder, reminding me to download a fresh copy of the file…before I start working on it.

Despite the fact that we have both made errors, having only two people working on the files is fairly safe. If more were involved, it would definitely be time to head towards a project management system that would allow users to check out the files and require them to be checked back in before another user could modify them.

On another note, I want to recognize the hard work of Susan Olding, who has, with a few notes from me, schooled herself in tech-speak and has been doing a fabulous job of making updates to the site. My hat is off to her!