Welcome back to the Food Blogger Pro podcast! In this episode, Bjork talks with Andrew Wilder from Blog Tutor about blog security.
Last week on the podcast, Bjork interviewed Susan Wenner Jackson from Ahalogy. Susan shared her best advice for mastering Pinterest as a food blogger. To learn her secrets, click here.
How to Secure your Food Blog
When you’re starting and maintaining your food blog, there are so many things to do. From getting your website designed just right to making that batch of double chocolate cookies 5 times to make it perfect, a food blogger pretty much always has a full plate (har har).
So when someone tells you that you should take some of your precious, precious time and use it to create strong passwords and back up your blog, I’ll admit that I’m not the first person to jump up and down in excitement.
However, these things are so, so important. It only takes one small event – which are often caused by factors out of your control – to bring your blog down. And if you don’t have it all backed up, you could lose all of your hard work just like that.
Andrew Wilder specializes in blog security, and today he’s here to tell us what we need to do to make sure our blogs are safe from both intentional and unintentional harm.
In this really important interview, Andrew shares:
- How he transitioned from being a studio lighting designer to a food blog security master
- The two most important things you can do for your blog’s security
- How databases work and why you need to back them up
- What tools he recommends for your website backups
- Whether or not you should use your hosting company’s backups
- Why you should use a password manager
- Why you should update your WordPress software and plugins
- What two-factor authentication is and why you should be using it
- How he helps webmasters keep their websites live and secure all the time
Listen to the Food Blogger Pro Podcast below or check it out on iTunes:
Resources:
- Eating Rules
- Blog Tutor (now called, “NerdPress”)
- VaultPress
- UpDraft Plus
- BackUp Buddy
- Securi
- CodeGaurd
- 1Password
- KeePass
- LastPass
- WordFence
- iThemes Security
- Login Security Solution
- Google Authenticator for iPhone and Android
- Duo Security
- Deals & Discounts page on FBP
Remember, we are closing the doors on FBP memberships on November 19! Sign up now to get access!
If you have any comments, questions, or suggestions for interviews, be sure to email them to [email protected].
Be sure to review us on iTunes!
If you’d like to jump to the comments section, click here.
Transcript:
Bjork: Welcome to episode number 20 of the Food Blogger Pro Podcast. Hey, there, Bjork Ostrom here. I actually have some really big news to share this week on the podcast and I’m excited that you’re tuning in for it. Believe it or not it’s actually news about Food Blogger Pro. Are you ready for it? Drum roll. I won’t actually drum roll on the mic. On Thursday, November 19th we’ll be closing the doors on new membership signups to Food Blogger Pro and we won’t have another public enrollment for at least six months from now.
We’re also going to be capping total membership signups to 2,000 members. If you go to FoodBloggerPro.com before November 9th and you don’t see the signup option, all that you see is a waiting list signup, that’s because we’ve hit that 2,000 member mark. I just wanted to explain that in case we get to that number before November 19th to avoid any confusion. Here’s the reason why we’re closing down the doors on Food Blogger Pro and doing really limited enrollment throughout the year. We really see it as having two different seasons. It allows to have a marketing season and then a membership season. The marketing season like right now will happen twice a year. It’ll be when we announce that Food Blogger Pro is open for enrollment and that we’re taking new membership signups.
We’ll do a really big announcement here on the podcast like we’re doing right now on Pinch of Yum, Lindsay’s food blog and on the Food Blogger Pro blog, basically, all the different platforms that we have to announce this change. Much like a college we only have limited resources for a certain number of students, so that’s why we’re capping it at a total of 2,000 members. That’s the marketing season. It makes sense, it’s a time for us to really market. It’ll be probably a week to two weeks of a lot of announcements and updates about Food Blogger Pro with a really hard end date when you have to get in by.
Then there’s the membership season and this is what I’m really excited about. This will be the six months in between those public enrollments and this will allow us to focus in on the members and really help them transition their blogs to the next level. Again to use the college analogy, it’ll be like a semester at a university or at a college where we’ll really be able to dig into content, learn about how you can build a thriving blog and share insider trends and things that we’re seeing in terms of social media or blog monetization or building traffic. All of this without having to worry about the advertising or marketing side of Food Blogger Pro as much as we do right now.
That’s the overview of why we’re making this switch. We want to have a really strong marketing season that’s short, one to two weeks, and then really focus in on the membership season where we’re able to really lean into teaching and learning alongside the members of Food Blogger Pro. How about this, some frequently asked questions. One of the biggest ones, who should join Food Blogger Pro? This might sound a little bit backwards, but Food Blogger Pro is actually a really good fit for people that are strapped for time. Let me explain that a little bit. If you have time to search things out, to put together your own game plan, to learn on your own then Food Blogger Pro realistically probably isn’t a good fit for you because you can do all that stuff in the free time that you have.
If you have limited time or you’re strapped for time and you want to make sure that you’re using it wisely then realistically Food Blogger Pro is going to be a really good fit for you because it’s easy to waste time, that precious time, doing things the wrong way or even worse doing things that don’t matter whereas with Food Blogger Pro you’ll have a roadmap and suggestions for what you should do next and how you should do it. If you run into any issues we have a community forum where you can bounce ideas off of people or get feedback or suggestions on where you should go next.
This is a little bit of a tangent, but I think it’s an important concept. For those of you that are thinking about joining Food Blogger Pro or that are part of it my recommendation would be to implement something that we call one percent infinity. Here’s what I mean by one percent infinity. One percent infinity means that you get a little bit better every day over a long period of time forever, right. That’s the infinity part, so one percent better every day for a long period of time.
Food Blogger Pro’s a great place for you to do that where you can go in each day, take 10 to 15 minutes, go through a couple of videos and maybe read through the community forum, maybe interact with people a little bit. If you do that each and every day, not for an hour or two hours, but just a little bit of time, then over a long period of time you’ll be able to sharpen your skills. You’ll also have a guide for what you should be working on, so you don’t waste time doing things that don’t matter or doing things the wrong way.
If you do this type of intentional learning I think this makes me so excited, but if you do it each and every day for one year or longer you’ll be light years ahead of where most bloggers or website owners are because of that intentional learning. That’s my little rant on one percent infinity. We think Food Blogger Pro’s a great place for you to do that, for you to take those little learnings each and every day and apply them to what you’re doing with your blog.
How about this question, is it a good fit for me in terms of my content? If you aren’t necessarily 100% food blog would Food Blogger Pro work for you? Obviously, the content of Food Blogger Pro is focused on food, but I’ll say this, we have 10 to 15% of our members that don’t have a food specific website. They just adapt the video training and community conversation to their niche, so that’s another really common question that we get.
Then the last most common question, how much is it? It’s $29 a month. There’s no commitments, so it’s not like you have to sign up for a two-year contract like you would with your cell phone or anything like that. It’s $29 a month and there’s no commitment at all for how long you stay. Again we’ll be closing off Food Blogger Pro, the doors to Food Blogger Pro, on Thursday, November 19th or when we hit that 2,000 member mark, whichever comes first. If you want to secure a spot you can head over to FoodBloggerPro.com and click the orange join today button.
Speaking of securing, see what I did there, we’re going to be talking with Andrew Wilder today from BlogTutor.com about different steps that you should be taking to make sure your blog is secure. It’s a really awesome conversation, one that I’m really passionate about because I think so often it’s something that people miss. Andrew’s a blogger himself, he’s worked with hundreds of different food blogs to help them set up a safe and secure site, so I know you’re going to get a ton out of the interview today, so let’s jump in. Andrew, welcome to the podcast.
Andrew: Happy to be here, thanks.
Bjork: We were talking a little bit before we pressed record and we’re talking about the fact that we just love to geek out on all things backup and security which I’m so honored and excited to have you on the podcast today. Not only because you will be able to geek out with me on that, but because you know what you’re talking about. I’m super excited for the listeners to hear a little bit about what you have to share.
Before we do that, I was reading through and studying up and it was funny because I realized that we maybe have a similar story. Not that it exactly parallels, but we were doing very different things before we were doing what we’re doing today. I worked at a nonprofit before this and then slowly made this transition into doing the food blog and Food Blogger Pro, kind of this world. You were doing lighting design, is that right? Now you’re doing blog and website consulting. Connect those dots for us, how does that happen?
Andrew: I don’t know if there’s a dot between lighting design and web design and stuff. I spent about 10 years working as a lighting designer in the theater and doing live events. The coolest part of that was when I worked on cruise ships. I traveled the world for a while and that’s awesome when you’re in your 20s and then it becomes soul crushing for a little while.
Bjork: It’s a transition from awesome to soul crushing, yeah.
Andrew: Somehow it’s magically both at the same time and over the years I sort of had a love/hate relationship with lighting design and over time the hate part was growing and the love part was shrinking until I reached that tipping point where I’m, you know what, it’s time to move on. Through all of those years I had been doing some website work as a side gig, a hobby that paid the bills term.
When I left the lighting business I ramped up some of that work to help pay the bills and figure out what the heck I was going to do next. Around that same time I had all this life changing stuff happen. I was out of a four-year long relationship, I think my grandmother passed away in the same month, all this stuff and then a couple of months later I decided to try dating. Actually, my New Year’s resolution was to get over the stigma of online dating which was easy because you do it once and you check off your resolution.
Bjork: Yeah, right, exactly. It’s easy to check that off.
Andrew: I started dating again and realized if I’m going to be dating I need to be in better shape and I also had this aha moment where my body was really stiff and not moving. It all coalesced and I rekindled my passion for food and health. It had been a really strong interest before when I was in high school and it got pushed to the wayside especially when I was working on cruise ships. That spark grew again and long story short, by the end of that year I had this big transformative year, I was exercising and I was eating well and I wouldn’t shut up about it. I was driving my friends crazy because I was like oh, eat this, don’t eat that, blah, blah, blah. Finally I decided to pursue that as my next path and that’s how my food blog, Eating Rules, was born.
Bjork: Great, and so you start Eating Rules and then there’s also these subcategories under it or maybe they’re not even subcategories now, maybe they are the umbrella branch because you have healthy ads and then you also have the Blog Tutor brand in business. That’s the one that we’re going to talk about and focus on a little bit today. Out of Eating Rules, your food blog, how did Blog Tutor come to be?
Andrew: I’ve been doing all this website stuff and at one point I was asked to speak about Google analytics at a Food Bloggers Los Angeles meet up. There’s about 30 or 40 of us and we meet about once a month and do a potluck and so they asked me to talk. I did this 15-page presentation. I didn’t know who I was going to be talking to, so I printed all this stuff out with screen shots and everything and we spent two hours and went through everything. Then afterwards everybody swarmed me and they were like hey, can you fix this and can you fix this and what do you charge? I’m like yeah, sure, I won’t charge you, no problem.
Bjork: That’s a good question, yeah.
Andrew: People insisted on paying me. They wouldn’t take no for an answer and that’s where I’m like wait a minute.
Bjork: Right.
Andrew: That’s when I realized … Because I was still fairly new to food blogging and I realized food bloggers are very serious about their sites and it wasn’t just a hobby. Even if it was just a hobby a lot of people would spend money on their hobby because they want to enjoy it and not be struggling with all this tech stuff. Blog Tutor really just sprung from that one meeting and I hung out a shingle as the Blog Tutor and it’s been great, I’m swamped.
Bjork: Cool, and there’s such a need for it and there’s so many things like you said where people just don’t want to handle the tech end of things. They want to do what they enjoy and they want to focus on the food element which is why it’s so nice to have an offering like Blog Tutor which is why I’m so excited to talk to you because there’s this very unique overlap that you have and a very cool perspective where you understand the important IT techie website. I’ll go so far as to say geeky elements of building a food blog specifically. Not just the general blog stuff, but very specific to food which I think is awesome for the people that listen to this podcast and one of the reasons why I’m excited to have you on today.
Let’s say this, somebody has five minutes left, they’re on their commute and then they’re going to sell their phone after this. They’re not going to have the podcast app. What do you tell that person that has five minutes left to listen to this and then we’ll get into some of the more long form stuff. What’s the most important thing that you know right off the bat for people to understand and to know and to implement about security and backups on their site?
Andrew: You just said the magic word, so I’ve got two things. First is back up your site. It’s shocking how many people aren’t backing up their site and there’s so many reasons to do it, security’s only one of them. Back up your site and make sure the backups are happening automatically because otherwise you’ll just forget and not do it and that they’re going off of your server to somewhere else.
Bjork: Great.
Andrew: That’s a huge one and the other big, big takeaway is use strong, unique passwords everywhere.
Bjork: That’s awesome. For those of you that are listening, my challenge to you and you know who you are you people that will hear that, that you know that you need to do it and then you won’t do it. I know because oftentimes I’m one of those people and I just have to block out a chunk of time and say I’m going to sit down and do it. I’d encourage you listening to do that if you haven’t done that. What we’re going to do now which I’m excited about is we’re going to actually talk about the nitty-gritty details of that. Let’s jump in, Andrew, and talk about backups. With this are we assuming that the people we’re talking to are on a WordPress site just to get that out of the way before we move into it.
Andrew: Generally speaking, but this really applies to any website.
Bjork: Okay.
Andrew: I don’t know if there’s an automated way to back up blogger sites. I know you can do an export, so you might have to set up a calendar reminder and just download everything once a week.
Bjork: Sure, great.
Andrew: Generally, we’re talking about WordPress.
Bjork: Yeah, and that’s what we found. Every once in a while for Food Blogger Pro members they’ll come on, they’ll be a part of Blogger, or maybe they’ll have another site like Squarespace or something like that. Oftentimes though we’ve noticed that those members eventually migrate over to WordPress just knowing the flexibility that exists with that and stuff like doing automated backups which we’re going to talk about now. Assuming we have a WordPress site, we have a food blog, we’re up and running, but we don’t have any backups. First, why is that an issue and then second, what can we do to remedy that, what are the actions we need to take?
Andrew: Okay, so it’s an issue for two reasons. One is your site may get hacked and that way if it is ever hacked you can restore it from a backup. Short of that the … Actually, it isn’t necessarily something malicious that could happen, too. Your server could crash. You could have … A database table gets corrupt or something or there’s a power outage. I was dealing with a client’s website yesterday who all the database tables got corrupted and I actually had to restore from my database backup. It’s not necessarily malicious. The other thing is you can make a goof, sometimes you might accidentally delete a plug-in or change some files and bring down your site and being able to restore from a backup is really important.
Bjork: Yeah, and we’ve had that happen especially when we were first getting started where I would go in and I say that I don’t know really development or coding, I just can copy, paste, and cross my fingers. I did that once and then I went back to pinchofyum.com and refreshed and it was like white and it’s just white, so scary. Especially if you don’t know what the change was that caused that error, so especially across the board always have those backups. Man, a great example like you said is if it’s a user error, if it’s something that you changed, a piece of code, or sometimes, too, I noticed this, maybe a plug-in that you update that doesn’t play well with other stuff. It’s like ooh, man, if that happens it’s really scary if you don’t have those backups. We know the reason why, so what does it look like to actually implement that? What are the steps that people take to make that happen?
Andrew: Okay, so I guess the important part to know about this is understanding how WordPress works. There’s two components to it. There’s all the files that are on your server and those files are generally text files or images. The text files might be like PHP scripts or JaveScript or Cascading Style Sheets, all of the stuff that’s the program of WordPress and your photos. Then there’s also the database and the database works in parallel and that holds all the content of your posts, it holds all your site settings. It might hold some other custom stuff or all your comments, all of that. When somebody browses to your website, WordPress or any content management system will do is the files will run the program and they’ll push information from the database and they’ll actually build the webpage on the fly and spit out this web document to the browser.
Bjork: Great.
Andrew: They’re catching plug-ins that can speed that up, but generally that’s what’s going on and so you’ve got these two parts. A lot of people will download a database backup plug-in and they’ll backup just the database not realizing that they have to backup all of their files, too. Without both halves of that you’re not making a full backup.
Bjork: Okay, and I want to stop on that and vamp on that for a little bit. This is more of … I’m going to attempt to do a super simplified version of what that process looks like. You can tell me if it’s totally off or if it’s somewhat accurate or how I should tweak it just to see if people can … to communicate what that process looks like. With a server this is something that took me a while to learn, but essentially a server is just a computer, right. It’s a computer where … You had said files are hosted, so I’m going to make this really basic. Let’s pretend that it was a Word document in WordPress and it would say something like when somebody goes to this page get this information and then that would be the file.
Then the database would be Excel where there’d be all of these different rows and columns. The Word document says get this information in this Excel area and it grabs that and puts it in and it completes the document and in this case it’s a website. Now for those that want clarification it’s not actually Word, it’s not actually Microsoft, but the idea is that there’s those two components, that those live together and they work off of each other and talk to each other. In a really, really basic level is that kind of how that works?
Andrew: I’ll say yes. Yeah, once you know how it thinks it’s not like this crazy rocket science. It really is a computer sitting on a rack in a server room somewhere that’s hopefully got air conditioning and all that stuff, but it is just a computer.
Bjork: Right, yeah, and I think that’s something that was so interesting to me is to learn oh, a server is just a computer and it makes sense that it’s called a server because it serves things to people that come there. It serves them files and it serves the database. What you’re saying is sometimes there’ll be backup plug-ins that just back up the database. It’s really important if you have a WordPress site or any website that you’re doing the database and the files, that you have a plug-in or a service that does both. Do you have some examples of plug-ins that people could use or services that might work well for that?
Andrew: Yeah, I want to mention four of them actually.
Bjork: Great.
Andrew: The first one is called VaultPress. It’s actually made by the people who make WordPress. WordPress is a free software and they add these extra features and you can pay for it. You can pay for a Akismet for the comment spam filtering. VaultPress is a service they offer. It’s a little on the pricey end, but it works really well because it’s built by the people who make WordPress. I think they have a couple of layers and you can even have real time backup, you make a change and it backs up right there. The one I use is called UpdraftPlus.
Bjork: Okay.
Andrew: I think they just passed more than half a million downloads, so it’s the number one download plug-in right now.
Bjork: Oh, awesome.
Andrew: It’s free for the basic version. They have a premium version that adds features. You can schedule what time of day you want the backup and there’s some other features there, but even just the free version will make you a successful backup.
Bjork: Okay.
Andrew: Then another popular one, it’s called BackupBuddy. I haven’t used it in a while, but I’ve had a lot of people tell me it’s really great. All three of those are plug-ins for WordPress and what’s nice is they’re integrated into WordPress, they’re built for WordPress and they know what they’re doing, right.
Bjork: Right.
Andrew: In terms of those parameters. What I found is sometimes WordPress plug-ins will
glitch or there won’t be enough system resources, so I actually like to use a second layer of backups. I found a service called CodeGuard which is another third-party tool. What they do is they actually log into your site remotely using various protocols that have nothing to do with WordPress. They’ll log in every night and download your files and retrieve your database and store it on their servers. What’s nice about that is it’s not reliant on the WordPress processes and so it tends to be more successful or glitch less often maybe.
Bjork: Sure.
Andrew: One of the troubles with all this stuff is there’s so many moving parts of this that no one backup system is going to be 100% effective all the time. It may glitch and pause and not complete a backup one night and the next night it might do okay. I like having two systems in place because I find backups are so important that I like the redundancy.
Bjork: Yeah, can you talk about that a little bit, redundant. What does that mean and why is that important?
Andrew: If one set of backups isn’t working for some reason, that way you can log in and go somewhere else and get the backup and it’s really just an added layer of protection.
Bjork: Great, so it’s essentially not a backup of the backup, but it’s a backup in case the other backup doesn’t work. The idea being if you want to be extra secure, if you want to sleep really well at night you want to have at least two versions of the backup. An example that is related, but maybe a little bit different for my computer, I back up to a program called CrashPlan which goes to the cloud. For those that aren’t familiar the cloud is essentially any type of server that’s not where you are.
Then I also have a time machine backup right on my desk and the idea is that then we technically have two different backups in two different places. I think that’s awesome what you said about the redundancy of a website backup, that you have two just in case which I think is awesome. One of the things that I know people will run into when they’re signing up for a website and they’re going through their hosting company or maybe they get an email. It’s an offer for the hosting company that says you need to back up your website, you can pay us ‘x’ amount and we’ll take care of that for you. Should people do that?
Andrew: I think that’s a totally acceptable way to go as long as the price is right. If they’re giving you an offer and they want $100 a month to back up your site, hmm, you might want to shop around. I’d say there’s nothing wrong with your hosting company doing the backups for you. The trick is to make sure that you actually confirm that they’re doing the backups. Don’t assume it comes with your hosting plan.
Bjork: Okay, great. That’s awesome and I feel that if people come away with just
starting to do backups on their site, if nothing else it’s going to be a huge win for people because it’s so, so important. I appreciate talking about that a little bit and I think that’ll provide some good action items for people moving forward. I want to talk about that second piece that you talked about, the password piece. You had said it’s really important for people to have secure passwords. I’m thinking about a secure password and let’s say it’s a bunch of different numbers, it’s a bunch of different letters, maybe some symbols involved in there. You’re saying that we should have one of those for each and every website we visit, is that right?
Andrew: Yep.
Bjork: Okay, so how do you keep track of those? Is it that you do have to have a brain of steel?
Andrew: No, I have no idea what all my passwords are.
Bjork: Okay.
Andrew: I should say there’s nothing like less sexy even talking about passwords, so bear with us. It’s so important. Okay, so the first question is a uniqueness, right. If you use the same password on every website then what happens if, I don’t know, your Bank of America website or whatever, some banking website or some other website you use is hacked and they get your email address and your password. They’re going to … The hackers may try that password on every other service and so by having unique passwords you’re able to nip that in the bud and then if something’s compromised then that’s the only thing that gets compromised.
Bjork: Great, so the idea being, let’s say there’s the Home Depot hack and I think those may be credit cards, but let’s pretend it was also emails and passwords. If I had a Home Depot account and that was hacked they would have my email address and if I used the same password for that Home Depot account they could go and they could try Bank of America and they could try Target and they could try Walmart. They could try all these other websites and if you use the same password they’d be able to log into those, maybe PayPal’s another example. You’re saying that’s the issue with using the same password. It’s not necessarily that it’d be easy to guess, but when something is hacked that people would be able to use it in other places.
Andrew: Exactly.
Bjork: Yeah, so somebody has the same password they’re using. What is the first step that they take in order to move towards using secure passwords?
Andrew: You’re not going to be able to hold all these passwords in your head, right? Like I
was saying, I don’t even know what my passwords are. What you want to do is get a password manager. This is a program that you keep on your computer or there’s some websites that offer this service that can also synchronize with your phone. What you do is … They basically just are holding a database of all your usernames and passwords. They store that encrypted and then you need one master password to access it. All you need to do is remember that one really strong password and then you can get to all of your other passwords.
Bjork: Got it, so that strong password that you have that you do have memorized probably has numbers, symbols, letters. That unlocks all of the other passwords that you have and then you’re able to either copy and paste those or sometimes they’ll be some type of application where it allows you to automatically enter it in. The one that we use is called 1Password and I know they have some really cool functionality where you can just type in your master password and then double click on Gmail and it will take you there and it’ll go through the login process. We use 1Password, are there other ones that you’ve used that you recommend people maybe look into?
Andrew: I use one called KeePass, K-e-e-P-a-s-s. It’s a little complicated to set up, it’s a little on the geekier side and it doesn’t do any of that synchronization stuff. There’s another one out there called LastPass which I think is very much like 1Password.
Bjork: Sure.
Andrew: I’ve heard really good things about LastPass as well, so LastPass or 1Password are probably the best choices out there right now.
Bjork: Okay, great, yep. We’ve maybe used that for three or four years now and what’s amazing is when I go in and look at the list of passwords that we have it’s like 600 and the idea that either those could potentially have all the same password if we didn’t use it and this wouldn’t even be possible, but that you’d have to remember all of the other passwords. It’s just overwhelming to look at that, so it’s good to know that those resources are out there and I’d really encourage you that are listening to check those out because that’s going to be a huge thing. You know that then if there is some service that’s hacked you don’t have to worry about somebody getting your information and using it in all these other different places. One of the …
Andrew: We should also … I’m sorry, we should also talk about what it means to have a strong password.
Bjork: Yeah, that’d be great.
Andrew: Because I see a lot of my clients’ passwords, they send them to me, so I can get
into their site. Having just a regular word with a couple of numbers at the end is not a strong password or putting a period at the end or capitalizing the first letter. You want to make it so that it’s broken up and it has some randomness to it. If your password is butterfly72 because you love butterflies and you were born in 1972 hackers can get to that. That’s nothing to a brute force hacking attack, so you want to have that randomness in there, it’s really important.
Bjork: Can you talk about what a brute force attack is, what that means.
Andrew: Sure, sorry. That’s basically if a hacker which is usually not like some kid drinking Mountain Dew in his parent’s basement, that’s not what brute hackerism is for. What a hacker usually is is they create a script or a web program that goes and tries to guess passwords and they will do it super fast. You can’t type this fast. They can literally guess thousands or hundreds of thousands of passwords a second if they’ve got enough computing power. What they’ll do is they’ll start by guessing … They’ll have lists of known popular passwords.
Bjork: Sure.
Andrew: Like the word “password” is one of the most common passwords that’s used or 1, 2, 3, 4, 5, 6 and that’s what they’re going to try first because something like 20% of passwords are one of those. It’s really kind of embarrassing when you look at that. If you were to look up on just Google like popular passwords and you look at a top 100 list you’ll look at that and your jaw will drop because … You feel like how can I be so silly because you don’t realize that it’s not some kid in the basement. It’s some script coming out of some crazy server in eastern Europe that’s like … It’s all about the repeated brute force … Brute force is like … It’s like trying every key on a door, but if you go really, really, really fast.
Bjork: Right, and the example that I think of was … This was a few years ago. We installed a plug-in which is now … It hasn’t been updated for a while, but it was called Limit Logins and it was a WordPress plug-in. We installed it on Pinch of Yum and the idea is if somebody tried to log in multiple times and didn’t get in then they would be blocked from trying to get in. We installed it and then within minutes I started getting these email notifications of failed logins to the WordPress site.
Like you said my jaw dropped, but it was because I had no idea that that was something that was existing because you don’t see it, right. It’s not like somebody’s knocking on your door over and over. It’s a silent process that happens in the background. With that, specifically this is shifting a little bit, but around WordPress security, so people that have their site they have to keep it secure. They have backups, they’re using unique passwords, are there other steps that they can be taking beyond just the secure password that will help to
keep their site or maybe their online life safe and secure?
Andrew: Oh, there’s so much stuff to do, but if you do the backups and the strong passwords that’s 90% of it.
Bjork: Great.
Andrew: Some basic stuff in WordPress. WordPress used to when you’d install it, the username would be admin, a-d-m-i-n, right. They’ve stopped that I think a couple of months back. If you were logging in with the admin user or if that still exists because that was a default all these hacker scripts know that. Usually, like most common when they’re doing this brute force attack, rather than having to figure out the username and password they start with the username admin. If you change your username that gets you a good chunk of the way there and they can figure out your username even without that, but it’s an extra step.
Bjork: Right.
Andrew: What that’s doing is good security works in layers, so this is one more deterrent and it’s like adding … It’s not necessarily adding another lock on the door, but it’s moving the lock. If they’re used to putting it at arm’s length maybe it’s a little bit higher up out of reach and they have to reach a little further.
Bjork: Exactly, yeah, yeah. It’s not leaving the key in the lock for them.
Andrew: Exactly, yeah.
Bjork: That was something that was interesting that I learned was … The username can be found, right. You can go to the blog URL and then I don’t know what the URL is, /users or something like that. You’ll be able to see what the username is, but like you said there’s a little bit more of a process involved with that and it makes it a little bit more difficult for people to find that username. I think that there are plug-ins that you can install that actually remove that. Does that sound right?
Andrew: There are although it’s actually pretty easy. You can’t change a username, but you can do it without a plug-in. All you need to do is create another administrator account. If I wanted to change it from admin to Andrew, I create a new admin account called Andrew, give it administrator privileges and then I’ll log out of WordProcess, log in under that new Andrew account and then what I’ll do and this is the scary part, I’ll go to the users, I’ll click on the admin user and click delete.
Bjork: Sure.
Andrew: That’s the user that has 500 blog posts on it, right, so it’s really scary because you’re like what’s going to happen to those posts.
Bjork: Make sure you have backups, going back to point number one.
Andrew: Make sure you have backups. WordPress is like … You think it’s going to delete right away, but what happens is it goes to the next screen and says hey, there’s 500 posts associated with this account, what do you want to do with them and you can reassign them to the new user and then you can delete the user.
Bjork: Got it.
Andrew: It’s scary, but it actually is a couple of clicks and you’re done.
Bjork: Got it and one of the things that I think is interesting about WordPress and for a lot of people that are single blog sites they don’t really have this, but there are those different levels of users. This doesn’t really have to do with … Maybe it has to do with security, but can you talk about the users in WordPress. I think a lot of us just assume everybody is an admin user, but the fact that there’s different titles that people can have, how do those work?
Andrew: One of the strategies with security is you want to give people as much access as they need, but no more. Say you’ve got a virtual assistant who helps by editing your blog posts, she may need access to your posts as an editor and that’s the title in there is editor. She doesn’t have to be an administrator because she’s not installing plug-ins or changing other high-level settings. If you set her as an editor instead she doesn’t have as many permissions and that way she can’t muck something up or it’s not necessarily that she’ll screw something up, it might be that her username and password gets compromised because she hasn’t used a strong password. That way if the hacker gets in through her account the hacker can’t do as much.
Bjork: Got it, yeah, so there’s just this idea of restricting access, not necessarily because you don’t trust that person, but there’s no point in giving people more access if they don’t need to be able to update plug-ins, for instance, or run WordPress updates or anything like that. It makes a lot of sense. Speaking of that, I’d be curious to know your stance on plug-ins and WordPress updates. A lot of times we’ll get a question from people and they’ll write in and they’ll say I see there’s a new WordPress update, should I install it, should I wait?
We’re so used to updates in our life whether it’s on our computer or on our sites or on our phone and all of those different places have a different reputation for the stableness of an update. When it comes to plug-ins and WordPress updates what is your stance on that in terms of how frequently people should update and if they should wait when a new update comes out or if they should install it right away.
Andrew: Such good questions. Yes, absolutely update. That’s probably the third most
important thing in terms of security is to update WordPress and your plug-ins. I just want to say that right now, don’t be afraid to update. Part of that is sometimes updates introduce new functionality, but a lot of times they’re patching password security holes. Somebody discovers a problem with the plug-in, it gets reported to the plug-in author and they release an update. You want to make sure you’re plugging those holes as they become known, so it’s really important to stay on top of your updates. The other reason it’s important is if you wait too long and you update 20 plug-ins at once you may end up leapfrogging too far and something may hiccup and you may be more likely to have a problem.
Bjork: Got you.
Andrew: I don’t like to update immediately unless it’s a security … a known, urgent security update. What I’ll usually do is wait 24 to 48 hours and what that does is it lets somebody else be the guinea pig and I know if everybody did this it wouldn’t work so well.
Bjork: Our audience doesn’t cover everyone, so for everybody listening they can do it and we don’t have to worry about it.
Andrew: Right, so if there’s a new update that comes out and it’ll tell you how old the update is if you click on details. It’ll pop up and in the top right corner it’ll say last updated seven hours ago. Generally, you want to wait a day or two and that’s because sometimes new bugs are introduced and so let somebody else find that bug. Often the plug-in author will fix that and push out a new update within a day or so and so then it’s safer to do the update and you’ll have a lot fewer headaches that way.
Bjork: Got it, that makes sense. One of the things, this always goes back to that first point that you made that’s so important is those backups because if you do install a plug-in or a WordPress update or something that is a little bit off, let’s say you installed it right after or maybe you waited 24 to 48 hours and there’s still something that was a little bit off, one of the things that’s always so nice to have is that ability to go back and say hey, restore my site to this point when things were working. We’ve had to do that a few times and we’ve installed an update and something has been … There’s some type of conflict that involves with that.
Great, so one of the things that I wanted to ask that is going back a little bit. It has to do with some of the password stuff. One of the things I’m starting to see more and more and we’re starting to get some questions around is this idea of not just passwords, but then a password that is sent to you via your phone or there’s also this application called Google Authenticator that you can use. Can you talk about what those are and how we could potentially be using those to
keep our sites or to keep our accounts extra secure.
Andrew: Sure, so it’s often called two factor authentication and two factor just means there’s two ways to prove that you are who you say you are. The first way is the password and the second will be something like a six-digit code that’s sent by text message to your phone or through the Google Authenticator app which is now if it’s running on your phone that generates a six-digit code that you have to type in. The reason it’s so good is that that way if your password is hacked the hacker still can’t get in without verifying on the second factor. It can be a hassle I’ll be honest, but it’s totally worth it on certain logins.
The places where I think it’s really important, on your WordPress login it’s great because that way you don’t have to worry quite as much about all these brute force attacks. The other place that I think it’s really important is on your own email. Google has had a big push for this. I think they led the charge and now if you use it on your email your email’s going to be a lot more secure. One of the reasons I talk about that is if somebody hacks their email or hacks your email account they can reset your password on pretty much every service you use.
Bjork: Right.
Andrew: Your email account is actually the master account, right.
Bjork: Because you can do the reset password process where you say hey, I need to reset my password and they say, okay, we’ll send you an email. If somebody has your email address they’ll just be able to reset everything, is that what you’re saying?
Andrew: Yeah.
Bjork: Yeah, okay.
Andrew: Exactly, and so that’s where the two factors is worth the extra headache. With all the security stuff you’ve got to always balance the pros and cons of how much extra effort is it versus the extra security.
Bjork: Right.
Andrew: You’re not going to want to use two factor authentication on, I don’t know, some website you barely ever go to that’s just a joke website or …
Bjork: Your Angry Birds login.
Andrew: Exactly, and it’s a videogame website where if it’s compromised eh, whatever, it’s annoying, but it’s not going to be the end of the world, right. Your WordPress login and your email account are definitely worth it.
Bjork: Okay, great.
Andrew: There are some ways to make it a little easier, too. If you’re using your home computer like on your email you can check the box that says remember this computer for 30 days, so you only have to do it every so often.
Bjork: Okay, sure, that makes sense. If you have two factor authentication set up you can click that box and it won’t trigger for 30 days. It’s interesting, we have that set up for all of our email accounts and it’s not often, but occasionally I’ll get a text to my phone with a two factor authentication. It’ll say here’s your login code and it’s like oh, that wasn’t me that tried to get that. It’s a great reminder that in this crazy world there are people that are trying to log in and get information. Although it’s a little bit annoying I think it’s really worth it to go ahead and do that. Let’s say this, you are starting from scratch and you’re setting up your blog. What are the things that you would put into place in the order that you would do them? I’m curious to go from nothing to maybe publishing your first post. Can you walk us through what that might look like?
Andrew: Sure, that’s like a 12-hour podcast.
Bjork: Yeah, right. SparkNotes version, yeah.
Andrew: We’ll narrow it down to just security. There are a few plug-ins that if I’m installing a fresh WordPress installation I’ll just install without even thinking about it. The first one is the Securi plug in. That’s s-e-c-u-r-i. That’s from the Security.com folks. They changed their plug-in recently. It doesn’t do as much as it used to, but I still really like it. There’s a couple of other plug-ins that would be good choices as well and so you’d want … If you’re not going to do security, you may have heard of Wordfence or another one called … I think it’s called better … It used to be called Better WP Security, now I think it’s iThemes Security.
Bjork: Okay.
Andrew: All three of those do the same thing where they have certain things where they harden WordPress to make it a little harder to get into your site and they do some scanning to make sure it tells you if something is compromised on your site. I like those three plug-ins, but you’d only want one of each. Then I do like to protect the login page because that is the most … I won’t say it’s the most vulnerable necessarily, but that’s where the hackers go first. You mentioned … was it limit login attempts? Is that the one you used, which I don’t think has been updated, but I think it still works.
Bjork: Yeah, and we don’t actually have it, but I think like you said it still works. We’ve since uninstalled that and we use the Jetpack … Jetpack just recently added in the ability to essentially do the same thing, limit logins and brute force attacks,
so that’s what we use now.
Andrew: I think the Jetpack module is called Protect Jetpack.
Bjork: Yeah, yeah, yeah, that’s right.
Andrew: I think that’s the one that says prove you’re human or prove your humanity, what does two plus four equal, so that’s a low barrier to prove you’re human. The other plug-in I really like for that is called Login Security Solution.
Bjork: Okay.
Andrew: It’s the most robust I’ve found because it looks at both usernames and the IP address which is the location of the computer that’s doing the attacks. It also enforces strong passwords, so it requires you to have a ten-digit password that has a certain amount of randomness to it. That’s really good if you have a few editors and administrators because then you can set a password policy to make sure you’re using strong passwords. If you’re going to have an e-commerce site where people are creating accounts like a membership site or something like that, I found it’s a little too strong for that and it becomes a customer service nightmare.
Bjork: Yeah, because people do get angry and they can’t use their favorite password or yeah.
Andrew: Right, because they can’t say butterfly123.
Bjork: Yeah, right, 1979, yeah. Cool.
Andrew: I also do like to install two factor authentication.
Bjork: That’s a plug-in. Yeah, I was going to ask.
Andrew: Yeah, that’s a plug-in to do that, too. You mentioned the Google Authenticator and that’s probably one of the most supported because it’s using Google’s authenticator app. What I don’t like about it is it’s kind of annoying. You have to sit there and open up your phone, login, get to the right … key in the six-digit number. I’ve been using Duo Security, that’s D-u-o, Duo Security. It’s a third-party. I think it’s free for up to 10 users and what I love about Duo is you log in and after you log in it says hey, we don’t recognize this computer, we’re pushing a request to your phone. Your phone pops up with a hey, are you trying to log in and it gives you a yes or no and you click yes or you tap on yes and it continues the login process with no other intervention.
Bjork: Oh, cool, slick.
Andrew: It’s very slick, so I’m a big fan of Duo Security.
Bjork: Can you talk just for those that are curious, Google Authenticator, how that works, what that process is. I think it’ll probably become more and more common and I think it’s really cool, a little bit cumbersome, but just for people to know in case they ever come across that.
Andrew: I think it’s called Time-Based Key. It basically gives you the six-digit numbers that every 30 seconds change. The idea is there’s so much randomness in it that it’s hard to spoof, I guess. You go to the app store or the android, what is it play store and you download the Google Authenticator app which is free and once you set it up for your site, I think you can scan a barcode to link it to your site and you get multiple sites that do this. You open up the app and it gives you a list of all of your sites where you would use it and it has a different six-digit code for each one. You scroll through the list and you find your blog and it’ll say that six-digit number and you literally look at it and type it in onto the login form.
Bjork: That’s cool. It reminds me … Lindsay’s dad has one. He’s a doctor and it was maybe 10 years ago he had this little key that he would use to type in to get access to medical records. I was like oh, my gosh, that’s the coolest thing ever. It updates every minute and then that syncs to this database that allows you then to login. Now it’s like I can do it for a WordPress blog or there’s all these different options where you can start to implement that and it feels not only very cool, but very secure that they have that option. Like you said there’s a little bit of work involved in that you have to take your phone out, open the app, have it reset and then enter it in, but a pretty cool thing.
We’re coming towards the end here. I feel it’s one of those podcasts where people have to go back and listen again and take notes and put a little strategy, a plan together for what they want to do. Another option and I want to make sure to give you time to talk about this is to partner with you. I know that you have some options that you’ve built out on Blog Tutor to really help people take care of these things. People can do the DIY method or if they want to say, you know what, I don’t want to worry about this, I want to have Andrew help out with it, have him implement it and take care of it. What would that look like and what are the options that people can have if they want to partner with you to help make their site more secure and implement backups?
Andrew: I am so glad you asked me that question. In my work on all these sites, I’ve worked on dozens and dozens of food blogger sites and I started to see these patterns of things that people feel they know they should be doing, but aren’t. It’s all the stuff we’ve been talking about today where it’s a hassle, it’s a headache to set up and there’s a steep learning curve if you don’t know what you’re doing and it’s not very satisfying frankly. Setting up your sites so that it doesn’t get hacked is really like a letdown because nothing happens when it
doesn’t get hacked. It’s not like this positive reinforcement.
Bjork: Right, right.
Andrew: The best thing that happens is nothing happens.
Bjork: Yeah, right, if you’re doing a really good job then you don’t really hear anything back, yeah.
Andrew: Exactly, and it’s what you want, but again not sexy at all.
Bjork: Right.
Andrew: I’ve started offering a package to take care of all of this and help people go back to focusing on what they love doing which is developing recipes or photographing recipes or going to restaurants and talking about food. Spending more time on stuff they love about their blog and less time on the stuff that they don’t love about their blog. I’ve built out actually three tiers of a monthly subscription. The first level covers the important basics and that’s, of course, the number one thing is backups.
Bjork: Nice, yeah.
Andrew: I set up two levels of backups for the site like I was talking about. I do use CodeGuard and UpdraftPlus. I set that up super securely, so it’s going on the cloud on Amazon 3 and that’s totally locked down. Then part of the plan is if you ever need to restore from a backup I’ll help you with that no extra charge and that’s a big part of the thing because a lot of people are making backups and they don’t know what to do with the backups.
Bjork: Right.
Andrew: Or if you’re talking about a plug-in update and you get a white screen of death. Getting the backup, retrieving it, reinstalling it, all of that is included in my plan, so then I add another layer of security protection. I’ve actually partnered with Securi and they’ll do nightly security scanning on the site. That way usually I’ll get a warning if something seems compromised or wrong and sometimes it’s a false positive, but sometimes if somebody’s site is hacked and they don’t even know it yet and I bring it to their attention and say hey, I’m already working on fixing this.
Then the third part and we haven’t talked about this, but I think it’s really important is uptime monitoring. That’s just making sure your site is actually online. If your site is going down shortly for brief periods you may not even know it and your visitors may or may not tell you. You could be using a web post that’s underpowered or something is glitching and so I set up a Pingdom uptime monitoring that will check your site every 60 seconds 24/7 and kick out an email if your site’s down for more than a couple of minutes and then we can help get it restored. That’s my basic plan. It’s pretty much automatic, but it is your first code of armor, I guess.
Bjork: Awesome, yeah.
Andrew: With that plan people still need to do their updates themselves and that’s really important because that’s where the security holes can be introduced.
Bjork: Right, right.
Andrew: My second tier plan, I take care of the updates for you. I’ll do the WordPress updates and the plug-in updates and the really valuable part of the plan because anybody can click the update, but the valuable part is if something breaks I’ll fix it for no extra charge. Most of the time if something breaks, a plug-in doesn’t complete or there’s a conflict I’ve usually fixed it before the person even knows, so it’s a nonevent again for them. Then I’ve just recently introduced a third-tiered plan which is more for e-commerce sites or the people that are making their entire living on their blog.
Bjork: Sure.
Andrew: I’ll add things like the two factor authentication and an SSL Certificate which we didn’t actually get to, but making sure your login is through HTTPS which makes sure all the information is being encrypted as it goes back and forth and I’ll set up a web application firewall. It’s like the third code of armor to make sure things are like the Fort Knox.
Bjork: For sure, yeah. Absolutely, cool, and those are … If people are interested in checking those out they can go to BlogTutor.com, is that correct?
Andrew: Yep.
Bjork: Okay, great, cool. Awesome, I would really encourage those that are listening if nothing else take that step forward, do backups, to implement secure passwords and if you have the ability I think that as quickly as possible if you can start to have other people come onto your team and help out with that stuff. It’s a really big win because it allows you to do what you love doing. Andrew, thanks so much for your time today for coming onto the podcast, for talking about this stuff. I know that it’s going to make a huge difference for people and like we talked about at the beginning it’s so, so important and it’s not necessarily sexy, but it’s so important. I really appreciate your time and your expertise in sharing some of your knowledge today on the podcast.
Andrew: Thank you. Hey, maybe what we can do is I can jump on the Food Blogger Pro
forums …
Bjork: Oh, yeah.
Andrew: … if people have questions. I’d be happy to do some follow-up if anybody wants a clarification on anything.
Bjork: Awesome, we’ll plan on doing that and Beth, our community happiness specialist will keep an eye out. If anybody’s a Food Blogger Pro member, if you have a specific question, you can go ahead and post that and address Andrew in that question. What Beth will do is she’ll follow up with you and make sure that you know.
Andrew: Awesome.
Bjork: Hey, great. Thanks, Andrew, and thanks for offering, that’s really cool. I think that’ll be a huge help for people.
Andrew: My pleasure.
Bjork: All right, have a good one. Thanks, Andrew.
Andrew: All right, thanks for having me.
Bjork: Yep, bye. That’s a wrap for today’s podcast. Andrew, again thank you so much for coming onto the podcast today. I really, really appreciate that. A quick note here about BlogTutor.com. We actually have a section on Food Blogger Pro called deals and discounts and this is an exclusive area for Food Blogger Pro members to get exclusive deals on different software tools or services, things like that. Andrew was actually nice enough to set up a specific coupon for Food Blogger Pro members or a specific discount, I guess, for Food Blogger Pro members that you can access in the deal section of Food Blogger Pro.
If you’re a member be sure to check that out and he’s also said that if people have any questions about anything you can go ahead and ask those in the forum. We’ll make sure that he sees those, so he can answer those. Be sure to check out that deal. If you have questions hit the community forum and again, Andrew, thank you for coming on the podcast today. One last reminder that we’re closing down the doors on Food Blogger Pro on November 19th which is coming up close. I don’t know when you’re listening to this podcast, but it’s probably a week or less away. That’s a wrap for this week’s podcast. As always thank you so much for checking it out and make it a great week. Peace.
Listened to this episode during my morning commute today and it was invaluable! Lots of new things I’m pushing to the top of my To Do list, but that’s a good thing!
Yay! So glad you found it helpful, Leah!