(Transcript continued from the Episode 121 show notes and audio podcast)
This Week in Internet Marketing
Just this morning at 8:00 AM Eastern Time (Thursday, January 5th) ConvertKit is releasing their State of the Blogging Industry Report. This is a very interesting report. I suspect that as ConvertKit continues to do this in the years that follow, this will get even more and more interesting. You can get your very own copy of this report at LateNightIM.com/ckreport.
Basically, it’s a report where they surveyed 850 bloggers with a 20 minute survey and asked them all kinds of questions about the ins and outs of their blogging business in 2017. There are some really interesting results. Now, I’m not going to spoil the whole report for you. I really want you to look at it. It’s a beautifully formatted with awesome graphs. It will really help you figure out where you fit in compared to everybody else in this online business industry. This focuses on bloggers, and I think they’re using that term pretty loosely here. People with a blog.
They found that, surprisingly, 15% of people who consider themselves to be bloggers also earn more money than the median United States household income, based on the Census data that is available in 2015. That’s just the high water mark that they used. That’s amazing information. They break all of their responses down, these so-called professional bloggers that are actually making this more than average kind of U.S. income money.
They also find that the other 85% of people are not earning more than the median household income, but as the future of blogging, as the up and coming bloggers, their data is also very interesting as well. They look at the diversity of this population and what it is that makes these bloggers happy, what gives them a sense of accomplishment, what platforms they’re blogging on, how many visits they have, all of this kind of stuff.
You may be surprised to know that most bloggers in this big survey had between 1,000 and 10,000 visitors. If that describes you, that makes you normal. If it doesn’t describe you, if you’re in the below 1,000 visitors category, that tells you where you’re headed, because that’s what’s typical in this survey.
It talks about how many hours a week they work and all kinds of interesting stuff like that. I definitely recommend that you go and check this report out.
17 Hacked Websites
As I alluded to, I had a very eventful holiday break. My intention was not to work on my stuff too much. I had prerecorded a bunch of podcasts, I was taking time off with my family, and trying to get some work done on the Late Night Affiliate course. Out of the blue I get this email from Google Webmaster Tools (which is now called Google Search Console) and the subject line is, “Hacked Content Detected on Website,” with the URL for one of my affiliate sites that I maintain.
The URL has something to do with ninja gold boy panjabi sing and a bunch of other stuff that I did not recognize the slug in the URL, but the domain was definitely mine.
I’m thinking that doesn’t sound good. Then another email comes in, a second site of mine has been hacked.
Then my wife’s site over at BallcapMom.com has been hacked. I searched my wife’s site on Google and sure enough, in the search results it says, “This site has been hacked. May contain malware.” I’m thinking, “Great.” I knew I needed to get to work, because once you’re in this situation the only thing you can do is roll up your sleeves and go solve the problem.
What I wanted to help you with today is, one, I wanted to tell you exactly what I did. My fix in my case was very straightforward. Then, number two, I wanted to go over with you the low tech recommendations for how to keep your WordPress website from getting hacked, because this is a pretty common problem. This happens to a lot of people. Admittedly, it has never happened to me, but there’s a first time for everything and I know the statistics say lots and lots of WordPress websites get hacked.
When I say low tech things that you can do, I wanted to help you do the things that you can do without being a turbo geek. If you’re a computer guru, you know you can go Google ‘hardening WordPress websites’ and you can do a bunch of things that are too complicated for the average WordPress user. But, there’s sort of a list of straightforward low level things that everybody should be doing and I want to make sure that we cover those on this podcast.
When I found out that my site was hacked I looked at the nature of the hack. What happened was hackers had compromised the website and added a tremendous amount of content to the site that they were serving to other places and using to hack other sites. The CPU load on the server had gone through the roof because there was an enormous amount of traffic through this. Basically, the sites were being used as bots and other things. When I did an audit of the files that were on the site, started looking around in the directories on the sites, I found there was just a ton of information on there that I didn’t own and the disk was almost completely full.
It was a total mess, a total takeover of these 17 websites that were on this one server. Luckily, this server happened to be hosted at SiteGround, which I’ve been talking to you guys a lot about lately. I put in a ticket at SiteGround and said, “I have this server load problem, it looks to me like the site has been hacked. Can you confirm?” They were able to confirm that the site was indeed hacked and they agreed with my conclusion.
I started looking back at the logs and stuff and I was able to determine that this happened a couple of days ago. Very simply I was able to put in a ticket at SiteGround and ask them to roll the site back and restore a backup from several days ago, prior to when I thought the hack occurred based on the activity.
This is not a surefire thing, because in some cases the hackers know that this is what you’re going to do. They’ll exploit the site and then they’ll let that sit dormant for a long time so that your backups are too old to be of much use to you. If you’re blogging all the time and adding content, the last thing you want to do is backup two months.
In my case it had only been a few days, so I backed up a week and told them to restore the entire server, all 17 sites that are on this server, to its condition a week ago. They did that very quickly. I must say that the customer support at SiteGround was really good and they handled this very quickly in the middle of the night. It was the middle of the night for me, but probably the middle of the day for them. Excellent customer service and I was back up and running pretty quickly.
But, I was back up and running with a website that had been restored to its previous state, which we know can be hacked. We knew that was the case because it had been hacked. So the next thing that I had to was harden the website. What I wanted to do for you is give you a list of things that you can go do right now today without a lot of technical expertise, with practically no technical expertise as a matter of fact, so that you can harden your website. If you want to get hardcore you can do this even more than what I’m going to tell you. I’m just telling you the minimum level of things that you could do.
There was an article that I ran across that was based on data from 2014, from WP White Security, this is a pretty famous whitepaper that had been published a couple of years ago. I don’t have any more current data, but back then 41% of websites that were hacked were hacked through security vulnerabilities on the hosting platform and 50%+ were hacked through security issues in WordPress or plugins. So most of the hacks, the vast majority of WordPress hacks, either come through the hosting platform or they come through out of date WordPress or out of date plugins. Based on that, I think it’s pretty clear the kind of things that you need to go do and I’m going to give you a list of things here.
The first thing is for recovery purposes you want to make sure that you have good backups and that those backups are recurring on a regular basis. There are plugins to go do backups. There’s a Dropbox plugin. There are backup strategies that you can pay and there are free ones. If you go to the WordPress plugin repository and search for backup plugins, you’ll find several options. I’ve tried most of them. They’re all sort of okay, but there is really nothing that is going to beat a server backup from your hosting provider. You might choose to also do your own backups, I do that as well just as sort of a belt and suspenders sort of thing.
When it comes to reliable backups that are reliably stored and easily restored, it’s really hard to beat your service provider that is doing your hosting. So check in with your host to see if they provide backups and see if you can afford that; sometimes they charge for that, sometimes they don’t. You’re going to want to know what your backup situation is and make sure your site is backed up and that it’s backed up in a way that you know how to restore it easily. That’s the first thing.
The second thing I need you to do is make sure WordPress is up to date. At the time of this recording the current version of WordPress is 4.7. I recommend that you get everything updated so that you can run WordPress 4.7. If you have a reason that you can’t update, like a plugin or theme incompatibility, you need to fix that. If you look at release notes for WordPress one of the things that the WordPress is doing all the time is fixing security issues. You need to make sure that as these exploits are identified and patched that you are up to date with that.
That seems really obvious, but when you’re live living out there on the internet where hackers can randomly search the Google index to find you and your site, and then attack it relentlessly where you don’t even know they’re doing it at 3:00 in the morning, you really need to have the latest protection for WordPress. Those guys at WordPress have a big investment in security and they are doing their very best to harden that as much as possible.
The third thing, closely related to that, is to make sure that your themes and plugins are completely up to date. You need to be rigorous about that. In both of these cases, my recommendation is to turn automatic updates on. Unless you’re really good about logging in and updating things when they need to be updated, my recommendation is definitely automatic updates. I know those aren’t for everybody. Sometimes that can break things. I’m going to give you an alternative to that here in a minute. Consider if you’re a lazy person or if you don’t want to deal with this, anywhere that you can turn on automatic plugin, theme, or WordPress updates, do that.
Related to that, you’re only running one theme and you’re probably not changing your theme very often, and you’re only running a certain number of plugins, but you may have a bunch of stuff that you’ve installed that you’re not using. Themes that you tried and didn’t like, themes that shipped with WordPress, plugins that you tried but you’re no longer using. I want you to delete all of that junk out of WordPress. Go into your plugin manager or go into your theme manager control panels and delete those themes and plugins. We don’t need that dead legacy code that you’re probably not updating providing additional points of attack. Let’s get that deleted and get that out of there.
Additionally, if you don’t really need a plugin, don’t use it. I would default to being stingy. Every line of code, even from the very best developers, that you add to WordPress is another opportunity for another point of attack. My point of view on plugins, both for security and for performance reasons, is to only use plugins if I really need them. Try not to go and use every plugin in the world.
The fifth thing that I want to offer is make sure that you do not use admin as a username. This is a commonly understood thing in WordPress. WordPress as it ships a lot of times will use admin as the default username. Don’t use that. Hackers know that a lot of WordPress installations have admin as a username and that gives them half of the puzzle. If you are using admin as your username, then they know your username. So don’t do that.
Either delete admin, or if that’s a problem add a new administrative account, like Bubba437 or whatever you want to call your account, and change that admin user down to subscriber and harden the password. Make a really difficult password on that admin account and never use it again. Make sure you’re not using admin as a username for the administrator of your blog.
Along with that, harden your password. You can change it often, I recommend that. You can make it very hard to guess, I definitely recommend that. And you can consider using two factor authentication, this kind of thing where in addition to the password you need an additional piece of information like a secret code or an authenticator application, or an SMS text message, or some additional piece of information.
If you search WordPress plugin repository there are lots of those now, or at least four or five. One of the most popular ones is the Google Authenticator plugin. You can give that a try and that will really help you lock things down.
I told you that 41% of the attacks or so were coming from hosting, so use the best hosting that you can. I recommend that you use hosting that is designed for WordPress, where people are on the lookout for this kind of stuff are running the company. A lot of times this is described as WordPress managed hosting, where they’re paying attention to these security vulnerabilities.
I definitely recommend that you go with a reputable company. Right now my recommendation for that kind of thing is SiteGround. Whatever you decide to use, make sure that you’re using someone who knows what they’re doing. If you’re using a homebrew solution or the cheapest thing you can find, that could be a problem for you and it’s going to cost you more money in the long run.
Finally, my recommendation for easy things that you can do is to add your site to Google’s Search Console, the thing that used to be called Google Webmaster Tools. They are watching your site and they will notify you as soon as it’s hacked. Some of these hacks are a little bit difficult for normal human beings to detect, but Google is constantly scanning with malware detection and recognizing that and that will help you to identify any problems that you have on your site.
One more thing that I recommend that you can consider is adding a security plugin. Personally, in the past I’ve gone back and forth on whether or not to use these. Right now I’m using one. The one that I’m using across all 17 sites is Wordfence.
I’m using the premium version of Wordfence, which is a little bit pricey in some cases. It starts off a price of $100 a year for a single website and the longer license that you buy or the more sites that you buy you can get a discount per license. It gets a lot cheaper if you buy a bunch of them, but that’s kind of expensive for a lot of people.
The free version of Wordfence security is pretty good. It has a firewall, it looks for hacking and bots, and other kinds of online threats. It’s a good one. One of the things that it does is it pays attention to whether or not all of your plugins and themes and WordPress are up to date, and if they come out of date and a new version is released it sends you an email. I really like that feature.
There are other popular and effective plugins, like iTheme Security, which used to be known as Better WP Security. That’s also very good. Quite frankly, I’ve not done an exhaustive study of what features these have and which one is best.
Securi also has a plugin that they offer. Of course, the Securi guys are like WordPress security ninjas. They can also help you if your site has been hacked. A lot of these plugins have premium services like that.
The fourth one that I can tell you about that I have not used at all is the guys at Automaticc have some security features now as part of their all-in-one plugin that they offer called Jetpack.
Those are four options that you can look at.
In summary, what I want you to do this week – I want you to do it right now, I don’t want you to delay – I want you to go make sure your backups are good, update everything you can find in WordPress, your plugins, themes, and WordPress itself, and delete any of that stuff that you’re not using. Any plugins that you can eliminate, I want you to eliminate them.
I want you to make sure that you’re not using admin as a username on your site. If you are, I want you to turn the privileges of admin all the way down to subscriber and lock down the password and never use the account again. Make sure that your passwords on your administrator accounts especially are super hardened and locked down. Consider using two factor authentication there.
I want you to make sure that you have hosting that you really trust and that your site is listed in Google Webmaster Tools. Finally, my recommendation is that you go install Wordfence and see what it has to say about your site. It will do a scan of your site and make sure that there is no malware already existing there. It’s a really nice free level of the plugin that they have and it can really help you out.
That will make you feel better about where your site is in 2017. You have these goals for 2017, the last thing you want to do is spend a week or two dealing with 17 hacked websites like I did over Christmas break.
Wrapping Things Up….
I hope that is helpful to you and I hope you’re off to a great start for 2017. Go check out that ConvertKit report, that will really help you understand where you fit in this online business sort of thing, at least in terms of where these bloggers were. There’s really interesting data in there.
Harden that website. And get ready for some actionable content in the next two weeks regarding how to get your goals actually completed in 2017. Until next time, I hope you have an absolutely amazing 2017 and I’ll talk to you soon.
