Affiliate disclosure
Hey there! Quick heads-up: Some of the links in this post might be special. Why? Because if you click on them and make a purchase, I earn a small commission at no extra cost to you. It’s like a virtual high-five for recommending stuff I love! So, thank you for supporting me and the Macpreneur podcast! Remember, I only promote products that I genuinely believe in. Now, let’s dive back into the fun stuff!
TL;DR
In this episode, you’ll learn how to secure your solopreneur business website against hackers.
Discover the potential dangers hackers pose, the main attack vectors they can exploit, and practical steps to safeguard your site.
Plus, get a free resource to help streamline your website security efforts.
Useful links
Tools mentioned in this episode
- 🆓 Website Security Spreadsheet: https://macpreneur.com/wss
- 🆓 Mac Security Checklist: https://macpreneur.com/msc
- Get a $2 discount with Hover: https://macpreneur.com/hover (referral link)
- WP Engine: https://wpengine.com
- WordPress:
  - Hosted by Automattic: https://www.wordpress.com
  - Self-hosted version: https://www.wordpress.org
- JetPack plugin: https://wordpress.org/plugins/jetpack/
- WordFence Login Security plugin: https://wordpress.org/plugins/wordfence-login-security/
- WordFence Security (Full suite) plugin: https://wordpress.org/plugins/wordfence/
- Local app: https://localwp.com
- WP Migrate Lite plugin: https://wordpress.org/plugins/wp-migrate-db/
Past episodes mentioned during the show
- MP099: Mac Security Made Easy: Free Checklist to Protect Your Business & Boost Peace of Mind
- MP104: Stop Hackers in Their Tracks! Simple Strategies for Solopreneurs using Mac
- MP105: Effortless Security: Say Goodbye to Weak Passwords Forever!
Importance of Website Security
As a solopreneur, your website is essential for your business—it’s where you display your skills, attract leads, and engage with clients.
However, many aren’t aware of the threats websites can face.
Using strong passwords is important but not enough.
The good news is that you can take simple and effective steps to secure your site, starting with awareness.
In this episode, I’ll highlight the potential dangers and discuss common attack methods.
By the end, you’ll have a clear action plan to reduce risks and a special bonus resource.
Potential Threats from Hackers
If an attacker manages to compromise your website, here are the potential risks:
- Redirecting Traffic: They could send your visitors to their own site to improve their SEO rankings.
- Data Breach: They might steal all your user data, leading to a massive data breach.
- Defacing or Ransom: They could vandalize your website or take it offline, demanding a ransom to restore it.
- Payment Fraud: They might change the payment processor to profit from your online sales.
- Malware Distribution: They could inject malicious scripts to infect your visitors’ devices with malware.
- Credit Card Skimming: They might install a fake checkout form to steal credit card information.
- Ad Injection: They could flood your site with ads for quick profit, which might cause Google to penalize your SEO ranking.
Main Attack Vectors
To secure your solopreneur website, you need to protect three main areas: your domain registrar, the website host, and your devices.
- Domain Registrar:
  - The domain registrar is where you buy your domain name. For instance, EasyTECH uses EuroDNS and Macpreneur uses Hover.
  - Popular registrars include GoDaddy in the U.S. and OVH in Europe.
  - If someone hacks into your domain registrar account, they could change your DNS settings. DNS, or Domain Name System, translates your domain into an IP address, directing users to your website. A hacker could redirect your visitors to a fake or malicious site.
- Website and Hosting Service:
  - EasyTECH is hosted on Squarespace, using the same login for everything. Macpreneur is a self-hosted WordPress site on WP Engine, requiring separate logins for WP Engine and the WordPress admin panel.
  - Attack methods include brute force attacks on your passwords, social engineering, or exploiting vulnerabilities in your themes and plugins.
  - Hackers can also attempt SQL injection attacks through malicious comments on your site, exploiting a security flaw in the backend.
- Your Devices:
  - Attackers can bypass passwords and multi-factor authentication by obtaining your session cookies, which are stored in your browser.
  - Physical access to your devices (like your iPhone or iPad) can also compromise your site, especially with mobile apps for website management.
  - iOS and iPadOS 18 (coming fall 2024) will allow you to lock apps with Face ID or Touch ID, preventing unauthorized access to business-critical applications.
To protect your website, ensure strong, unique passwords, use two-factor authentication, regularly update your software, and be cautious about the themes and plugins you install.
Also, secure your devices and be aware of social engineering tactics.
Mitigation Strategies
Let’s dive into a straightforward plan to secure your website and minimize hacking risks:
1. Use Strong Passwords and Multi-Factor Authentication (MFA): Ensure you have a strong password and enable MFA for your domain registrar, web host, and website admin panel. If your website is a self-hosted WordPress site, consider installing the WordFence Login Security plugin for MFA, which is free and easy to set up.
2. Configure Website Protections:
  - For platforms like Squarespace, Wix, Gumroad, etc.: these platforms handle security for you.
  - For WordPress sites: install and configure Jetpack for basic protection against brute force attacks and periodic malware scans. For real-time protection and additional features, consider the Jetpack Security Plan ($9/month for the first year, then $18/month).
  - Alternatives to Jetpack, like WordFence Security, offer extensive protection. If you already have WordFence Login Security, its settings will carry over when you upgrade to WordFence Security. The free plan has some limitations, but the premium plan ($119/year) provides comprehensive protection, including real-time updates and IP blocking.
3. Manage Plugins: Deactivate unused plugins and ensure automatic updates are enabled for WordPress and all plugins. If you disable automatic updates, set up alerts to manually check for critical updates.
4. Regular Backups: Ensure your site is backed up automatically and regularly. For self-hosted WordPress sites, many web hosts offer daily backups. Consider additional tools like WP Migrate Lite to export your site and LocalWP.com to create local copies for testing.
5. Secure Your Devices: Protect your devices, especially Macs, as they can be more vulnerable than iPhones and iPads. Refer to comprehensive guides and checklists, such as the Mac security checklist at macpreneur.com/msc.
By following these steps, you can significantly enhance your website’s security and reduce the risk of hacking attempts.
Before concluding this episode, there’s one more thing I’d like to mention.
Bonus Resource
It’s great to have a mitigation plan, but it isn’t enough. We need to be ready if our website gets compromised.
To help, I’ve created a bonus resource: a spreadsheet to gather key information about your website.
For each entry, fill out the following information:
- Name
- Login URL
- Username
- Password Storage Location (not the actual password)
- Two-Factor Authentication status and code location
- Support Email and Phone Number (if available)
This will give you a clear overview of your website’s components.
Under the table, there’s a 10-point security audit to cover everything discussed.
Get your copy of the Website Security Spreadsheet at macpreneur.com/wss.
It will provide the peace of mind you deserve without having to start from scratch.
Upcoming Changes to the Macpreneur Podcast
Season 5 will conclude with Episode 107, which is set to release on July 25th, 2024.
After that, I’ll be taking a few weeks off for vacation starting in August, which means there will be a brief hiatus in regular programming.
But don’t worry—the podcast feed won’t be empty! During the break, I’ll be rebroadcasting some of the most popular and timeless episodes from Season 1. These are great episodes that many of you might have missed or forgotten about.
Season 6 is scheduled to kick off in September. For this season, I’m switching back to an interview format. I already have one episode recorded and several more in the works.
If you’d like to be a guest on the podcast, just head over to macpreneur.com/apply, fill out the application form, and I’ll get back to you within a few days.
I would love to hear about how you run your solopreneur business on your Mac, and what tips, tools, and strategies you use to be more efficient.
Conclusion and Next Episode
So that’s it for today.
In the next episode, I will discuss how safe it is to beta test the upcoming versions of Apple’s operating systems.
So make sure to subscribe or follow this podcast to get it automatically next week.
Cheers,
Damien
Full Transcript
Solopreneur’s Website Security 101: Effortless Ways to Outsmart Hackers PLUS a free resource
Introduction to Website Security
In today’s episode, we’re diving into a critical topic: securing your solopreneur business website.
If you rely on your website for generating leads or making money online, you can’t afford to miss this.
By the end of this episode, you will know what mischief hackers can do, the different ways your website could get compromised, and the key steps to safeguard your site against hackers.
Plus, I will share a free resource that can make this whole process a lot easier.
I’ll unpack all of this after the intro.
Welcome to Macpreneur Podcast
Hello, hello, and welcome to episode 106 of the Macpreneur podcast.
Whether it’s your first time or you’re a long-time listener, I appreciate that you carve out some time in your busy solopreneur schedule.
I’ve created Macpreneur to help as many solopreneurs as possible save time and money running their businesses on their Macs.
Now, in order to give you the most relevant Mac productivity tips and information, I need to know how well you’re currently dealing with the three killers of Mac productivity, namely, unnecessary clicks, repetitive typing, and file clutter.
For that, just visit macpreneur.com/tips and answer a few questions, which will take you less than two minutes.
After submitting your answers, you will receive personalized time-saving tips based on your results.
Once again, visit macpreneur.com/tips and start boosting your efficiency today.
Importance of Website Security
As a successful solopreneur, your website is likely the hub of your business. It’s where you showcase your expertise, generate leads, and connect with clients.
But here’s the thing: many of us aren’t aware of the various ways our website can get attacked.
Sure, we use strong passwords, but is that enough? Spoiler alert: it is not.
The good news is that there are practical and straightforward steps you can take to secure your website. And it all starts with awareness.
I will start this episode by reminding you of the potential mischief an attacker could do.
Then, I will cover the most important attack vectors.
Finally, you will have a clear mitigation plan to minimize the risk of your site getting compromised.
Stick around till the end, as I’ve prepared a bonus resource that you don’t want to miss.
Potential Threats from Hackers
Okay, let’s start with the mischief that an attacker could do if they succeeded in compromising your website.
First, they could redirect traffic to their own site in an attempt to boost their SEO, or Search Engine Optimization, ranking.
Second, they could export information about all the users who have an account on your site and everything they can grab—in other words, a potentially massive data breach.
Third, they could deface your website or make it completely inaccessible, then ask you for a ransom in exchange for regaining control of it.
Number four: they could change the payment processor to directly profit from the online sales made on your website.
Number five: they could try to compromise your website visitors by running malicious scripts or making them download malware onto their computers and mobile devices.
Number six: they could install a credit card skimmer by displaying a fake checkout form before the genuine one that would appear on your website.
And number seven: they could fill your website with ad banners, providing them with short-term financial gain until Google’s algorithm starts dereferencing your site, which might kill your SEO ranking for a while.
Main Attack Vectors
Okay, now the question is, how could they compromise your solopreneur website?
Well, there are three main attack vectors: your domain registrar, the website host, and your devices.
The domain registrar is the entity through which you purchase the domain name. In the case of EasyTECH, it’s EuroDNS, and for Macpreneur, I’m using Hover.
GoDaddy is a big one in the U.S., and folks in Europe might have purchased their domain through OVH.
In June 2023, Google officially sold its domain name business to Squarespace, and Google Workspace plans purchased via Google Domains are now managed directly by Squarespace.
Regardless of the registrar, if an attacker manages to get into the admin panel of your domain registrar account, they could change the DNS settings.
DNS stands for Domain Name System, and it’s like a giant Rosetta Stone that translates web domains into internet addresses so that when someone types, for instance, Macpreneur.com, the request is transferred to the server that hosts the website.
Anyone who has control of your domain DNS settings can easily redirect your visitors to a lookalike website or another site altogether.
The second attack vector is the website itself and the hosting service if they are two separate entities.
Since EasyTECH is hosted on Squarespace, the same login and password are used for everything.
For Macpreneur, it’s a self-hosted WordPress website that is hosted by WP Engine.
In that case, there are actually two separate login credentials: one for WP Engine and the other for the WordPress admin panel.
Here are the many ways they can attempt to compromise your site.
They could manage to log in as an admin by brute-forcing the password or through social engineering, targeting either the web host or the website itself.
They could also post maliciously crafted comments on your website, an approach known as SQL injection, which exploits a security flaw in the backend server.
A theme or a plugin that you have installed might have a security vulnerability that an attacker could exploit.
Finally, sometimes bad actors purchase highly popular themes and plugins, then add their own code to infect the website or the visitors.
The third and last attack vector is your devices.
In episode 104, I talked about the fact that attackers can log in as you without needing to know your password and bypass multi-factor authentication if they manage to get the session cookie.
Since this session cookie is stored inside your browser, this attack could take place remotely.
If you missed episode 104, I recommend checking it out by visiting macpreneur.com/episode104.
Physical access should not be overlooked either, especially with regard to your iPhone and iPad.
Nowadays, there is a mobile application for almost all website management platforms.
There is Wix Owner, Squarespace, Jetpack for WordPress, Gumroad, and Shopify.
It’s super handy to be able to monitor one’s website from a mobile device.
The bad news is that anyone having access to your mobile device could also tamper with your website, whether intentionally or by mistake.
The good news is that starting with iOS and iPadOS 18, available in fall 2024, it will be possible to lock applications behind Face ID or Touch ID.
That way, no one except us will be able to open business-critical applications from our mobile devices.
Mitigation Strategies
Okay, the next question is, how can we protect our website and minimize the risk of it getting hacked?
So let’s go through a simple and practical mitigation plan.
First up, you need a strong password and multi-factor authentication for the domain registrar, the web host, and your website admin panel if the latter two are separate entities.
I dedicated the previous episode to this topic, so if you missed it, just visit macpreneur.com/episode105.
If, like me, you have a self-hosted WordPress site, you will have noticed that multi-factor authentication is not available out of the box.
For that, you will need to install a plugin, and after testing a few, I can recommend WordFence Login Security. It’s totally free and very easy to set up.
You can even configure which user role must enable it by default and those for which it’s optional.
Please note that if you have installed the Jetpack plugin, you will need to visit the WordFence Login Security settings and skip two-factor authentication for a protocol called XML-RPC. Apart from that, it’s very easy to configure.
Next, website protections. If your site is hosted on Squarespace, Wix, Gumroad, Shopify, Podia, Teachable, and the like, there is nothing you can do here as they take care of everything.
For WordPress sites, regardless of whether they’re hosted on wordpress.com or if we are talking about self-hosted WordPress sites, you’ll want to add protection through plugins.
At the minimum, you should install and configure Jetpack, developed and maintained by Automattic, the entity behind WordPress.
In fact, if your website is hosted on wordpress.com, Jetpack is pre-installed for you. Otherwise, just visit the plugin directory.
The free plan offers protection against brute force attacks, meaning bots trying to log in using known usernames and passwords.
The last time that I checked, it had blocked more than 75,000 login attempts on the Macpreneur website.
The free plan also periodically checks the website content against a database with known malware and vulnerabilities.
For real-time malware scanning and cloud backups, as well as a web application firewall, you can purchase the Jetpack Security Plan, costing about $9 per month for the first year, then $18 per month.
Now, there are alternatives to the Jetpack Security Plan, one of them being WordFence Security, which offers a wider range of protections on top of the login security that I mentioned earlier.
In fact, if you already installed and configured the WordFence Login Security plugin, all the settings and two-factor authentication codes are preserved after installing WordFence Security.
The only change is that you will need to create an account on the WordFence website to get a license key even for the free plan.
The free plan has a 30-day delay on updates to the firewall rules and malware signatures, and it only scans the website once every three days.
The premium plan, costing $119 per year, offers real-time rules and signature updates, IP and country blocking, but no cleanup in case of infection.
The care plan, $490 per year, offers the same features as the premium plan, plus cleanup and audits, and it updates rules based on the specific infection.
Talking about plugins, deactivate all those that you don’t use or need anymore, even if they auto-update.
And so, yes, make sure automatic updates are turned on for the plugins and WordPress itself.
And if you decide to turn off automatic updates for a specific plugin, make sure to get automatic alerts whenever updates are available to manually check if they are critical or not.
Next, make sure that your site gets backed up automatically and regularly.
Again, if you use Squarespace, Wix, and similar website hosting platforms, this is taken care of by the provider.
For self-hosted WordPress sites, sometimes the web host offers this service, which is the case with WP Engine.
So for the Macpreneur website, a backup is done automatically once per day.
And I can manually trigger backups before making any changes, like installing a new plugin or manually updating WordPress itself.
When I need to make much bigger changes, WP Engine allows me to clone my website onto another environment.
And in total, I have three of those: Production, Staging, and Development environments. The latter two are password protected, meaning that they are not publicly accessible on the internet.
And while researching for this episode, I stumbled upon a Mac app called Local, available from LocalWP.com.
It allows you to pull a copy of a WordPress site hosted on WP Engine or Flywheel and then run the website directly from the Mac.
I played with it only a little bit and quickly realized that it’s not for everyone.
You definitely need to be familiar with Keychain Access and the basics of web hosting to be able to fully exploit this tool.
And not all files get pulled, which meant that for the particular Genesis theme that I’m using, the default color was used instead of the purple that you see online.
A few other things were off too. So in my case, it’s not a perfect solution.
However, I was able to test upgrading the version of WordPress and PHP directly from my Mac, which was pretty cool.
For WordPress sites hosted elsewhere, there is a free plugin called WP Migrate Lite that is developed by WP Engine.
It allows you to fully export a WordPress site into a ZIP file, and that ZIP file can then be imported into the Local app on your Mac.
I haven’t tested it yet, so I don’t know how well it works. However, the simple act of having a local copy of my website, even if it’s in a big ZIP file, makes me feel it’s a good complement to cloud backups.
Securing Your Devices
Okay, the last step of the mitigation plan is securing your devices, especially your Mac, as it’s a bit more vulnerable than iPhones and iPads.
I won’t dwell on this topic today because I covered it extensively in episode 99.
On top of that, I’ve prepared an extensive Mac security checklist to accompany that episode.
So, if you haven’t downloaded it yet, remember to visit macpreneur.com/msc for the Mac security checklist.
If you need help going through the checklist, just listen to or watch episode 99.
Before concluding this episode, there’s one more thing I’d like to mention.
Bonus Resource and Conclusion
Having a mitigation plan in place is a great start. Unfortunately, it’s not enough.
We have to be prepared in case something bad happens and our website gets compromised.
The good news is that I’ve prepared a bonus resource that will help you with that. It’s a spreadsheet designed to gather the most relevant information about your website.
There is a row for your domain name registrar, another one for your website host, and then one for the login panel of your website.
If you have a separate e-commerce provider, there is a row for that. There are also preset rows for all the themes and plugins that you may have installed.
For each row, fill out the name, login URL, username, where you store the passwords (not the password itself, but where it is stored), whether two-factor authentication is activated or not, and if it is, where the two-factor authentication codes are located.
The last two columns are there to store the support email address and phone number in case they are available.
That way, you will have complete clarity about the components of your solopreneur website.
Underneath the table, I have prepared a 10-point security audit covering everything discussed in this episode.
To get your own copy of this spreadsheet, just visit macpreneur.com/wss for the Website Security Spreadsheet.
This spreadsheet will give you the peace of mind that you deserve without needing to reinvent the wheel.
Once again, visit macpreneur.com/wss today!
Recap and Next Episode Preview
So, to recap, we’ve covered the potential harm that hackers can cause if they compromise your website, and then we delved into the main attack vectors.
We’ve gone through simple yet practical mitigation strategies, coupled with a contingency plan consisting of having all the necessary information ready in case something bad happens.
Best of all, you can start improving the security of your website today by getting your free copy of the spreadsheet that I’ve prepared for you.
If you enjoyed this episode, please share it with a fellow solopreneur and DM me on Instagram. My handle is @macpreneurfm.
That’s it for today. In the next episode, I will discuss how safe it is to beta test the upcoming versions of Apple’s operating systems.
Make sure to subscribe or follow this podcast to get it automatically next week.
Season 5 Finale and Future Plans
Before saying goodbye, I wanted to give you a heads-up about what will happen at the end of season 5, which will conclude with episode 107, released on July 25th.
Since I take a few weeks of vacation beginning in August, there will be a break in the regular programming.
It doesn’t mean that the podcast feed will be empty, as I will rebroadcast the most popular and evergreen episodes from season 1, which many of you haven’t listened to yet or have most probably forgotten about.
For season six, which will start in September, I have decided to switch back to an interview format with one episode already recorded and a few more in the preparation stage.
In fact, if you’d like to be a guest on the show, just visit macpreneur.com/apply, fill out the application form, and I’ll get back to you within a few days.
I’d love to chat with you about how you run your solopreneur business on your Mac and what tips, tools, and strategies you have put in place to be more efficient.
Once again, visit macpreneur.com/apply. I can’t wait to feature you in an upcoming episode of the Macpreneur podcast.
And until next time, I’m Damien Schreurs, wishing you a great day.
Thank you for listening to the Macpreneur Podcast. If you’ve enjoyed the show, please leave a review and share it with a friend right now.