Episode Transcript
Monica Pitts 0:00
So today, I have with me two of my top tech experts at MayeCreate, Rebecca and Stacy. Say hi.
Stacy Brockmeier 0:08
hey, friends, it's Stacy.
Rebecca Thomas 0:10
Hi. I'm Rebecca.
Monica Pitts 0:12
Thank you. Okay, so you guys field a lot of the challenges that we're facing right now out on the interwebs involving security and technology. So what are you seeing right now? What is the even reason that we're having this podcast?
Stacy Brockmeier 0:28
So many reasons,
Rebecca Thomas 0:32
On a personal level, inside our company, we have what like 300 we said, safe site clients, and it's my job to make sure that they stay happy and unhacked. In the last few months, both Stacy and I and the entire team have noticed an uptick in malicious attacks on websites, login attempts, comment hacks, a lot of Russian text and less than appropriate comments from people who are definitely not who they're saying they are. And it's definitely come to the attention of the entire just web sector that bots are here. AI is trying to get into your website, take your data, do whatever it wants with
Monica Pitts 1:21
it. Now you say AI is trying to get into your website. So it has been people creating bots, and then those bots were trying to hack into websites. Because this stuff is not like necessarily new things. We've seen it before. It's just a lot more of it. So how do you think they're using AI to make this happen now,
Rebecca Thomas 1:44
Similar to the way that we see people sort of automating like their emails, they're also doing that with malicious attacks. So we've got AI now able to write a million different emails and send it to a million different people or a million different authentications to try and get into a website, it's making these attacks faster and broader
Monica Pitts 2:07
and smarter and smarter. Ew,
Rebecca Thomas 2:15
very unfortunate, especially for people who aren't very savvy with making sure that they're not leaving themselves vulnerable to these sort of attacks.
Stacy Brockmeier 2:25
I think the other thing that we're seeing a lot is with AI specifically, is like Alexa and all of these other services are combing websites for information, and so we see a lot of bot traffic, not necessarily malicious by any means, but we see a lot of increased traffic for these, for the AI bots that are combing the websites for information so that they can serve answers when somebody asks their device, Hey, what is XYZ? So I think we're also seeing some increased traffic from bots that aren't malicious just to gain knowledge for AI.
Monica Pitts 3:10
I agree with that. And yeah, that's one of the results of all this yuck. So we are going to dig into that more in a second, because we review, I don't even know how many websites a week I feel like I'm in Sometimes I'm in data to my neck, right, or sometimes over my head. But we are seeing some different trends that we're not used to seeing, and they've been manifesting over the past, I'd say, six months. So it
Stacy Brockmeier 3:38
makes making marketing decisions based on your data, a little bit hard, because you kind of have to weed through the information before you can Yeah, you have to know how to make a decision, yeah, because it really, I mean, if it's a bot, it's usually on your second on your site, just a second or two, and so that can really skew your data. You definitely have to
Monica Pitts 3:58
filter it out. I agree. So why are people doing this? Rebecca,
Rebecca Thomas 4:05
so the main reasons that people try to either get access to your website or your credentials, we're talking financial we're talking data. We're talking identity theft, basically anything that they can take from you to benefit themselves they are going to try to get a hold of, even for extortion purposes. I mean, we've seen cases in which private information is stolen and then you get an email saying we've got this, if you don't give us this in 24 hours, then it's going out there, whether or not that's like your social security number or pictures you probably shouldn't have had on your phone in the first
Monica Pitts 4:51
place. Just don't take those pictures. You'll avoid the problem, right? Yeah. Okay, yeah, so people are vulnerable. They're trying to hack into your website so that way they can steal data, right? And then other reasons that they might hack into your website is to promote their own products, creating backlinks. They might also be trying to send out emails using the server side email software, but I feel like that's happening a little less now. For a while, they were really attacking those email, you know, plugins and features of a site, but now that everything has to get authenticated to the nth degree, I don't feel like that's happening as much anymore. We don't have quite as many attacks on, you know, form plugins and that kind of thing. So that's good, but yeah, and I think, too, they're just trying to be a pain in the butt. Sometimes, I was
Stacy Brockmeier 5:51
gonna say, I think sometimes, like, there's not even really anything for them to gain by hacking a website. It's like a pet project or something, you know, it's like, not even for a purpose, it's just to cause chaos. Like, can you?
Rebecca Thomas 6:05
It can feel like that. And sometimes even service interruptions is all that they're looking for. If they can interrupt you, then they get to you, they can get to whoever else is on, maybe your hosting plan, ooh, maybe,
Stacy Brockmeier 6:17
or maybe you're the, like, test subject. Yeah, we're the training wheels
Monica Pitts 6:23
hacking. Well, reasons why we have to be so dedicated to keeping all these websites safe. It's like, if one website gets hacked and they figure it out, then now, using AI, they could be attacking all the stuff. And so everything from the way that we set up the hosting with our hosting provider, to the way that we structure the websites, to how people log in, to how we actually update them and protect them, all of it comes together in that we don't want one leak to cause a flood. Yes, yeah, be horrible.
Stacy Brockmeier 7:00
And we have had that where sites have been hosted on the same server is like, not necessarily another site of ours, but if there's like, a web developer who's not as diligent, and it's hosted with the same hosting company, like that, can cause an issue. And so we try to be really careful about where we host and how we host and stuff like that too.
Monica Pitts 7:21
Well, that actually is a great segue into what happens. So when these bots are attacking sites, obviously we're scared that they're going to steal data or steal identity and put people's livelihoods at risk, but also it results in really bad website performance. So the example that Stacy just gave is, if a website that's in a shared server space with you is getting hacked, it's sucking all the resources from that particular server, and so the server doesn't have the resources anymore to allocate to your website. So now your website's running slowly, and your users are not able to log in in a timely manner, and so they might be rejected, right? And so that that sucks. That's not good. What else
Stacy Brockmeier 8:06
is why you don't want to choose the cheapest hosting plan possible, like, at least have some hosting plan with some security. Please. Hand support, please. Yeah, yeah, that'd be great.
Monica Pitts 8:20
So decreased performance in hosting is definitely a problem. And then we said, at risk for security breaching and data loss, data loss, Rebecca. You were like, Rebecca, can go all gloom and doom on us some days. And so one of the things that she said is that you can potentially get sued and fined for data breaches, like, how does that happen? So
Rebecca Thomas 8:51
think about it, if you're someone who is dealing with maybe payment information, or if you're dealing with medical information or any sort of private data in which you are responsible as the website owner, say you get hacked. Medical data is leaked. Private Social Security numbers are leaked. Contact information is leaked, if it is a large enough breach, and we see this pretty often, unfortunately, particularly in the health sector. That's why I keep bringing up health stuff. I personally not for our clients. No, no, not for our clients. Let's back up there. We don't
Monica Pitts 9:35
actually deal with that kind of information. So if you need a company that's going to help you manage that information, we are not your people. Please
Rebecca Thomas 9:43
go. I'm talking like recently, I personally had my health insurance company. They had an off campus, basically data server that got hacked, and everyone who had their information leaked. There was a class action lawsuit. They have to basically, sort of compensate you. And how they compensated us was that we got a free year of identity theft protection and monitoring,
Monica Pitts 10:13
nice.
Rebecca Thomas 10:15
But for other people, say it's in the government, or say like you, you can get sued if you lose someone's data, if you are proven to be held liable for not keeping stuff up to date, or potentially not doing your due diligence in making sure that you have to the utmost possibility kept your clients safe.
Monica Pitts 10:38
So if you own your own server, and you are hosting your website on your own server. Or if you have a website that has lots and lots of information on it that could potentially harm your clients or your website users, if it is breached, you need to have insurance people, seriously, there's actually insurance for this. We don't even host our own websites. We have a third party provider that does it for us. But we carry this kind of insurance, even though we're not even technically liable for it, like, if you have that kind of stuff, you should have insurance. I yeah, I would get
Stacy Brockmeier 11:19
your cyber insurance policy, yeah, keep it up to date. I know it's expensive, but it's important. In case you ever had that problem, good luck filling out that paperwork.
Monica Pitts 11:30
It's
Stacy Brockmeier 11:35
glad I only have to do
Monica Pitts 11:36
it once a year. Yeah, we jumped. We were like, what does this even mean? We're going to get there. And then the other thing that Stacy mentioned earlier was inflated analytics scores that don't have many meanings. So if you're using your marketing data to make decisions, just know that the bad bots and the good bots are making your data not accurate. It like your time on site isn't going to be accurate. The number of users is going to be extremely inflated. So the number of users is going to be extremely inflated. The time on site is going to be really low. And that's what we're seeing across the board. And so you just have to filter out all of the visits that are, you know, two to three seconds, and just look at the rest of the data from there. And then you'll actually have much more functional data. But it used to be that we just saw them from, like where Michigan and like one place in Virginia, we'd have a whole bunch of bot traffic, and it was because the servers that we use are there, and they were just checking to make sure the website was up, but now I see them from all over the place, like they're just, they're from everywhere. It's nuts, like it makes them as sad. And you get used to that traffic, you're like, Oh, look at that. We had 1000 visitors this week. And then
Stacy Brockmeier 12:59
you filter it out. It's like crushing. It's like soul crushing, because you're like, oh, seven people, cool,
Monica Pitts 13:08
well, and then two because of the AI services. You, Gosh, I really think that you almost have to have a different analytics report, because one version of success is these AI services are using the information on their on your website to be able to inform people about what you do. I think that's successful, right, in a way, because they can actually link out and get to your website through most of these, AI, you know, search platforms. But then two you want to see like, because of that, there's not going to be as much direct traffic to your website now. So it's almost like you need two levels of measurement, like good bot traffic and people who actually got to your website, and just realize that it goes down every day. But that does not make your website not important. Your website's still important.
Rebecca Thomas 14:00
It's still the brochure. It's like giving people information. Yeah, I
Stacy Brockmeier 14:06
think so. Rebecca, if a website gets hacked, what did it? What do people do? What happens?
Rebecca Thomas 14:12
Well, hopefully, and this is hopefully because we've mentioned it, you have a good hosting plan, and your hosting plan hopefully takes backups
Stacy Brockmeier 14:22
if, hint, hint, if you're hosting plan doesn't take a backup. Make sure it does
Monica Pitts 14:27
get backups. Just logged into a site yesterday that we're like taking over from another company, and it hadn't been backed up since September 2024, yeah,
Stacy Brockmeier 14:40
during a year that's closer to a year than and not,
Monica Pitts 14:44
not. The plugins hadn't been updated either, and I was just like, updating things one at a time, double checking and hoping to God, I didn't crash everything. Oh, but I backed it up first. I backed it up
Rebecca Thomas 14:55
as you should. Good
Stacy Brockmeier 14:56
girl, good girl,
Rebecca Thomas 14:58
good girl. Good. Now making sure that you have a backup and something that you could potentially maybe roll back to our server actually takes daily backups, and when we make large changes, we make manual backups. And if you're lucky, you can roll back, and you should be fine, and you just make the necessary changes after doing a risk assessment of, like, where did they get in? Let's go ahead and fix that, and then block whatever tried to come in. If you don't, there are services you can pay for in which they can unhack you, or maybe you have a really cool dev like we do, which is me and I'll unhack you.
Stacy Brockmeier 15:42
I think the cautionary tale on rolling your site back is, if you have like a members only section, yeah, where you have a lot of form submissions or registrations that are coming through your site like you, you just have to be really careful about the data loss that can happen there as well, so
Monica Pitts 15:59
you manage that careful stuff before you might want to talk
Stacy Brockmeier 16:03
to somebody about the risks and benefits of rolling back. Yeah,
Rebecca Thomas 16:09
not many
Go ahead. Go ahead. Not many people have the literacy of knowing how to get into their FTP space, which is where you would be able to access your files. And so, I mean, I would highly suggest, like, make sure you've got someone you trust, or a company you trust, like MayeCreate, to be able to manage your files. Because, I mean, you have a whole business you're running, more than likely, or you've got a life you're living, and you need your blog safe, because that is your livelihood in some way. I mean, make sure you've got a team behind you that cares as much as you do. Yeah,
Monica Pitts 16:51
for sure. And some of these bots are going to be coming in and attacking just by making form entries, comments, that kind of stuff, and they're just generally bogging your site down. Others are actually trying to inject code into the like theme files of your site, which is a different problem. And so the reason that we would roll a site back is because it takes care of both problems, and it would hopefully replace it with a clean backup. Because if you just, you know, have take all the stuff out of the database, but it's actually in the files, and it doesn't solve the problem, really. And if you're just trying to solve it in the files, a lot of these things are smart enough that they just re inject. It's weird. They replicate.
Rebecca Thomas 17:32
It's it's tough,
Monica Pitts 17:36
flies. And
Rebecca Thomas 17:37
that means you need to have someone who knows how to find like there is one file somewhere with one line of code that is making this self replicating file in another part of the site. We've had hacks like that before, in the distant past. Thank you. Haven't had one since, knock on all the wood. But yeah, you need to have some literacy in your files to be able to know like, this isn't a WordPress file. Yeah, that's where we have friendly little plugins like Defender, hashtag not sponsored. There are website plugins, particularly with WordPress, that will go ahead and scan it for you. If the hack's not too bad, and they will be able to find out like, oh, this line of code is suspicious, go ahead and check it out. Or, oh, this file is not from WordPress core. Are you sure it's supposed to be here? It can also list vulnerabilities like, Oh, this is the plugin that probably got you hacked. Updated
Monica Pitts 18:40
well, and you've seen these types of softwares in your computer, like, you know, if your computer gets hacked and you start noticing weird stuff going on, you would install a software to try to clean it up. And it's not a whole lot different on your website, except that you can have data loss and all that kind of fun stuff as things get cleaned, yay. So when it happens, the first step is go back stuff up, see if you've got, you know, files that you could roll back. But then also, the thing that we tell our clients is, first and foremost, let us know, like the second that you get a weird email, you need to let us know. Don't let us know. Like, the thing that is so painful that makes me want to, like, just have a complete meltdown. And usually I do have a complete meltdown. Let's be real. It's me is when they let stuff go on for like, three weeks, and you know that they've gotten like, 10,000 like, failed login attempt emails a day, and they've had to clean them up from their inbox, and they never thought to tell us, and then they're mad. Like, like with the first please at the first sign of distress in your website, even if it's not distress. We had someone email us just the other day that was like, Oh my gosh. What is this? This is terrible. Are we getting hacked? And I talked to Rebecca about it. Actually, it's their cookie plugin letting them know that someone had set really extreme like privacy settings on their data, and that person just needed to be contacted. So it was just keeping them compliant with laws in California. It wasn't a hack at all, but had it been a hack, we would have been able to, like, take action right away, right? So I'll get off my you know, pulpit now, but dang it. Call the people that need to know. Don't ignore it. Don't back burner it. Terrible decision. Terrible decision. We can't fix crap when it's been broken for
Rebecca Thomas 20:40
weeks. Take action the first moment you notice something is happening, whether it's an email, like Monica said, or maybe you think, like, my site's a little slow, or this is a weird number of contacts in my form. Yeah, yeah, because
Monica Pitts 20:56
there's a lot of things that can be done about it. And then the second one would be, and Stacy, you actually intake all and plan all the forms a lot of the times for websites. So what? What's the second one? Well,
Stacy Brockmeier 21:08
I think just like moving to proactive things, right? So we're not so really, ultimately, you want to proactively prevent your website from getting hacked. Yes, and so, um, just be being careful about what you're collecting in your site. So don't collect sensitive information if you don't have to. If you have an employment form, you don't actually need every applicant's social security number, because you don't need that until you hire someone. So just be careful about what information you collect and the sensitivity of that information, and also just making sure, if you do have to collect sensitive information, that you're taking the proper precautions. But if you don't have to collect it, just don't make sure that it's in the proper spot in the process. So
Monica Pitts 21:58
yeah, and don't be afraid to invest in a solution that will then protect that information like, it might not be in WordPress, it might not be in your website. It might be that you use a different processor to get that information, to keep it protected, like, that's okay, it's worth the investment to make sure that you're not, you know, losing it. So another proactive one? Rebecca, you just helped me install one of these yesterday. What's another proactive thing you can do?
Rebecca Thomas 22:31
ReCAPTCHA, that is right. We did install that yesterday, didn't we? Yes, if you have a form, you should 100% always have some kind of security, particularly the easiest thing you could ever set up, give or take, depending on what you're using as a plugin a reCAPTCHA, is the first line of defense on a website form. What it does, basically to kind of extrapolate on the science Google or whoever is running Cloudflare, hCaptcha, whoever has created it has information on how bots behave and humans behave very, very differently than bots, if you ever look at like maybe how you use your mouse. What some reCAPTCHAs are actually watching is what direction and how the pattern of your mouse moved before it got to the reCAPTCHA box. So a bot would be straight line, but humans have a tendency to meander, whether that be the eye or the hand. We're going to take a little bit to get to that reCAPTCHA like, where is it? Oh, there it is. For silent reCAPTCHA again, is watching things like how you behave in terms of your keyboard strokes, in terms of where your mouse is going, and then the image one's pretty straightforward. You're both training a bot to know this is what the picture looks like. But also you as a person, can tell the difference between a motorcycle and a bicycle.
Monica Pitts 24:07
So MBA and they are, it'll catch up. They did update some stuff with the Google CAPTCHAs, so that's BS not as user friendly as it used to but we believe in Google, and we believe that you will smooth this back out for us. Yeah,
Stacy Brockmeier 24:25
fingers crossed.
Monica Pitts 24:28
So the next item on the list, number four, is both offensive and defensive, and we install this on every single one of our websites. Rebecca, you mentioned it earlier, tell us about what Defender does.
Rebecca Thomas 24:41
So defend. Defender is a plugin that we use. I do believe that the developer is WP Engine. It is basically an all in one defense plugin for our websites. We use it for auditing activity on the website so we can see when I've logged in, or if Stacy's logged into our website, I can see if she's updated a post or update her profile. I can see if someone's updated or deleted the plugin. I can also block IPs directly, or whitelist IPs directly. I can block usernames. I can block country IPs all over. It also has firewall auditing, so if someone gets locked out, you see who they are, you see where they're from, some basic data. And you can also get security headers, which I won't go too deep into, but it is something that we add on basically every website now to make sure we're not getting any kind of cross-site script hacks or any sort of injections or clickjacking. It's, it's really my security best friend, again, not sponsored. I'm not being paid to say this. I'm in love with this plugin. We pay this my job easier.
Stacy Brockmeier 26:00
Yeah, yeah. I would say actually, we pay them. Oh,
Rebecca Thomas 26:03
well, yeah, we pay them. We pay them to use their Yeah,
Monica Pitts 26:07
yep. It's awesome. And it's kind of like, if you've ever known had compromised that Facebook account, No, dear, oh, raise your hand if you've had that. And then you have to go through all those steps, you know, to like, revalidate yourself and look and be like, did you make this post? Did you add this picture and then? So it's kind of like that. It sounds like Rebecca,
Stacy Brockmeier 26:29
yeah. One of the cool things about Defender is a lot of times bots will try to exploit either, like, URLs. So for that don't exist on your website, so they'll just continually try different URLs. And so we can block any IP that tries a specific URL, because it keeps a log of that. And the same thing with usernames, they'll try to exploit certain usernames. So if you have the username admin on your website, you should probably delete it right now as a proactive thing. But we can also block any IP that tries to log in with the username admin. And that makes that's a cool thing for Defender, is we can block things that are malicious or suspicious automatically without having it be a problem.
Rebecca Thomas 27:20
And it also does like the malware scanning and it'll block XML, R, P, G, which is a file used for, traditionally, cross posting to social sites. I might have said the name wrong, but it'll also prevent information disclosures by updating your WP config. And like you said, for an admin user, you don't want that if you have your number one user listed, it's admin, Defender has a setting in which it will rename it for you so you don't lose any data. Yay.
Monica Pitts 28:00
Yeah. So I, what I hear you guys saying is that what we try to do is look for patterns of what's happening and then create a block. What have you a change in Defender in the website, to be able to stop a pattern. So be it that it's a specific location or a specific page, or, you know, a form's being submitted a billion times, then we would have a block, whether it's Defender or a CAPTCHA or something like that,
Stacy Brockmeier 28:34
yeah, essentially creating rules to block certain activity for sure. Yeah.
Monica Pitts 28:40
Now another thing that we actually have on our website, and we do have on quite a few client websites, really, but it takes a little doing to set up, is Cloudflare. Remember when we first learned about it? Yes, oh my gosh. We were like, no way. There's a system that does this. It was years ago, wasn't it? At a WordCamp, yeah, yeah, and then maybe 2019, or something like that. Like Monica stopped talking about it. I'm like, but I am really it's so cool. Tell us what it does.
Rebecca Thomas 29:12
So basically, what Cloudflare does is, let's say, put a wall between your website and any sort of malicious attack. We'll see this more and more on websites. I see it on some personal websites I use. We see it on our hosting website that we use. There are instances with attacks called DDoS attacks, in which large number of bots or persons go to a website and try to use the website, essentially creating a lot of traffic and PHP requests that will bog down the system and totally turn off the service, because there's just too much going on. What Cloudflare does is kind of have a CDN, which is a
Monica Pitts 30:06
content delivery network. Thank you. Slip
Rebecca Thomas 30:09
my mind. There content delivery network and which it has, like a duplicate of the site, sort of a cached version of the site, so you they're not accessing the direct one, and then they can also start blocking immediately large traffic numbers. And you'll have to go through like the reCAPTCHA in which you say, Yeah, I'm a human. I'm trying to access the site for legitimate reasons. And so it'll make sure that you don't lose any data. You won't lose any service time. There might be a little bit of a slowdown, but you won't completely crash, which is super, super nice, especially if you have a lot of data on there, or you have a lot of users or information you're trying to get out. Like we said, our hosting service uses it. It is a great source of protection. CDNs, in general, whether it's Cloudflare or Nexus, also uses its own CDN and also works with Cloudflare. It's It's good in multiple ways, from
Monica Pitts 31:15
what I understand, too. It has a version of your site deposited on multiple servers throughout cyberspace, whatever, but they're in physical locations, right? And so if whatever server I'm closest to physically is the one that it would pull a version for me. So if one like, if there's a bunch of IP addresses from one location that are trying to do this bot attack on you, then it probably wouldn't be locked down from all locations. It could just be from this one location. So it also speeds up load time, because just like sound or light, the internet travels faster over shorter distances, and so when your website is cached on a server that's closer to where you are, it's going to load faster. So it has all kinds of really fun benefits to it. And is it still, like, it's free for some people, like, at one point it was free, like, you know, I don't know. I know we pay for it because we wanted, like, the big, bad mama jama, but I think they even have a free service. So I can see Rebecca typing. She's looking it up. She has to know that. She just can't stop I need to know, okay, Stacy. And one thing that I know that you walk people through a lot is choosing the right payment collection. So this is another way to keep all your information safe. Tell us about this. Yeah,
Stacy Brockmeier 32:43
so there's a number of I think the accessibility of payment processing for credit cards is a lot higher than it used to be. So websites used to collect payments directly on the website and store credit card information, which is terrifying. It's totally terrifying, but now you have services like Stripe or Authorize.net that actually connect to most website platforms, and so the actual processing and the credit card storing is in a company that specializes in that, not on a web server. And I think that's just super important in keeping your clients safe, but also allowing for the ease of use, for registrations or payment collection. I mean, you want to obviously provide that for your clients, but also protect yourself and them by choosing an appropriate, secure third party service. And many of them, the client or the website viewer doesn't even know that they are being processed through a third party. Like, it's just it goes through very seamlessly and works really well. So
Monica Pitts 33:53
yeah, and it doesn't store any of that stuff on your site. Like, we use Stripe for a lot of our clients. Also, they do not pay us for this. We pay them to process every credit card, but we use it because it's great. And when you look at the payment logs in the site, it'll be like it was processed through Stripe using a Stripe token. So if you want to learn anything more about this, you have to go over to Stripe and log into your Stripe account to see it. It is not in your website, so therefore it's not having the same liability on you for taking the payment. So it's pretty rad. Okay, so another thing that I noticed really recently, and I asked Rebecca about because I was like, What is this? Every website that I try to log into recently is like, Hey, you should set up two factor authentication, and I'm like, Rebecca, should I do this? Yes? Your answer, yes,
Rebecca Thomas 34:47
yes, you should.
Is it hard?
Depends. So loaded question, let's just say depends for the most part, no. No, two factor authentication is actually pretty quick. You just link, maybe your phone number, which, yeah, that's, I mean, you don't just one more text, but anytime that you log in, then you're going to get a text message like saying, hey, is this you? Here's a code if you're logging in you need it. Go ahead and use that and you can keep going. Or some will just be like if you're logging into Google, if you, you too should have two factor authentication turned on for your Google. I don't care who you are. Do it, please
Stacy Brockmeier 35:32
turn it on for your Google, your social media, the things
Monica Pitts 35:37
turn it on. Don't even log into my PayPal with my password ever? No, I like I'm typing my password in,
Stacy Brockmeier 35:46
but that's even more reason to have your two factor authentication on on your Google because, and not to click on strange websites, like, if you get a DocuSign and you weren't expecting to have to sign a document, do not click. But if you because if you do, they will immediately access and download all of your passwords and everything that's connected to Google. So great. It's even more critical that you keep your Google account safe, or Microsoft or whatever you're using to log in if you sign in with that service on other platforms.
Monica Pitts 36:19
I'm so sorry I did it the other day. I
Rebecca Thomas 36:22
will say, just to get on my pulpit, hey, don't use the same password for everything. I don't care if you can't remember it. Get a password book. Write it down. Don't, don't do it fine.
Stacy Brockmeier 36:33
Rebecca, I have started changing mine. I know. Thank you.
Monica Pitts 36:39
Okay, so that, like the next one is like popping us right back up to the top, like we said, hey, as soon as you're hacked, you need to go to your hosting space and see if there's a backup, because that is a very viable way to replace your site easily. But in order for there to be a backup, you have to take regular backups. None of this last backup in September 2024 crap, right? So regular backups, if you're using a WordPress site, there are plugins that do it for you, and you go any but you gotta click it, or there's some that do it automatically. So just make sure that you either have a hosting space that you pay enough for that they'll do it for you, or that you are diligent and take care of it yourself. And then, then the last thing Rebecca is something that you do for our clients every single week, multiple times a week. What is it? Hey,
Rebecca Thomas 37:32
update your plugins.
Stacy Brockmeier 37:36
And you get on a megaphone. Please, update
Rebecca Thomas 37:39
your plugins. One of the easiest ways for a site to get hacked is unmanaged plugins and unmanaged core like WordPress or I don't know really how Wix or Squarespace works, but everything on your website needs to be updated. Your theme, if you're using a downloaded theme, your plugins, your core, you need to make sure those are updated, because those release security updates regularly. If it is a good developer, you need to keep up on that, because if you get behind, you're gonna end up losing something you
Monica Pitts 38:21
basically like a hole in your site, because this bot is now powered by AI, and it's checking the change logs. And in the change logs they tell people where the flaws and the vulnerabilities are. So the AI bot reads the change logs and then can change itself to go attack your website and only target websites that have your version of the plugin. Is that scary or what? Update? Okay. But even with all of these solutions, both proactive and reactive, can your web like? Is your website ever like? 100% secure? Rebecca
Rebecca Thomas 39:01
the only way to have a truly secure website is to have no website at all. But with all of these steps, you really ensure that you are as secure as possible.
Monica Pitts 39:15
I told you all, she was a little gloom and doom. She's like, if you really want to be safe, just don't have a website, hey. But here's the deal. Well, even if you just have a Facebook page, you're still not at risk. Or a Facebook group, you're still at risk. It's called,
Stacy Brockmeier 39:31
I think it's like, you can be the safest driver on the road, but you can't prevent. Like, I mean, you can prevent, but you can't ever with 100% certainty, say I will never have an accident because I followed all the rules, and I always use my blinker, and I always drove the speed limit. So you can do all the proactive things, but you and prevent a lot of things from happening by not driving like a psycho. But it's the same. With your website, you can't say it's 100% secure, and you can't ever say you can 100% will never have an accident. You know, the same drivers
Monica Pitts 40:09
on the road, right?
Rebecca Thomas 40:13
We made a really good analogy. I think, recently, your website is basically your HVAC system. You need to service it. You need to maintenance it. If you don't, you'll have problems, and even then, as often as you maintenance it, sometimes maybe something goes wrong, but having a good team behind your back means that someone's there to help you, and you're not alone in this. We're all swimming through these bots, 51% of data.
Monica Pitts 40:49
Well, we got this. You won't be stuck in an un air conditioned house with your entire family, extended family, staying with you for the Fourth of July weekend. Let's, let's, yeah, yeah. That's not what we want. That's not what we know. Well, that wraps up our deep dive into this new bot territory. Thank you so much. Rebecca for being our Digital Guardian today and sharing such valuable security insights. And Stacy, too, as we've learned with bots now accounting for over half of all internet traffic like staying vigilant is more important than ever. That's why we're talking so much about these offensive strategies and not just about defense, because honestly, sometimes when you get to defense, it might just be too late, especially for an inexperienced user like Rebecca, can handle a lot of it, but Rebecca has been doing this for her whole career at this point, like she's she's never done anything else. So remember, you need to pay attention to the unusual site activity and act quickly. Don't make me throw a fit three weeks later when you send me the email telling me that something's broken, tell me right away. Right away. You're not bothering me. You're not bothering Stacy. Tell us right away. Consider security tools like Defender or Cloudflare. If you don't have them, get them. Implement two factor authentication, because Rebecca loves it, and you will too. Maintain those regular backups just in case. Block suspicious IPs and keep your freaking plugins updated. And even then it just because they're updated doesn't mean that they're actually updated. I'm using air quotes because sometimes they just get really old and the developers don't work on them anymore, and then you're still vulnerable, even though you don't have an update plugin tag.
Okay, so while Rebecca has told us that no website can actually be 100% secure, we really think, and this is why we do this for our clients, that doing these things will dramatically reduce the risk of an attack on your website and a potential happening. So for all of our listeners who want to explore this topic further, we put together, I will, this is actually what I'm doing this afternoon, putting together a comprehensive blog post on the mayecreate website with links to all of Rebecca's recommended security tools and services. Yeah. So you can just go on over to mayecreate.com forward slash blog to find it, along with, of course, all of our previous episodes. And subscribe, because next time we're going to talk about website ADA compliance, oh my gosh, all of these wonderful, riveting topics, I know, but we actually really love talking about compliance, and we did an episode about it a year and a half ago, maybe two years ago, but it's being improved, just like everything else on the internet, and there are new laws going into effect. April 2026 is when the first due date is so for certain websites to be ADA compliant before they release fines. So this is another like, can't miss conversation if you do own a website and you know, don't want to get fined.
Stacy Brockmeier 44:02
But when Monica says, April of 2026 Do not wait until March 15 of 2026 because your web developer will not be able to get you compliant in two weeks. It takes time. You should start today, if you want it done by April of 2026 Yep,
Monica Pitts 44:19
and I'm really excited which I'm going to say, I'm going to say this, and everyone's going to be like, what kind of psycho are you? I'm really excited because I just read the government website about this law
Stacy Brockmeier 44:29
said no one ever
Monica Pitts 44:32
like it was understandable. It was at least and, and I so I am really excited that they have documented what they've documented, and that it really is this understandable, so that way we can help people do this. We've been passionate about it for a long time, but I
Stacy Brockmeier 44:49
because people deserve to you be able to use your website no matter what ability they have. Yes,
Monica Pitts 44:55
and I'm excited that there's finally some clarification out there for how do you take a site that's already existing and make it compliant for the future? Because, I mean, we've looked at some sites and then, like, I wow, this is going to be a huge undertaking, right? But now they have clear cut rules, and we will go over them in the next episode of marketing with the best Yes. So if you enjoyed today's episode or learned a thing or two, subscribe to marketing with purpose on your favorite podcast platform so you don't miss these upcoming episodes, and remember, in the battle between humans and bots, a little knowledge goes a long way. Now go forth and market with purpose.