So again, welcome. If you are just joining us, open up the chat and say hello and let us know what your biggest takeaway from day one of Disaster Week was: something you learned that maybe you didn't know, or just a big aha moment. We'd love to hear from you in the chat with that. Right, captions should now be working for everybody.
Jeffrey needs to convince clients to make security a priority. Yes, we'll be talking about that in the second hour today. So, Doug learned yesterday, Timothy, that you were born with a keyboard in your hands. Is there truth to that rumor?
You know, it's just that there are Apple keyboards. They're very good, very portable.
Love it. Oh, gosh. Welcome back, everybody. Glad you're here. If you're just now joining us in Zoom, open up the chat and say hello. We're asking what your biggest takeaway was from yesterday. David needs more Swiss cheese in his life. Yeah, maybe so. The slide button on the link bundle is going back in the chat now; if you want to download either slide deck from either hour today, you can do that. The replays are up from yesterday if you want to go back and rewatch those. There's also a discount code for Disaster Week. Use that code, disaster week, for 40% off all the Solid things. We'll have more information about that at the beginning of the next hour. Hey Tanya, welcome from Finland. Good to see George from South Africa. Missing Dan. Welcome, Kenna. Doug. George. Yeah, welcome, everybody. Glad you're here. Hey, Stephanie. Manu. All right, folks, we're about three and a half minutes away from getting started officially. Welcome back. To tea, Sherry, Melissa, Bonnie. Good to see everybody. The check-in question today is what your biggest takeaway from day one of Disaster Week was. If you learned something interesting yesterday in the last sessions, we'd love to hear from you. I'm also going to drop in the chat the link bundle again for today. Session one and two slides are there waiting if you want to download those. And of course the discount code, disaster week, 40% off all the Solid things. Be the cat. That's great. So we're just about ready to get started, just a few minutes away. Timothy is going to be talking in the first hour about reducing our risk to nearly zero with Solid Security. Augustine, welcome. Glad you're here. Hey Sue, Kay Glass. Welcome, everybody. Phoebe, yes, sign out of all the websites. That's really a good thing. After Thomas Raef came on a few months ago and scared the pants off of me with that session-stealing cookie hack, I am logging out of everything religiously. I had a bad habit of not doing that. Hey, Rob, welcome. Murray, welcome.
Glad to see everybody. If you're just now coming into Zoom, open up the chat. Say hi. We'd love to hear what your biggest takeaway from yesterday was. Yes, SIM porting, Sherry. That's another big one. The link bundle is in the chat if you're just joining us and you'd like to download the slide deck for the first or second hour today. Those links are there waiting on you in the chat. We're gonna get started here in about a minute and a half from now. Timothy's got a great session lined up about walking through the settings in Solid Security that can help you reduce your risk to nearly zero for your WordPress site. Yes, Sue, great idea. With Kathy's hint, her pro tip on the four digits of the password. It's good stuff. Kathy's checklist was excellent.
Just about a minute to go now, folks. Glad you're all here. We've got a couple of great hours of security conversations coming to you today: Timothy in the first hour talking about Solid Security and the settings that can help you reduce your risk to almost zero, and I'll be talking in the second hour about talking to clients about security, the business side of all of this. So we should have some fun today. The slide decks are there in the chat. If you're just joining us, open up the chat and say hi. All those links are there waiting on you, as well as the replay link from yesterday. If you missed yesterday, we had an excellent presentation from Kathy Zant giving the state of WordPress security. I'd invite you to go back and rewatch that; it was quite good. Also, we had a great panel of security experts, really good discussion and comments on some of the big issues going on in WordPress security. So if you missed that, the replay is up from yesterday, and we'll have today's replay up about an hour after we finish as well. Welcome, Christian from Quebec. Just about ready to get started. Hi, Eddie. Yes, watch the replay. It's out there ready to go. Really good stuff from yesterday. All right, it is now three minutes after, so let's get the recording started and we'll dive right in. Welcome back to day two of Disaster Week for 2024 here on Solid Academy. My name is Nathan Ingram. I'm the host here at Solid Academy, joined today by Timothy Jacobs, the lead developer for SolidWP. Welcome back, Timothy. How are you? I'm doing good.
Thanks for having me, Nathan.
Yeah, we appreciate your wisdom on the panel yesterday. We had a great discussion with you and Kathy Zant and David Johnson and Thomas Raef from We Watch Your Website, really good conversations there. And today you're going to be talking to us about Solid Security and what we can do to reduce our risk to nearly zero. Do you want to give us kind of an overview of where we're headed in the next hour or so?
Yeah, so we're going to spend some time talking about some of my favorite features in Solid Security. We're going to talk about some of the threats that are facing your website and how you can use those features to help protect yourself. And then we'll have plenty of time for questions and answers, either about Solid Security specifically or security in general.
Very good. So our lineup today: Timothy will speak and we'll do questions for about an hour here, and right around the hour mark at two o'clock Central time, or however that translates to wherever you are around the world, I will take about a 10 minute break and then I'll come back for our final hour and talk about how to talk to clients about WordPress security. So just a couple of bits of housekeeping. The replays from yesterday are up; we've mentioned that. I'm going to drop in the chat once again our link bundle if you'd like to download the session slides for this session or the next. Those links are there waiting on you. And we invite you to ask questions, because we will have a good time of Q&A at the end of this session and the next session. Please use the Zoom Q&A link, which, if you mouse over the shared screen, you'll see that Q&A icon. You can click that and ask your questions there rather than the chat, please, because as the questions come up in that Q&A, you'll be able to upvote the questions of others, and we'll take those questions in the order of upvotes when we get to our time for Q&A. All right, Timothy, let's get started. I'm looking forward to this.
Let's do it. Yeah, so we're gonna be talking about how you can reduce your risk to nearly zero using Solid Security. And to do that, we need to take a look at what are some of the threats and vulnerabilities that your site might face. So one of the ways that attackers can come at you is just through your front door, through your login page. And so this is all about login security. It's probably the stuff that we know about the most. If your users are using weak passwords, well, that leads to brute force attacks. If your users are reusing their passwords, let's say they have a favorite password. We mentioned that phrase a couple of times yesterday. That's not very good. Or they have similar passwords. Let's say they have a password formula or a password pattern that's like, you know, five random numbers and the name of the website or something like that. That's not great. That's gonna lead to credential stuffing attacks. Those are when an attacker finds a database of passwords that were leaked from another service and tries those passwords across your actual site, saying, hey, this user is using this username and this password everywhere. Let's try it and see if we can get into the site. Something that you might not think of immediately, though, when it comes to login security is the reputational damage that your site can experience if you have issues like this. This isn't just about an administrator losing access to your site. Obviously, that's kind of a huge problem: an administrator's account gets compromised, you've got malware, etc., etc., etc. But this is also a risk if you let users log into your site. Let's say you are an e-commerce shop, or you are a BuddyPress install that has a membership-based component, anything like that. What you'll often find is that people blame the website when their account is hacked. It's rarely that someone says, oh, I messed up, my Facebook account got hacked because I had a weak password. Instead,
it's, oh my God, my Facebook account got hacked. Facebook, why did you screw up, yada yada yada? We saw this with 23andMe earlier this year and last year, where attackers ended up accessing personal data for millions and millions of users. This was because, in some ways, the users that were compromised were practicing poor security hygiene. But the users didn't see it that way. Certainly the larger internet news media didn't see it that way. You have a responsibility to mandate security best practices not just for yourself and your site administrators, but, if you're an e-commerce or WooCommerce install, for your customers as well. If their site gets compromised, if their account gets compromised, and their credit card details are able to get accessed, or their address and personal information, or orders are able to be placed, they're going to blame you. They're not going to blame themselves. We Watch Your Website earlier this year published some really interesting statistics about how sites are getting compromised that he sees through his service. And he found that 7.2% of hacks were coming through the front door with login security. And in some ways that's a small number, which I think is a good thing. It means that, you know, we are making progress. But in other ways, the fact that that 7.2% number is even 7.2%, that in some ways just seems very, very high to me, that still yet we have people not following the best practices. So what can you do? Well, in Solid Security Pro we have a number of different features that help in this regard. One is just enabling brute force protection. You don't need to let an attacker try as many times as they want to log into your site. You can stop them after they try a couple of times in a row and make it more difficult for them to get into your site. You can require strong passwords.
Solid Security has a really great feature where it will detect that a user is using a weak password and force them to change it during the login flow. So this isn't just something that is only for, you know, new accounts going forward. It's a great thing that you can enable, and Solid Security will take care of upgrading users and forcing them to put in place best security practices. You can also prevent using breached passwords through the Have I Been Pwned integration. So this is where credential stuffing attacks occur. Let's say your account got compromised on some other website, some forum, something like that, and they then retry and use that password. Well, with Have I Been Pwned, we'll say, hey, has this password ever appeared in a data breach? And if it has, we'll prevent you from using that password on that site, which is another great way to help your users protect themselves. You can also use CAPTCHA features. We recently launched an update to CAPTCHA that adds in a couple of new providers as well. So it's not just Google reCAPTCHA; if you don't want to use Google, you can use Cloudflare's Turnstile feature, which is excellent and the one that I recommend the most, or you can use hCaptcha. And this helps slow bots down. If you're able to say, hey, you need to complete this challenge to try logging in, it's a significant deterrent, so they can't just try millions and millions of attempts at once. What else can you do? Well, you can enable two-factor. The two-factor features in Solid Security let you enforce two-factor. So you can say, hey, all of our administrators or editors, people who can do privileged things in our site, we can force them to use two-factor. And when you do this, you'll use a feature in Solid Security that I think is pretty unique, which is our two-factor onboarding sequence. So this automatic onboarding flow lets users get up and running with two-factor without your assistance. You don't need to get involved.
All you need to do is say, hey, Solid Security, make sure all my administrators are using two-factor. And the next time the user logs in, we'll prompt them to set it up. We'll tell them what the feature is about. We'll make sure that they understand how two-factor works. They need to enter in a two-factor code before they can continue. And you will get all of that happening for you in the background without you needing to go from user to user and say, okay, I set up two-factor for you, or, you know, let's go into the Zoom call and show you how this works. You can use these automatic onboarding features. And when you use all these features combined, you can see, this is data from Google that showed how attacks were able to be prevented using two-factor challenges, using things like security keys as well. Now, I know what you're probably thinking, which is that, okay, well, two-factor is great. I know two-factor is great, but it's really hard to convince my clients to use two-factor because it's confusing or it slows you down. And so for that I say, let's use passwordless login. So I've given a talk a couple of times now about killing the password that really dives into it. But passwordless login using passkeys is a faster and more secure way to authenticate. It lets you skip your password and lets you skip entering in two-factor authentication. And it provides basically a one-click login experience. You can see here, I just clicked "use my passkey" and I logged in. My device authenticated me; my device made sure that I was logging in to the site that I thought I was logging into. So it's also phishing-proof. We're not going to dive into everything about passkeys today.
There is a whole hour about it if you want to check it out on the Academy, and you can take a deep dive into why passwordless login is important using passkeys. But I'd say it's a good option if you have it. If this demo doesn't convince you, read the whole hour or watch the whole hour and we'll really dive into it. Another thing that you want to consider is access management. You don't want to be in a spot where everyone on a site is an administrator, where you just give admin access out willy-nilly. You want to make sure that when responsibilities change, people's access changes. If someone needed an administrator account to do some initial setup, but now they're done with that, consider changing their roles and changing their capabilities. You also have to make sure that you have a plan for when employees leave. You know, no one sticks around in the same company forever. And you want to make sure that when an employee leaves your company or leaves your agency, their access isn't maintained anymore, that they're no longer able to log into all of your sites. So how can you accomplish this with Solid Security? Well, there are a couple of things that you can make use of. One is just make liberal use of the roles that exist in WordPress, right? We're not limited to just an administrator or subscriber. We've got five that are built in. If you want to go further than that, you can. There are great plugins like User Role Editor that let you get very fine-grained and say, hey, I want a user that can do exactly these couple of things. Do that. That's awesome. We have some really cool features in Solid Security too, though, that can help you. One is the privilege escalation feature. This lets you say, hey, normally this user just needs author access, but I need to give them some temporary access. They need to do something special, but only for the next few days.
And what privilege escalation will take care of is saying, hey, once that period has expired, they'll revert back to their previous access. This is good both for, you know, when you have a team member who needs to take care of a special task, but also if you're reaching out to support, either our support at SolidWP or the support for any other WordPress companies. Instead of giving them an administrator account that sticks around forever, create them an account, set it as a subscriber or an author, and then temporarily give them privilege escalation for a week, let's say, to an administrator. And you can rest more easily knowing that, hey, there aren't just administrator accounts hanging out there that are waiting to be compromised. You can also use some other cool features in Solid Security, like the Site Scan. So our Site Scan feature takes care of looking at vulnerable software, for instance, but it also looks at inactive users. So if you have users on your site who haven't logged in recently, you can easily use the Site Scan feature to identify those users and demote their capabilities. If they aren't logging in every day, maybe they don't need administrator access anymore. Maybe you can demote them to an author.
Another general tip that I recommend, though, is just centrally document when you're giving out access. If you're giving privileged access, write that down. Start up a spreadsheet, a Google Doc, that says, hey, this employee has access to these systems, whenever you give that out, so that you know what different things to go through and revoke. It's not just WordPress sites. It might be, you know, email accounts, marketing automations, all these different tools. Start with that in place so you're not saying, hey, two years from now when they leave, oh gosh, what are the 15, 20, 30, 40, 50 different services that I invited them to? You have one place to consult. So what's another aspect of how attackers can compromise your site? One of them is through the back door. And by this I mean vulnerable software. Patchstack identified nearly 6000 issues last year, and the majority of these are in plugins, over 97%. The remaining 3% we've seen in themes, and it's just a fraction of issues that are in WordPress core. Every so often, we just had 6.4.3 get released, I guess a month or two ago at this point, which was a security release that fixed a couple of issues. But really the primary issue, and we talked about, hey, is WordPress insecure, it's not WordPress core. It's WordPress plugins. We Watch Your Website identified that nearly 33% of attacks that they saw on the sites that they clean up were due to vulnerable software. There are some things that you need to understand about vulnerable software. We talked yesterday about how there are 100, 150, 200 different vulnerable software issues that are reported every week now in WordPress. And so that means you kind of need to take a look at vulnerabilities and say, okay, let's not get too overwhelmed. One of the things to keep in mind is that not all vulnerabilities are equal. A remote code execution attack,
where an attacker, let's say through the Bricks vulnerability, is just able to execute PHP code arbitrarily on your server, that is way more severe than, for instance, a self cross-site scripting attack, where an attacker needs to trick you into clicking a link or entering in some data into a form. If you just look at the reports at a glance, you might see, oh, these are all the same. I've got 15 issues here; how am I ever gonna resolve them? But you can use things like the CVSS score. This is a score that ranges from zero to 10, and the higher the score, the higher the severity. And you can also use providers like Patchstack, who we integrate with, to help you determine a priority and say this is when you should patch it. For example, this is the WP formance vulnerability that happened earlier this year. It has a high severity, but it wasn't known to be exploited to Patchstack. And so they came up with a patch priority based off of how likely it was to be exploited, how easy it is to be exploited, and say, hey, you should patch this within seven days. So these are kind of tools that you can look at to help you identify what fixes need to be made. Now, what we found with Solid Security, and I checked the data last night, is that 45% of websites that are running Solid Security right now have at least one bit of vulnerable software installed. So what are some things that you can do with Solid Security to help? One is, we have an awesome vulnerabilities page that tracks all the vulnerabilities that are affecting your site. So this gives you one view. You don't need to watch your email or look in the logs; it gives you one place where you can log in and see all of the vulnerabilities that are affecting your site. It'll automatically scan for you multiple times a day to find new vulnerabilities. You don't need to remember to go back and click Scan and click Scan and click Scan. It'll take care of that for you.
We also give you recommendations on how to resolve the issue that are specific to whatever vulnerability is actually present on your site. So for instance, this ancient WooCommerce plugin vulnerability: a fix was officially released by WooCommerce, so we recommend you update that plugin right away. If you can't, you can deactivate it. We'll give you those choices there and let you know what actions you should take depending on the vulnerability. Another really cool feature is that it lets you view the historical vulnerabilities that have affected your site. So let's say this Ninja Forms vulnerability. We can see here that, hey, we updated this plugin on February 15. The vulnerability was reported on this date. And so you can go back, and if a client asks you, hey, whatever happened with that Bricks vulnerability, you can see, oh, we automatically updated that, or we manually updated that, or we deactivated and switched away from it. You can see all of that data inside of Solid Security. So you don't have to be guessing or trying to remember what happened. And as you've been running the plugin for a long time, you'll see over the period of months and years what vulnerabilities have affected your site in the past. There's another really cool feature that I want to talk about, though, which is virtual patching from Patchstack. The thing to keep in mind, and we talked about this yesterday as well with the Bricks vulnerability, is that sites can start getting compromised within hours or days of a vulnerability being published. So think about, hey, what if this happens when I'm on vacation, or if I'm away from the computer, or I just didn't know about it? Virtual patching is there to protect you when you're not able to update. Now, it's not just when you're not able to update because, hey, you're AFK right now, but 25% of the virtual patches that Patchstack publishes cover you when there isn't even an official fix out yet for the plugin.
This is a vulnerability that's out there; the plugin author hasn't been able to fix it yet, or is unwilling or unable to, and there's a virtual patch to protect you. So this isn't just, hey, okay, I'm gonna be on my site 24/7, and the second I see a vulnerability I'm gonna update to the fix. These are also important because they can protect you even if there isn't a fix. Even if you want to do the best thing possible and update immediately, you might not be able to. So how do these virtual patches work? Well, they're targeted firewall rules that are deployed to your site to block attacks from being executed. And so what that means is, if you can't update yet, let's say there is a severe WooCommerce vulnerability and you just can't update that right away without doing a lot of testing, well, this targeted firewall rule will protect you by blocking that specific attack vector from being executed. These are also highly targeted. So this isn't just a general, vague rule. And what that means is that they have a much, much lower false positive rate. There are some tools that will kind of offer broad, general blocks, where they try and say, okay, anything that kind of looks like this, well, we'll block that. But those can have false positives, where suddenly you're just trying to use your site and, oops, it didn't protect you, or you're trying to use your site and it triggers one of these false positives and you get blocked from trying to do something normal or innocuous. But Patchstack creates virtual patches for every single specific vulnerability, not just broad patches. They have, I think, over 6000 vulnerabilities with vPatches at this point, which is way more than pretty much any other provider out there. And if you're using Solid Security, or the Solid Security Patchstack add-on for our older customers, you don't get that protection automatically. It's important to keep in mind that patches are mitigations.
So you still want to update. Don't just be running an ancient version of WooCommerce forever, but they're there to help you when you can't update, either because you're AFK or, you know, a fix just hasn't been released yet. So what does this look like in Solid Security? We can see an example of this with this WooCommerce vulnerability. You have this badge up in the top right that tells you, hey, this was patched automatically. And in our Status section, we tell you that, hey, a virtual patch was automatically applied to mitigate this vulnerability. We still do, again, recommend that you update. Don't keep things inactive forever. But this patch automatically installed some firewall rules. And you can see that if you ever go to the Firewall section in Solid Security, you'll see that, hey, here are these different firewall rules and they came from Patchstack. If you want to, you could deactivate them, but we don't recommend that; they're there to keep your site safe. What else can we do to manage updates? Well, I would keep in mind at this point that sites have lots and lots of plugins, and updates are important. So you should schedule the time to do them. Don't make this just a thing of, okay, I decided to log in today and I have some free time, I guess I'll apply some updates. Make it intentional, that you say, hey, let's apply these updates this day. And don't do this too infrequently. It's easy to say, okay, you know, every second Tuesday we're going to apply updates. I don't think that's a good idea these days. You need to do it more frequently. I would say at least once a week is when you should be saying, okay, let's look for updates and apply them. The longer they sit out there, the more updates you have to apply, the more complicated it gets anyway, but that also helps with security updates. You'll see, for instance, from Patchstack, a lot of their issues, they say, hey, patch this within seven days.
So if you're applying updates once a week, you're gonna be on top of that. You should prioritize high severity issues. So if you have a huge list of updates to apply, and you see that some of these are security related, work first on the ones that are high severity. You don't need to just go in the order that they were received. Look at their severity, look at the priority, to help you determine which updates you should install. You can also use hosts like Nexcess that provide automatic updates with visual regression tests. One of our fears with turning on automatic updates is, okay, what happens if my site just breaks? But using tools like these that do automatic regression tests can say, okay, there was an issue with this update. We're not going to apply it to the real site, or we're gonna roll it back, and we're gonna notify you that you need to do manual intervention. But for everything else, we'll take care of it automatically.
You can also use Solid Central to apply updates across all of your sites, and that gives you one UI where you can work them down. And we're bringing some really cool updates soon to that screen as well. You also have the option to enable auto updates for security fixes. This is a feature in Solid Security Pro and the Version Management module that will let you say, okay, we detected that this patch is a patch that is resolving a security issue, so let's just automatically update to it, even if you wouldn't ordinarily apply automatic updates for that plugin. So the last threat to be aware of that I want to talk about today is under your nose. And so this is about session stealing attacks. So this is something that we did a webinar on a couple of weeks ago that really dived into it and did some cool demos about our features in Solid Security. But if you haven't heard about session stealing attacks, this is when malware is installed on your device, and it steals the actual cookies that you use to authenticate with WordPress. These cookies are then sent to an attacker's botnet, or they're sold off. And with these cookies, now an attacker is able to fully impersonate you. They have your full capabilities. For all intents and purposes, they are you. It is your actual login. And a big thing to keep in mind here is, because they're stealing the cookies, and these cookies you get after you've logged in, it means that usual protections like brute force prevention or two-factor aren't able to effectively block this attack, because you actually logged in and you completed two-factor, and then the attacker stole those cookies. Thomas from We Watch Your Website found that this affected nearly 60% of the websites that he was cleaning up, and that is a huge number. So what can you do? Well, the first thing is keep your computer secure. If your computer is safe, if you're not using untrusted devices,
if you're always connecting over HTTPS on secure Wi-Fi, you're not going to be subject to this attack. If you're just, you know, using your home computer, you're up to date, you have no malware installed, then an attacker isn't able to magically steal your cookies. Your device must have in some way been compromised, or you're using a compromised network. Or let's say you go to a computer cafe and you're like, hey, I'm gonna log into my e-commerce WooCommerce site and, you know, nothing will go wrong, I'm sure that's fine. Don't do those things. Keep your device up to date. Use the firewall tools or anti-malware tools that are installed on your devices, Windows Defender, Gatekeeper on Mac devices, those types of tools, to keep your computer safe. You can also implement additional controls on sessions. And so this is where the Trusted Devices feature in Solid Security comes into play. What Trusted Devices lets you do is it alerts you when a login has happened on a new device. So this can be, hey, I'm just now traveling for work, let's say, and normally I'm based in New York City, but now I'm in Huntington, apparently, from this demo. And you'll get an email that says, hey, is this you? Are you trying to log in from this device? And you can say, yes, it was me, or you can secure your account and change your password if it got compromised. But it comes with additional features as well, one of which is restrict capabilities. So if someone is logging in on a new device, we'll restrict their access. Instead of being able to do everything, like install plugins, create new users, edit your passwords, instead they only have limited access. So if you are on the road and you need to, you know, make a quick update to your posts, you can do that. But when you want to take more sensitive actions or more secure actions, you will be prompted to actually confirm that new device. Another feature is session hijacking protection.
You can see a cool demo that we did with David a couple of weeks ago in our webinar, where we said, hey, what would it look like if someone stole your session cookies? And you can take a look at that to see how Solid Security would stop that attack from taking place. So in summary, you have to think about the weakest link. One admin account with a weak password can result in your site getting compromised. One unpatched plugin with a critical security issue can result in your site getting compromised. We need to stay ever vigilant. We need to be making sure that, hey, if one thing slips through, that can be, you know, a disaster. So use every tool available to you. This isn't something, I think, once you're managing more than one site, that you can reasonably expect to stay up to date on all by yourself. Use tools that help you, and of course, the tool that I like is Solid Security. So I'm now at this point ready to open up the questions, Nathan.
All right. Excellent overview of all the things that Solid Security has to offer, and we have plenty of time for your questions. There are 10 questions currently stacked up in the queue. Folks, if you have a question about anything regarding WordPress security, including of course the Solid Security plugin, open up that Zoom Q&A and drop in your question. Also upvote the questions of others. And we're just about to start taking our first questions. The first one being from Paul. Paul says, in the past, moving the wp-config file to the root level of hosting, at the same level as public_html, helped to protect a site. Is that still something that helps?
I guess I'd say, does it hurt? I mean, originally some of this was, how do we make sure that, hey, wp-config is not exposed in the public_html directory. That was kind of the idea. So we would move the wp-config file one level above public_html, actually. So you'd have public_html/index.php, and that index.php would be the WordPress, and then wp-config would be below that. So it'd be wp-config, public_html, everything else on one level, and then your WordPress. And so the idea is that, hey, if we move that out of the web root, it could prevent some attacks. I'd say at this point, you know, it doesn't harm anything, but unless your server was misconfigured in the first place, it isn't going to be a problem to begin with, if that makes sense. So it doesn't harm anything. It's an easy thing to do, but it's probably not actually preventing an attack. Especially these days, I think those types of server configurations are much rarer.
Yeah, so one of the tools in Solid Security allows you to check out file permissions, and it shows you what the recommended permissions are for things like the .htaccess file and wp-config. So I know just from using the product that the recommended is 444, right, for wp-config. So if the wp-config lives in the regular WordPress directory in public_html and it's set to 444, you'd say that's pretty secure?
Yeah, there's no issue there. So if you had a scenario where PHP files were not being properly executed, which is kind of where this attack lies, then if someone went to yoursite/wp-config.php, it could return the plain text of that PHP file. And then they would have your database credentials and your salts and things like that. And that could be an issue. These days, though, that is not really a thing, where servers are configured in such a way that we only say, hey, only index.php can be directly executed. So yes, I would say putting it in the root level is totally fine. And yeah, it's great to use that file permissions tool in Solid Security to help you identify what permissions aren't what they should be. To answer the question, I do this on some sites. So for a couple of sites, I have a pretty specific custom setup of how wp-config.php works, and they are better than others. I'd say at this point, it's just not on the top of my list of security improvements. I think there are more significant things that you can be doing. Yeah.
Good. Next question, that was from Kenneth: is there a class or video on how to set up the free parts of Cloudflare? I see a lot of areas there but I don't know how to set them up. And Timothy, before I turn this to you, let me just mention that actually the premium course for the month of April, which will be about a month from now, I'll be doing a course specifically for WordPress agency owners on setting up Cloudflare, basically all the stuff we've learned in my agency over the last year and a half or so of muddling through Cloudflare and getting things set up, both with settings and processes, with how we migrate things, and just what we've learned from moving 100 sites into Cloudflare. So that is the premium course for April. You could register for that if you're a member of Solid Academy. It's up there on the courses now. But let me pivot back to you, Timothy. Anything that you would recommend on that, or how effective even is Cloudflare as part of a holistic security approach for your website?
Yeah, um, so I would say that sounds like a great Academy training to check out for this. I think we've talked about in the past offering more content through SolidWP about how you can most effectively use Cloudflare, and that sounds like a great session. Um, in general, I'd say Cloudflare is definitely a great tool in your tool belt, and if you are able to use it, I highly recommend it. I would say it works very well in conjunction with some of the other features of Solid Security. So Cloudflare offers, for instance, WAF functionality. Their WAF functionality is more broad than Patchstack's virtual patches, so they're applying things like, okay, let's try and prevent a large set of cross-site scripting attacks, or a large set of SQL injection attacks, things like this. And you'll find that those have trade-offs, right, where sometimes they're not able to protect against an attack like Patchstack is able to. Patchstack is dedicated to WordPress specifically, and so they create new patches multiple times a day, which Cloudflare often won't be. You also see, because of Cloudflare's kind of broad-based support, that you might actually run into issues with Cloudflare. I, for instance, writing about security, sometimes you can try and publish a blog post and Cloudflare will say no, because you're describing a SQL injection attack and they're like, oh, that looks like a SQL injection attack, we're gonna block that. How on earth do I publish this blog post? Cloudflare, get off me. So you'll see kind of the difference between how Cloudflare works and how Patchstack works. I think they work excellently in conjunction with each other. But Patchstack is able to go beyond that and say, okay, we've detected you have this specific vulnerability, we're going to create a patch that protects against this specific vulnerability.
Yeah, it's really good. I think this is a great illustration of the analogy that Tomas made yesterday with the holes of Swiss cheese lining up. Actually, Patchstack is just another layer of cheese: Patchstack is a layer, Cloudflare is a layer, server-level security is a layer, WordPress security with Solid Security, and they all hopefully can block all the holes so no hole goes all the way through. Really good. Okay, question from Vern. We get this one a lot. Hide the back end, which refers to changing the wp-login URL, changing the wp-admin URL to something else. Is that effective in today's WordPress security landscape?
I do not use this feature on any of my sites. I will say if I could, I would remove it. And we know this is a feature that a lot of people like, so we don't have any plans to currently. But what we always encourage people, if they reach out to our support desk and ask about this feature, is use things like I talked about in the login security section. Those provide real security. Oops, these slides went away. Those provide real security. So those are things like saying, hey, two factor, CAPTCHA, lockouts. Those are much better than just making your login page something different. You're adding like one small step, but oftentimes, hey, if you're an e-commerce store with WooCommerce, your customers need to log in. So there's going to be a login page that is exposed out there, and that feature isn't going to protect you. So no, it is not a feature that I really recommend. It falls under these kind of warm and fuzzy type of features, I guess you could say. But I don't think they provide the real security that we want, which is, you know, use two factor, require two factor, prevent people from logging in 50 times from the same IP address in a minute, use CAPTCHA, all of these different things.
100%. It's so much better just to have a CAPTCHA between the world and your login page, no matter what that URL is. Having a CAPTCHA, exactly, that's really the thing. Okay, question from Sue: Timothy, which plugins do you use, or feel comfortable setting to auto update?
So I may be controversial in this: I auto update most plugins. Solid Security has a really cool feature in the Version Management module, which lets you delay auto updates. So for instance, let's say you have a plugin that, you know, releases updates that sometimes break things. You can say, hey, don't auto update this immediately, but auto update two days after it was released or three days after it was released. And the idea behind that is saying, okay, if there was a bug, they caught the bug, identified the bug, fixed the bug, and now auto update to it. So it can still be something that happens in the background. But I'll be honest, I auto update most plugins, I think. You want to make that decision when you're setting up the site. If this is a plugin that I'm not comfortable auto updating, should I be using that plugin in the first place, if this plugin author is so frequently releasing updates that just completely wreck my site? Maybe that means it's a different plugin for the job. Now I say this as a developer who, you know, very much happily will build everything and anything from scratch. But yeah, I have, you know, Yoast SEO set to auto update. I have a lot of different blocks plugins set to auto update. And yeah, I try and keep my plugin list down, not at 50 plus, so it helps in that regard. But I totally understand if that's not something that you're comfortable with doing, either because of the complexity of the site, and that's where, you know, virtual patching and those types of tools come into play. So, let
me dig in and push back on something on that. I think maybe I need some education on this too, or a different way to think about this. But sometimes well-known, reputable plugin developers, certainly big ones that everybody would know, will push an update, and it'll break something unintentionally. And they'll push, you know, a dot-one version of it within the next couple of days. What danger is there, does that worry you, just having everything set to auto update?
So I would say yes, there are plugin authors that release plugin updates that just totally break everything, and those are on my list of plugins that I try not to use. Yeah, without naming names. I guess that would be my general approach, right, is that I much rather, when I do client work these days, usually we're building something very specific, and we could build it with, you know, a combination of six different plugins, but kind of the value that I'm able to bring to the client is to say, hey, we architected this special. We have developed it with your specific use cases in mind. We're not using, you know, 5% of a plugin, and 5% of another plugin, and 5% of another plugin, and that's where things kind of start to break down. So I would say it's a different kind of approach for building things, where it's more, okay, what are the plugins that I'm very comfortable with, that I think are bulletproof, and, you know, set them to auto update, and I'm not particularly worried about it. And if those aren't ones, whatever the thing is, then I should just build it instead, and write the code specifically for that client. And I know that their site will be more stable, because they also didn't, you know, get a new feature that they didn't ask for that completely changes the UI, things like that. So I would say it's a different approach. But it is not at all uncommon to have that feeling around auto updates, which is again why, you know, Patchstack and things like that are helpful tools. Also because there's the 25% of cases where there just isn't a fix available for the security release. But yeah, that's generally my attitude: how can I reduce the plugins that I'm using that are just breaking things all the time?
And for the ones that do, set an auto update delay, say like, hey, five days, and if the plugin has been stable for five days, then it's probably good enough to auto update at that point. You would hope that if they break everything, it gets fixed pretty quickly. And
that delay is part of the Solid Security Version Management feature. And let's just say there's also a setting on that Version Management page that allows you to auto update if a vulnerability exists. If that's the case, then that delay doesn't come into play, right? It auto updates no matter what. It's a fantastic feature. Okay, question from Dan. How resource heavy is Solid Security with its constant scanning and so forth?
It's pretty light. So we don't believe that a plugin should be doing things like individual file scanning for malware. It doesn't make sense to happen in a plugin. Thomas, I think, has done a couple of different discussions about this, I think on our SolidWP Academy, where he finds malware that one of the first things they do is turn off a file scanning feature and say, hey, I'm all good, or they whitelist their plugin, things like that. So we don't believe that plugins should be doing that type of heavy scanning. Instead, we do things like, hey, checking for vulnerable software. And that's very fast, that's very minimal. We make API requests out to our servers, and it contains the list of plugins you have installed, the versions, and it does a really quick check, so it doesn't really add any weight to your site. Things like checking for inactive users, all of these things are pretty resource light. So that is a really key thing that we keep in mind when we're building Solid Security: we don't want to slow your site to a crawl. If your site is so slow that no one can use it, it doesn't matter if it's 100% secure. But yeah, we don't believe in putting those types of super heavy features in the plugin. They are best left for other services. We're focused on preventing an attacker from getting into your site, as opposed to, okay, an attacker has gotten into my site, now I need to scan my site for malware every single day and for infected PHP files, because then you are talking about a very intensive process. And it's something that smart malware these days can just disable.
Yeah, and it seems like, especially, a file-level malware scanner seems like that should be something that lives at the server level, right? Yeah. So
Thomas's tool, for instance. That's one of the things they do: they send the files off to his servers, and then his server is able to very efficiently scan them. It doesn't make a lot of sense to be doing that from WordPress, both for the performance reason and for the security reason. If it's happening in WordPress, then any plugin can stop it from happening. There's a lot of reasons why that doesn't make a lot of sense. For virtual patching with firewall tools, that's another thing to keep in mind. So that's why virtual patches from Patchstack only apply if your site has that specific vulnerability. They don't apply, you know, 20, 30, 40, 50, 100 generic firewall rules that apply with every request. We only apply specific firewall rules, and only if your site is vulnerable. If your site doesn't have a vulnerable version of Timpson, there is no reason why you should be looking for attacks against it and blocking them. It doesn't provide you any security benefit; the attacker wasn't going to get in there anyway. What that is doing is things like DDoS protection, stuff like that. But that shouldn't live in the plugin too. That's where you want to use Cloudflare in conjunction with Solid Security. Solid Security isn't going to protect you if 10 million requests hit your server within an hour, and no WordPress plugin can, but that's where tools like Cloudflare come into play. And again, the Swiss cheese analogy
is this, it's such a great point, I don't want to zip right past, because this multi-layered approach is critical. And honestly, correct me if this analogy is wrong, Timothy, but you know, back in the day, there was this season of WordPress theme development where people were selling themes on a giant marketplace, and the way they found to sell themes was to cram all these features in there that really should have been in plugins, but they were kind of rolled into this giant kitchen-sink type theme. And they ended up being a bloated monster that was just really difficult to manage long term, and slow. And so maybe some security plugins for WordPress are kind of adopting the same approach, like, we have a scanner, we do these things, but we should really separate those out to have a lighter, more efficient site. Am I right on that?
I agree. I think the things that should live in WordPress should live in WordPress, the things that should live at the network level should live at the network level. The things that exist in your server should exist on your server. There are things, for instance, I don't think Cloudflare is going to offer passkeys as a login method, right? If you have a credential stuffing attack, Cloudflare probably isn't going to prevent that, because someone, the first try, they log in, and they know your username and they know your password because you're in a breach. There's no opportunity for Cloudflare to protect you there. But if you're using Solid Security to prevent a user from using a password that has appeared in a breach, that's the perfect thing that should live in WordPress, right? It wouldn't make sense for Cloudflare to, you know, somehow be operating on your WordPress site and pop up an update password page or change how your login process works. That wouldn't make sense for Cloudflare to do. So use the tools for what those tools do best. And take advantage of the fact that some of those tools can live in WordPress and can provide a context, knowing that this is a WordPress request with this user and this password and they're trying to do this specific thing. Yeah,
really good. Okay, moving on to the next question here from Nate. Does Solid Security provide a way to have a two factor code sent to a phone via text, like what Facebook does?
No. So we do not, and we do not plan to. SMS two factor is convenient. It's a way that you can kind of get people a little bit more used to it. But I would say at this point email, in my opinion, is just as convenient. But the issue with two factor via text messaging is that SMS is not a great protocol, and a lot of mobile phone providers don't have the best security practices around things like preventing SIM swapping attacks. So I would say SMS, in my opinion, is a legacy two factor method. It was helpful for getting people used to the concept, but I think at this point everyone is familiar with email-based two factor. And my big push really would be, hey, use passkeys. That gives you a two factor experience that exists on your phone. Or not a two factor experience, well, it's kind of a two factor experience. The point is that it has your phone and your biometrics, and it accomplishes that same bit, but doesn't rely on a text message being sent and all of that happening. It just provides you with one simple login flow that is protected with Face ID or Touch ID, things like that. So no, we do not, and we do not plan to. Right
answer. Okay, here's a good question from Stephanie. So Stephanie, I'm guessing you're a legacy iThemes member. She's asking how to activate virtual patching: I have Patchstack in Solid Suite, it's on the dashboard, but the firewall is inactive. So
if you go to Security, and on any of those things you can click into the licensing page. It's under Settings and then SolidWP Licensing. And there'll be a section there that says Patchstack enabled sites. And so if you are a new customer, when you activate a license, Solid Security will automatically enable Patchstack for you. But if you are new, or you don't have enough Patchstack licenses, let's say you are a legacy customer that had a Gold subscription, for instance, you then need to choose to enable Patchstack for that site. So the thing you want to do is go to Settings, SolidWP Licensing, and enable Patchstack for that site. If you're still having trouble, that's an excellent reason to reach out to support. If you go to solidwp.com, there's a link to support, and they'll be able to help you out. But that is probably the bit that you're missing. Make sure your plugin is licensed.
Yeah, very good. And I'm also dropping in a link to a live stream we did back in December that covers a lot of the how-to, even positioning, if you're a legacy iThemes customer for example, positioning an upgrade with a Patchstack firewall as a better layer of care plan. So that link is there in the chat. Yes, definitely. So if you're still having trouble with that, reach out to support and they'll give you some help right away. Kenneth is asking what the 40% off deal is for. So, Kenneth, I'm going to go into a lot of detail about that in the first part of the next hour. It is for any purchase from SolidWP other than the Solid Central monthly, and it also does not apply if you're adding licenses, Patchstack licenses, as a legacy iThemes customer. But anything else, the Solid Suite, any of the products, the 40% off is good if you are a new customer. Let's see. Manu has a question here. Manu says, my email has been pawned, so I changed my password. Is this good enough? And when does their database update so you can see if the pwned email is updated?
Oh, pwned, yep, yep, is what's going on there with that spelling. So the service that we use is Have I Been Pwned, and that relies upon a Troy. Okay, now there are two choices. They're both Australian. One of them is a WordPress person and the other one is a security person. I think Troy Dean is the person who runs Have I Been Pwned and Troy Hunt's the person who runs... or the other way around. Two Australian people both in this space is very confusing. Troy Hunt kind of collects data and is responsible for ingesting things into Have I Been Pwned. So it isn't really specific to your email address, but more about the password. There's also a Have I Been Pwned service where you can just enter in your email, and it'll show you, hey, here are all the places where we find your credentials in a database breach, which is awesome. But what we specifically use in Solid Security is their password feature. So it checks whether a password specifically has been entered into that database.
Yeah, very good. So Manu, if you update your password, it's not going to remove it from that Have I Been Pwned database, right? That's basically letting you know that your email address has shown up in a breach, and that's always going to be there. Tina: how does two factor work if your sites are on Solid Central?
I don't know what this is driving at yet.
I think the question is, if I'm accessing my site through Solid Central, is there a way to turn on two factor? Is two factor needed in that case?
Okay, so the two factor in Solid Security, what? Yeah, what she was asking, basically. Um, so when you authenticate for the first time with Central against your WordPress site that has Solid Security installed, you actually go through a specific onboarding process that shows you, hey, you're gonna connect with Solid Central, and it will give you a big purple button to click on, and you'll get connected. Then for further API requests that Solid Central makes over to your site, it's not going through the login form, so it never runs into two factor. And there are some specific features in Solid Central that do help you with two factor. So for instance, you can bypass two factor by clicking a button in Solid Central. And if you use Solid Central's feature to automatically log you into your WordPress site, you don't need to enter in your two factor code. But yeah, there shouldn't be any conflict there. You don't need to turn it off or anything like that. It'll just
work. Good. Question from Nate. Does Solid Security provide a recommended set of settings, like via an export JSON file or something? How do you figure out what the best recommended settings are? Yeah,
so we don't specifically. The general thing is that we like our defaults, and then it is just up to you what more things you want to apply. So for instance, having two factor is better than not having two factor. Having, you know, more protections available, having more checkboxes checked, so to speak, is just oftentimes more secure. We try not to have anything where it's like, hey, if you missed this, this is a complete disaster. It's really up to you what kind of security features you want to have enabled. There are docs that talk through, like, global settings and things like that. But generally, in the plugin we'll say, hey, these are the things that we recommend. The defaults are things that we recommend, and it's just up to you to say, hey, what more features do I want available? Do I want to have passkeys? Do I want to have two factor? And we can't make that decision
for you. And where does the onboarding wizard factor into this? Yeah.
So when you go through onboarding, it'll ask you some things like, hey, do you want to use two factor? And if so, it'll automatically configure it for you. If you want to use strong passwords, it'll automatically configure that for you. My recommendation is basically, enable everything. There's nothing that we have put in the plugin that we're like, hey, this is something that we don't recommend you using. The stuff that is, you know, more legacy is kind of hidden away, like Hide Backend. It's under the advanced section. I don't recommend it. It's there because people love it. But yes, my recommendation is to enable Trusted Devices, enable two factor, enable password login, enable passkeys, enable virtual patching, and enable, enable, enable, enable, enable.
I'm going to hand pick a couple more questions and we'll wrap this up and go to a break. Great question from Joan. Does Solid Security Pro come with Patchstack by default?
Yes. So if you are a new customer and you go on over to SolidWP and you make a purchase, you are going to have Patchstack. What you're going to want to do is, after you install the plugin, you want to license it, and that licensing process will automatically set up Patchstack for you. So yeah, all new plans come with Patchstack. And if you are an iThemes customer you can add Patchstack, but yes, all new plans come with Patchstack automatically. You don't need to do anything else besides just license the plugin.
Awesome. And last but not least, Tina: does your page speed suffer with all the blocked IPs that have accumulated over the years?
Um, so not really. Um, we do specific queries to get a list of banned IPs. There's also a setting for .htaccess where IPs that are banned get put into the .htaccess file, and if you go into the settings, there's a limit, which defaults to 100, of how many of those IPs actually get added into your .htaccess file. So if you had, you know, 10 million, it could be an issue. But even on my site that is many years old at this point and gets quite a lot of traffic, I don't have anywhere near that many banned IPs. So I haven't seen banned IPs specifically become a page speed issue. I just haven't seen someone get that high, where we're making such a large query that it would be pretty ineffectual. And it's pretty quick to compare IP addresses and just do a search for saying this IP address is here or it's not there. If you do have millions, I'd be curious to know more about your site, and then maybe it would make sense to remove some. But yeah, I have not seen that to be the case in any other sites I've come across. Very
good. All right, excellent session. Timothy, thanks so much for your wisdom, as usual. You always have excellent answers. Folks, thank you for hanging with us this last hour. We're going to take about a six minute break here. We're going to come back, and I'll be talking about how to talk to your clients about security, taking plenty of time for questions if you have specific things you'd like to talk about in regard to, how in the world do we make our clients understand these things? So that's what's coming up in our next hour. We're going to pause the recording and go dark for the next six minutes, and we're back at 2:05 Central time. We'll see you back then.
All right, we're back for the final hour of Disaster Week 2024. Hopefully this has been a great time for all of you who've been part of the whole thing. We will again have the replays up in about an hour, as soon as we wrap up here, and I'm dropping once again in the chat the session slides for today. You can download Timothy's slide deck as well as mine, which is now available there. All right, so across the break, we had several questions about upgrades, and I just want to address those briefly before we get into our actual content here. So first of all, we do have this deal that's going on: disaster week is the coupon code for 40% off of SolidWP products. Now this is for new purchases only. So you can't extend or add a new subscription to an existing account. It's also not available if you want to purchase Solid Central monthly plans, or if you're a legacy iThemes customer and you want to add on Patchstack licenses; it does not apply to individual Patchstack licenses. So those are the caveats on that deal, but it's a great deal if you've not yet become part of the SolidWP family. 40% off is an excellent deal, so take advantage of that. Now, several questions came in about updates. Patchstack is included if you buy the Solid Suite or if you purchase Solid Security Pro individually; Patchstack is bundled. If you're a legacy iThemes customer, Patchstack is an add-on for the legacy iThemes Security product that is now Solid Security. So there is a live stream we did that walks through how do I add Patchstack licenses if I'm a legacy iThemes customer, and that link I have dropped in the chat, and I will just invite you to walk through that. It takes you through the whole process. Matthew asks why it's an add-on. Well, I mean, to be frank, it costs SolidWP money for every site that licenses Patchstack.
And so that sort of cost involved in that was not factored into, you know, the price that a lot of folks paid for iThemes Security. It's an extra feature that was added with the Solid move, when Solid rebranded from iThemes. And so there wasn't a way to include that in older legacy plans. I don't think it's mean, I think it's just an additional feature that could not be included, you know, if you want SolidWP to be around for a while. So, you know, I think it's a pretty reasonable upgrade, particularly with the pricing per site, which is very reasonable and can be easily passed on to a client. That's actually what that livestream was about, the link that I gave you in the chat. All right, so let's talk just a little bit now about how we talk to clients. And actually, before I go there, let me just mention one more thing. I know there's a lot of you who are maybe new to Solid Academy, and we're grateful that you're here, and hopefully this live stream has been helpful to you over the last couple of days. Here on Solid Academy, we actually do two or three live streams every week on all sorts of WordPress topics. You can access all the upcoming training here at academy.solidwp.com. You can search for upcoming live streams and see everything that's available. Also there's a handy calendar view here that shows you all the things that are happening and allows you to register right here. So Tuesday, Wednesday and Thursday of most weeks we have a live stream about WordPress things, and we invite you to come be part. You can become a member of Solid Academy by purchasing the Solid Suite. That's the only way you can become a Solid Academy member now, and if you are a member, not only do you get access to all the free training and replays, you also get access to a weekly office hours with me, where we answer all sorts of WordPress questions, whether it's technical questions or business related questions. We always have a lot of fun there.
It's a good community of folks that gathers every Thursday. We also do one premium course every month, and I've just lost my window. But our premium course for this month is a WordPress accessibility crash course with Amber Hinds from Equalize Digital. Next month's premium course is the Cloudflare course, which I'll be teaching. So we always have a two-day, four-hour course every month. That's very helpful. I'm hearing reports in the chat that the coupon isn't valid. I'll look into that after we wrap up with our marketing team. Or David, if you're still on the stream, maybe you could ping somebody. Is anybody from the iThemes team on? Sara: disasterweek40. Okay, it's possible I typoed that. So the coupon code, Sarah is from the iThemes team, the SolidWP team, the coupon code is disasterweek40. So I apologize about that. That was likely my fault.
All right. So for those of you again new to Solid Academy, just a little bit about me: I've been working with clients on the web since 1995. I started with WordPress in 2008, all WordPress since 2010. For the last 10 years I've been a growth coach for micro agency owners, people who are doing WordPress things for clients. I've had hundreds and hundreds of coaching conversations over those years, and a lot of those are around this topic that we're talking about in this last hour, which is building recurring revenue, talking to clients about security to grow our businesses. I'm also the creator of Monster Contracts, which is a proven contract for WordPress client work. So let's start out with the foundational idea here, which is that recurring revenue is critical to our business. It is the foundation of a successful agency. It's virtually impossible for us to survive in the long term without some sort of recurring revenue, and if you're doing WordPress things, the natural place to start is with a WordPress care plan. It's a WordPress care plan, and all the products that are associated with that, that actually brought me to iThemes many years ago as a customer, long before I started doing any sort of livestreaming on our educational side here. So a WordPress care plan is absolutely the place to start to build recurring revenue. All the products that SolidWP offers are built around helping us do care plans better. So once you've built a client relationship, to maximize that relationship for the long term we want to build in recurring revenue with some sort of care plan. Now the challenge with a care plan is explaining to clients why they even need one, right? So we understand it, but getting a client, particularly a non-technical client, to understand the value of a WordPress care plan can be a challenge sometimes.
So what I'm gonna do in the next several minutes is basically give you how I explain things to clients and some of the common mistakes that I see happen, and hopefully give you some language that maybe you can use as you're trying to explain care plans to clients. So a couple of things I want to start off with are two very common mistakes that I see people in our position make when we are explaining care plans to clients. The first is presenting care plans as an option. So I would encourage you to consider care plans not an option but a necessity. A care plan is not like an extended warranty that car dealers try to sell you just in case something goes wrong. Instead, a better analogy is that a care plan is like regularly scheduled maintenance that helps to keep your vehicle healthy for the long term. Matter of fact, in my agency we don't take any website build projects that don't include a care plan. It's just part of our pricing. And I'll even tell clients, if they have a budget challenge, it's really better to spend less on building the website in a phase one, you know, spend less so you can afford a care plan within your budget. Care plans are that important. So the second mistake that I see people in our position make as we're explaining care plans to clients is waiting until launch to add a care plan. Surprising a client with a care plan at the very end, "oh, by the way, you really need to purchase this additional monthly thing that's going to keep the site that you've just paid for healthy," that's a bad idea. It never works out; it rarely works. And it can often cause the client to become very agitated: "You didn't explain to me that a care plan was needed in all these conversations we've had." So what I've learned over the years is that the key to selling a WordPress care plan is education, and that education has to start in the first conversation.
So we need to include care plan pricing in our proposal. That's my advice, as part of the total cost of the project. Now something I moved to two years ago was in my proposal: for years I used to have the care plan as a little checkbox, and you'd check the box if you wanted the care plan. Now it's just bundled in. There's a cost to build, there's a cost to manage, and one sign-here box that agrees to all of those things. So if you're struggling to get clients to buy your care plan, maybe it's because you're waiting a little too long or not talking about it early enough in the process. I recommend that you start talking about the management of the website in the very first conversation you have with the client. When you're starting to talk about pricing in general, position the care plan as, you know, the cost to build, the cost to manage. We're going to be here for the lifetime of the project to help you, you know, as things come up, and it's just all part of the conversation from the very beginning. I think you'll be much more successful at selling care plans if you position it that way and don't offer it as an option in your proposal; make it part of the price. So how do we educate clients? Education is key in selling care plans. Many clients don't understand why they need to have a care plan to begin with. And so one of the first things that I would recommend is that as you're talking tech with clients about anything, focus on benefits, not features. Save the technical talk for people that, you know, love the technical stuff. Most clients that you're going to work with are, you know, busy professionals or business people, and they're not as interested in technical things as we are. Generally speaking, I don't talk about gigabytes. As much as we love Patchstack, I don't talk about Patchstack with clients. As much as I love Solid Security Pro, that never comes up in a client conversation.
As technical people we love those details about our care plans. We love to talk with each other about those things. But in most cases, features don't sell. The small little things like Patchstack and Solid Security, those are things that are internal for us. Clients generally aren't as concerned about those things. What they're concerned about are the benefits. "With this care plan, what does that mean for me? I'm busy doing my business and doing my thing. I don't care about all these little technical details. How does your care plan benefit me?" And the primary benefit of a care plan is simply peace of mind for the client. I cannot tell you how important this is. It's very easy for us who love technology to get into a conversation with a client and talk them to death. It's just not a good idea. It's much better just to explain to the client the benefit: the reason we do this is so you can go about your business and not have to worry about the health and management of your website. That is absolutely the reason, and the way to most effectively sell a care plan. And part of this is just learning to determine what is the most important thing to a client. So we're going to see this pop up several times during the next few minutes in my talk, but you may have a client who, for whatever reason, is all about backups. Now backups are important, we know that, and I will mention that as part of our care plan explanation, but goodness, they don't need to know where we store backups and how often we necessarily run it or keep an archive. Most clients don't care about that level of detail. They just want to make sure the site is backed up. But I've had conversations with clients who've been burned by backups, and a lot of times they have very granular questions.
So when those things happen, absolutely engage with the client on those sorts of technical details, but in general, stick with peace of mind; that's really what the client is after. The next thing to consider, just another guiding principle in educating clients, is to position security as a partnership. So keeping a website secure, as you've heard throughout all of Disaster Week, there's a lot we can do on the website to keep a website secure, but the weakest link in the chain is typically the user, right? So we need to say that security is a partnership between us and our client. We can secure their website, but the client has to do their part too, and by the way, your contract needs to reflect this and explain what the client's responsibilities in web security are. And those can be conversations as well as you're onboarding the client into your management service: the kinds of things they ought to be paying attention to, the things that we've talked about throughout the course of Disaster Week. I'm going to give you a few ways to talk about those things later on in the talk today.
Another guiding principle is this question that clients always seem to have: "Yeah, but why would a hacker even go after my site to begin with?" This is something that most clients don't understand. Like, "I'm just a small business" or "we're just a little nonprofit," or, you know, "why would they even care about me?" And my encouragement to you would be to find a hacker analogy that connects with this particular client. See, it's not personal. Hackers don't care if you're a small nonprofit, if you're a mom and pop shop someplace, whatever. They don't care about you personally. Usually, they just want to use your website for gain. And there are some reasons for this. So try to find an analogy that connects with your kinds of clients. The story I always tell when I'm talking about this, or if a client has a question about why hackers would hack them, is a story that happened several years ago in our neighborhood. Now we live in a very safe neighborhood. But several years ago we had a string of car break-ins, and it turned out people's cars weren't being damaged, but things were being stolen out of them. And it turns out that there were a bunch of teenagers walking around the neighborhood late at night, walking from driveway to driveway trying the door handles of cars that were parked, and if a car was left unlocked, they'd go through the car and steal contents out of the glove compartment or purses or anything that was left in there. And that's very, very similar to what hackers do. They're just checking doors and windows of your website to see if anything is going to let them in, to give them easy access. But a hacker doesn't just try one door at a time. They've got software that scans the web looking for thousands and millions of open doors and windows.
It'd be like the hacker pressing one button and checking all the doors and windows of all the houses and all the cars in my whole neighborhood, and that's what they do. Again, it's not personal. They want to use your website for their gain. Now, what do they possibly have to gain from my little website as a little nonprofit or a little mom and pop shop? Well, they want your server resources. All the spam messages that you and I get, those are generated a lot of times by compromised servers. Oftentimes a hacker will go in and add some code to use the server resources to help generate cryptocurrency. It's not about you. It's about what they can use your server resources for. Sometimes they'll do content injection, where they'll inject ads for products that you probably don't want on your website, or they might redirect your website to other websites. And they do that very cleverly. So again, it's not personal; they're just trying to use your website for their own gain. Sometimes they'll also inject malware that can be used to further infect the visitors to your website. So all these are reasons. They don't care who you are. They just find an easy target that they can leverage for their own purposes. So find an easy analogy that connects with your customers; for me the car break-in one always works well. And then explain that it's not personal. They're not after you. They're after your server resources. So how do we then go about presenting a care plan to a client? I always use this. This lingo actually came up accidentally one day as I was meeting with a client in a coffee shop face to face, back when we used to meet face to face with our clients. Goodness, it's been a while since I've done that. But I actually took a napkin and I drew out this box with a big WordPress W in the middle, and I called it the four walls of protection. And here's what's included. I still use this explanation today. It's an acronym: HUBS, H-U-B-S.
These are the four primary things that our care plan does. We provide hosting, we provide software updates, we provide backups, and we provide security. And those are the four walls of protection that keep our WordPress sites safe. And this is what we offer as part of our care plan. Now as you're presenting this concept to your client, there are a few things to keep in mind. I'm gonna go into each one of these and kind of how I talk about them. The first, as throughout this whole process: pay attention to your client. If you're like me, it's really easy to geek out and go down a tech rabbit hole the client doesn't care anything about, so I'm really careful as I'm talking about anything technical with the client to watch for eyes glazing over. You know, you're talking and you're really excited about what you're talking about, and you realize the client has checked out. They don't care about any of this. So you have to pay attention to your client and just ask yourself, what are the parts of this conversation the client is really interested in? And you want to give just enough detail to satisfy their interest without going into in-depth details in technology, right? Remember, the big picture of all of this is you're selling peace of mind. And if you think I'm oversimplifying that, I promise you I am not. I've been selling WordPress care plans since about 2010. So, you know, 14 years I've been selling this and doing a pretty good job of it. It's about peace of mind, folks. This is ultimately what clients buy. That's why they want a care plan. They just want to know that you are going to be there to take care of the website if something goes wrong. Some clients may have particular technical concerns to ask about. Awesome, let's get into it. But in general, they just want to know that you are someone they can trust. Buying a care plan is a trust-based decision that the client makes.
So again, throughout this, try to create analogies that the client can understand. You know, technical things can be a little hard for some folks to grasp. Nothing wrong with that, but just try to make them practical with some analogies. I'm going to give you a few throughout this.
So when we get into the first wall of protection, which is hosting: for us in my agency, hosting is included as part of our care plans. We do not manage sites that we don't host, so if you want to bring your own hosting, that's not an option for us. Now you as an agency owner can make that decision. I strongly encourage my coaching clients especially to not do this; don't have websites on lots of different platforms with hosting that's all different, where some have different requirements and the control panels are different. It's a killer for efficiency in your process. It's much better to have all the sites you host on a server that you control. Now, that's the benefit from my side. From my client's side, the benefit is what I tell clients literally: as we build your site and manage it, I want to be able to look you in the eye as a business owner and say, we're going to take full responsibility for managing your website so that you only have one person to call if there's ever a problem about anything. What we don't want to do is get into a blame game between your hosting company and what we're doing, where they might blame us, we'll blame them, and you get caught in the middle. We want you to be certain that no matter what, you have one person to call, one business to call, one neck to strangle if there's a problem, and we're going to take full responsibility. We can do that because we control the whole situation from end to end, from hosting to site. We deal with all of it. We have a private server that's optimized for WordPress and our process, which allows us to build the site efficiently for you and to manage it successfully for the long term. Now that's the way I position hosting, and in general, I don't have to do anything more than that.
Our clients in general, and honestly most clients, good clients especially, are not going to push back too much on you on hosting if you have your solution, because again, they just want someone they can trust who's gonna be there for the long term. And if you bring hosting to the conversation and you have a solution for that, it's much better for the client because they don't have to worry about it anymore. Now occasionally a client might bring up, "well, what about, you know, I get hosting on fill-in-the-blank name of the host for $5 a month or $8 a month?" I don't get that much anymore, but I used to a long time ago. And the way I would explain that situation is: look, sure, there is $5 hosting out there. You can also go on Facebook Marketplace and buy a car for $500. I wouldn't recommend either if you're serious about your business. You know, you can buy a car for $500 on Facebook Marketplace; I wouldn't put my family in it. Just like you can go and get hosting for $5 a month; I would not put my business website on it. So there are huge differences between the level of hosting that we offer on our server and what you're going to get on cheap shared hosting. Here's an analogy: shared hosting is like an apartment building where you can't control who your neighbors are. So, you know, the people next door to you on that server. And there are thousands of sites on a shared hosting platform, all sharing the same IP address. So you are at risk of misbehavior by your neighbors over which you have no control. Or you might find that your speed goes down because of what other sites on the server are doing; your system resources are unpredictable because of what other sites on the server are doing. You may find that one of the sites on that server gets compromised and they're hacked, and that server is sending out millions of spam messages every day. Well, guess what happens?
That server IP gets blacklisted on some banned list, on a spam list. And now you have problems with your deliverability because you're wrapped up on the same IP address. Hacks on other sites affect you. So it's much better, if you have a premium website and you're paying for a professional to build your website, to get professional hosting to go along with it. Don't put yourself in a situation where you're in an apartment building with neighbors who you can't control and that's going to affect your business. As we turn the page to software updates as a feature of our care plan, we're talking about WordPress core, theme and plugin updates. Now I call these software updates when I'm talking to the client so as to avoid any confusion with content updates. I found this is really important to do. The phrase "software updates" makes sense; it's something a lot of folks can relate to because we do software updates on our computers. And I found actually that when I start talking about updates, the client is thinking about, you know, adding text, adding things to their website, which we do, but that's just another conversation. So I always talk about updates using the phrase "software updates." And I explain to the client, we have a scheduled process that we do every week. It's reliable for doing software updates across all the sites we manage, so your site is going to stay secure and healthy. Now when it comes to software updates, sometimes non-technical clients don't understand why this is important. "Why would you have to do that anyway? Can't you just build a website and there it is, and it's good?" Unfortunately, no, that's not the way websites work anymore. A good analogy is the software updates on your computer. Can you just buy a computer and you're good? Well, you could. But the software on your computer has to be regularly updated because of vulnerabilities that are found.
If you're not updating your web browser to the latest version, or at least having those auto updates turned on (super important), you're gonna find yourself with a security vulnerability on your website. So people, even non-technical clients, tend to understand the software update analogy. And I'll often ask, "Okay, so be honest. How often do you ignore the software updates on your computer? Delay, remind me tomorrow, or do it next week? You know, just get rid of the thing because I'm trying to do something right now." You can't ignore it when it comes to web updates. If you ignore those software patches on your website, your site could be compromised. So, you know, what would happen if your computer gets infected? You might get malware, you might get some other things. But if your website gets infected, your business is at risk. It's a big, big deal. Now there's also the approach for semi-technical clients. Maybe some of your clients have done WordPress before, and they're familiar even with going in and hitting update and watching all the things update. And they think it's just as simple as clicking a button. And that is sometimes true. Sometimes running WordPress updates is as simple as clicking a button. But what happens when something goes wrong? And how do you know if that might happen? So if I have a client that pushes back, "I run my own WordPress updates," the question I would ask is, "How sure are you that you're going to do this regularly? Because it needs to happen at least weekly, just like Timothy said in the last hour. How sure are you that you will do this every single week without fail, when you've got a business to run?" "Oh, well, my secretary will do it." "Oh, adding that job on to someone who already has a bunch of things to do? You know, how sure are you this is going to happen regularly?" Most clients that I've talked to are not sure, so they begin to think about this. Also, do you investigate major plugin updates before you run an update?
Good grief, before we update WooCommerce on any sites, or any big plugins like that, we're looking at the developer blog, making sure that there's nothing there that might impact what's going on on that site already. You need to investigate major plugin updates before you run them. That's my opinion. So a lot of times it is as simple as just clicking a button, if you know what you're doing and what's being updated and if it's on a regular basis. And so what I tell clients like this is: listen, for a small monthly fee we're going to take care of all this for you: hosting, updates, backups, security. You don't have to worry about it at all, and you can just do your business. You don't have to think about the website; you can offload that whole piece of your business for a really small monthly cost. That is a strong sales pitch to a good client.
All right, the next part of HUBS is the backups. So in general, there are very few people these days that I've come across who don't understand the importance of backups. We get that backing up things is good; we want to have a backup of our website. So there are two key reasons that I tell our clients that we have redundant backups. The first is human error. If you, Mr. and Mrs. Client, are logging in and making updates and you break something, you don't have to worry; we have a backup from at least 24 hours ago that we can roll back to and fix anything that was broken. We also have redundant backups in the case of disaster recovery. So if your site might get hacked, and they get through all of our layers of defenses, we can roll back a backup and patch the things that need to be patched. Or, you know, let's say something happens and there's a broken update; we can roll back and get the site back up very, very quickly. So we do these redundant backups to keep the site secure just in case anything might happen. Now, hopefully you do have a backup strategy, a consistent backup strategy that you use for all the sites that you're managing in your care plans. And if the client's interested, this is a good time to explain what that backup strategy is. So we have a multi-tiered backup strategy where a hosting-level backup is our first line of defense, and we run a daily full-site backup that's stored off site with a six-month archive. That gives some clients peace of mind, and they want to know about that. But again, you have to kind of figure out, is this important to the client, how many details do they need, and give them what they need to be satisfied. All right, let's talk about security. We've been talking about security, but now security as a service. I explain that we have a multi-level strategy to keep your website secure. So security is critical when it comes to your website.
And that used to be a hard sell. These days, with all the website hacks and compromises that are in the news regularly, in mainstream news, people are more and more understanding, and this is much less of an explanation that's required, I'm noticing these days with my clients, than it used to be in years past. But we have this multi-layered strategy that we use to keep our sites secure. We provide a free industry-standard SSL certificate as long as we manage your site. You might think that's a no-brainer, but it is amazing to me how many clients come to us that are still paying annually for a security certificate. It blows me away. The industry-standard SSL has been free for years, and we provide that, of course, so sometimes we can save our clients money. So here's what I mean by layers of security. If a client wants to know more about this (again, for many clients, "we have a full strategy to keep your site secure, so you don't have to worry about it," and a lot of times that's all they need to know), if they want to know more, here's what I'll explain. We start with architecture. So I'm going to start at the core of the security and work my way out through all the layers. So the first is architecture. We're only going to use reliable themes and plugins to build your website. So many, many of the vulnerabilities that are associated with WordPress, and a lot of people say "well, WordPress isn't secure," and like Timothy said in the last hour, WordPress is very secure in the core. It's these plugins or themes that are added that are from maybe questionable sources, or developers that may not be as on top of things as others are, that's where a lot of the vulnerabilities come from. So we only choose the best themes and plugins to build your site. Then we go through, at launch, we have a 40-point lockdown (or fill-in-the-blank-number lockdown) process that we use to launch your website.
"Well, Nathan, what is your 40-point lockdown process?" Okay, go through and count the number of settings that you make in Solid Security, and if there are 40 of them, that's your 40-point lockdown process as you're launching the website, and any other changes that you make. It's a really good line to use with clients, and it's 100% true. I don't feel like this is shady at all. "There are 43 points that we go through to lock down your website using the security plugin." So the client knows this is a detailed process; there are a lot of things that are being considered in this situation. Also, now that the site's locked down, we move out to the next layer, user security. So built into the security that we have for your website, we offer two-factor authentication, passkeys, compromised-password protection, all the things that Timothy talked about in the last hour. We've got the way it's built, the way it's locked down, user security. Now on our server itself, our server, which is ours, the private server, has security protocols and intrusion detection in place. What is intrusion detection? We watch your website; our friend Tom Raef at We Watch Your Website is watching the website and seeing what's going on with anything that's malicious or of malicious intent. So our intrusion detection system is in place, and even above our server there's another layer of network protection, which we use Cloudflare for. We have network-level filtering that blocks many of the bad guys before they can even get to the server in the first place. So starting with the core and working all the way out, we've got these layers of security, with that wonderful analogy that Thomas Raef gave us yesterday of stacks of Swiss cheese, and it's going to be very difficult for any one hole to make it all the way to the bottom to let an attacker into our network. I just love that analogy. All right. So this is what we do. These are our things, what we do to keep your website safe.
Now there are also some responsibilities that you as a client are going to have in keeping your website safe, because like I mentioned, security is a partnership. We will keep the website secure, but you have the responsibility of keeping your computers and logins secure, any computer that logs into the website. So a great analogy here is that we can put the best security system in the world in your office building, but if you leave the front door unlocked, it's not going to help very much. So just like in Timothy's presentation in the last hour, there's still a large percentage of attacks that are coming right in through the front door because of user security. And so yeah, that's the part that the client really needs to take a look at. So security is a partnership: we do our part, you do your part, everything stays secure. So by the way, again, it's very, very important that your contract should explain the client's responsibilities in security, so they sign that as part of their agreement with working with you, and then maybe you have some training or a little video or, you know, a little guide that you give to them on launch that explains those things. So what do the client's responsibilities entail? What does it include? Well, the first, as we've talked about a lot through Disaster Week: good password practices are critical. So what I tell my clients is, you're going to log into the website as an editor who has the ability to edit pages; you must use a strong password, as shown by the WordPress password indicator, for any account that edits the website. This password can only be used on the website and nowhere else, and we recommend using a password manager, and we'll give them our recommendation. We as an agency use the Keeper password manager. We love it. I think it's awesome. That's the one we settled on after the LastPass fiasco a year and a half ago.
We love Keeper. We're an affiliate for Keeper, and if a client buys, you know, we have an affiliate link we give the client, and then we can share passwords easier and so forth. So I see there are a lot of great questions in the chat. If you'll put those in the Zoom Q&A, we'll get to those at the end. So good password practices: use a password manager, a complex, unique password that's only used on that website. Also use multifactor login and trusted devices. So explaining two-factor authentication and passkeys: passkeys have gotten a lot easier to use now than they used to be. Trusted devices, we've talked about that at length in Disaster Week; we've shared with you the links in the chat where Timothy walked through that whole flow of setting up a trusted device and what it looks like if a non-trusted device has intercepted your session cookie. That was a really excellent webinar, so go back and rewatch that if you haven't already. And again, Solid Security Pro makes all of this easy. So the client has to practice good password hygiene. They also need to keep their individual computers protected. So as part of our agreement in our contract, any computer that logs into the website must be protected by maintaining updated security software. So you have to have malware protection that's updated on a regular basis, and only use the latest browser versions. Make sure your browser has auto update turned on; most browsers do these days. But also your operating system and other apps on your computer all have to be up to date, because all those can be used to inject malware, which can steal your passwords or session cookie. So practice good hygiene. Keep your computer safe. Those are the two primary areas of client responsibility in website security.
All right, one last thing I want to cover today, because it's always a question and I just think this is a helpful thing: how do I price my care plan? So if I use all the products that SolidWP offers, and by the way, I hope you caught on to this, all the areas, the hub strategy, the four walls of protection, other than hosting, the products from Solid give you all that you need to offer a great care plan. So doing updates using Solid Central, putting all your websites in a dashboard so you can see an overview of what sites need updates and execute your updates there; backups using Solid Backups; security using Solid Security. All of our products are created to help you have a good, reliable WordPress management system. So what can you charge now, what should you be charging for your plans for your clients? So the one kind of rule of thumb that I give here is that the price that you can charge for your care plan is often based on the price that you're charging for the site. So here are some general guidelines. And by the way, what I mean by that is, if you're building really inexpensive websites, it's going to be very unlikely you can sell a very expensive care plan, because your customers aren't at that level. So your care plan price often depends on website build price. So this is just a basic guideline. Okay, if your typical website price is under $2,000, then you could probably have a typical care plan starting at about $50 a month, roughly. If your website price is $2,000 to $3,500, you might be able to charge around $75 a month. If you're $3,500 to $5,000, maybe $100 a month; above $5,000, maybe $150. But again, these are just guidelines and thoughts. We did a poll on this in a recent premium webinar with our members. This was about where everybody landed on what they were charging: between $100 and $150 a month for most sites that fell within this price range. And so again, this is not a rule that says you have to do it this way.
But if you're wondering, am I charging too little? Am I not charging enough? This will give you at least some guidelines as to what other folks are charging. So hopefully that's helpful. Now we have plenty of time for questions. We've covered a lot. I've been talking a lot; plenty of time for questions here, and I see that there's a bunch stacked up in the Q&A. If you've asked a question in the chat, if you would please just drop that in the Q&A, it'll be a lot easier for me to just scroll down and take those one by one. In the meantime, I will reflect back to the discount code. This should actually be "disaster week 40"; I left the 40 out there. And that gives you 40% off of all SolidWP products if you're a new customer. It is not available for renewals or to extend an existing subscription. It also doesn't work on Solid Central monthly plans. It does, however, work on the Solid Suite, which includes Solid Central. It does not work on Patchstack add-ons; if you're a legacy iThemes customer, those are done site by site. All right, so "disaster week 40" gets you 40% off of all of our things. Okay, with that, let me turn my attention to questions. And if you folks will also open up the Q&A and upvote the questions that you would like to see answered, we'll spend the next 10-15 minutes talking through some of these. All right, first question, from Dave: does the care plan pricing that I suggested include hosting? So yes, I include hosting in the care plan and in that pricing. And so what I typically recommend for folks is, depending on, you know, how technical you are, how comfortable you are with dealing with server-related things: if you're not technical, then go towards a managed WordPress hosting situation like Nexcess. You can buy a bundle of sites and put your clients into those.
If you are more technical and you're okay with, you know, a few server technical things, then get a VPS from a good, reliable web host that has excellent support, like Liquid Web, and you can stack your clients on a VPS. There's usually more profit margin on a VPS than there is on managed hosting. But I roll all that into one price and the client pays one price. Yeah, so hopefully that answers your question there. All right, next up is Sue, an upgrade question: I bought a single SolidWP license in addition to my toolkit while I decide if I want to keep the toolkit or buy another Solid license on sale; does it add to my account? No. So you would be an existing customer in that scenario. Yeah. So it does not work to extend or add to existing customer licenses; that is tied to your email address. Ah, question from an anonymous attendee: instead of me educating about the care plan, can you just create a video that talks to all your clients that are onboarding? Absolutely, absolutely. So, you know, well, okay, let me back up. First of all, talking about the care plan should be part of the sales process. Okay, so as I'm talking to the client in that first conversation, which I call a discovery call in my world, where we're talking about all the things that the website needs to do, the functionality, you know, all the factors of this project, I also have a section of that conversation in which I talk about the ongoing management of the project. There's a question in my discovery form that asks the client, I forget exactly how it's worded, it's basically "how will the site be maintained going forward?" It's more elegantly worded than that, but that's basically it, and it's a jump-off point to have this conversation about a care plan. So that education and talking about the need for a care plan, I think, best happens in a sales conversation, just the basics, right?
And what you don't want to do is, at the very end of a project, just drop it into a proposal when you've never talked about it before. You want to let the client know that the way you approach website building and management is as a holistic process. There's a cost to build the site. There's a cost to manage the site. It starts around this amount for website management, and we include that in our proposals. That's what I would talk about in the context of a sales conversation. A lot of times what you'll find, though, is that it will help you sell a website when you talk about your lifetime approach to the website, like you're not just going to build it and disappear. That's what many web developers do. I'm constantly surprised by this. They just want to build sites; they don't want to manage them. The long-term money in website work is the management. It's recurring revenue. That's what lets you stay in business for a long time. Anyway, I'm getting off down a tangent, but the education piece starts at the beginning, to introduce them to the idea of a care plan and why it's important. I think it makes a lot of sense to have a video right at site launch, when you're onboarding them out of the development process and into management: this is what our care plan covers; these, again, are your responsibilities. Having a video or a little handout, a downloadable, with that is super helpful. Yeah. All right, next up is AJ. AJ: what hosting do you use in your agency? Is it an in-house solution, or do you contract hosting companies? Great question, AJ. My goodness, I do not want to have a web server in my basement. Absolutely not. There was a day in my life where I probably thought that would have been cool, but good grief. All of the intricacies that are involved in website hosting, there's just too much. It's too much to know and be doing web and know all about web and WordPress. It's just too much to know. So my suggestion is always to have a hosting partner.
You have your sites with this host, whether that's a single managed WordPress solution like Nexcess, or a host that's more traditional that has dedicated servers and VPS, like Liquid Web. We had a dedicated server at Liquid Web for years, and we did that because the support was awesome. So if there's ever a problem, you reach out, support takes care of it, and otherwise it just works really well. So you have to decide which situation is best. Nexcess is a Liquid Web company. SolidWP is a Liquid Web company. So I'm mentioning those. There are many good hosting options out there, but I would advise you to look at Liquid Web and Nexcess to start. All right, next, from an anonymous attendee: how much time is involved in the care plan? Small monthly fee, what is it? Okay, great question. So, anonymous, let me ask you, if you could, to clarify in the chat what you mean by how much time. Do you mean how much time does it take to manage a bunch of websites? Or are we billing the clients for time? If you can clarify that in the chat, I'll try to answer it. So, the, the
I'm going to step up and put my coach's hat on here, okay. As a business coach for micro agencies, what I advise people to do, and it's what I've done for years in my agency, is you don't want to bill by the hour. Billing by the hour is no fun. You end up losing track of time; it takes forever to do. I, as an agency owner, want to be in QuickBooks as little as possible, right? And so a change that I made years ago, instead of having to just kind of track time on all these things and build little bitty invoices that I never seem to do: what I did was, when we raised our prices on care plans, I bundled in two fast tasks, built in with every plan, every month. So every client that is on a care plan has included in the care plan up to two fast tasks every month. They don't roll over; every month has up to two of them. And a fast task is something that we define as something where we can read a ticket, do the thing, and reply to the ticket in about 15 minutes. So these are things like, "hey, I'm attaching a blog post in Word, can you post this on my site?", "hey, can you add this new staff member?", "hey, can you update this wording or add a sale price to this product on my WooCommerce site?", small tasks. If a client needs more than that, then we'll increase their service level agreement to have more fast tasks. If a client asks for something that is, you know, like "build me a landing page," that wouldn't probably be a fast task, and so we would give them a flat price for that. So that would be more of a project instead of billing by the hour. Matthew's asking about what a half a fast task is, a not-so-fast task, a fast task of the past tense. So just try it. My advice as a coach is to make the billing part of your business as simple as possible. I cannot tell you, so over the years, in the last 10 years I've been coaching micro agency owners, hundreds and hundreds, maybe, you know, probably getting close to 2,000 conversations I've had over that time, maybe more.
I haven't done the math. But in those conversations, when I talk to coaching clients about the frustrations they have in their business, it almost always comes back to billing and finances and keeping all that stuff, and they've created for themselves a billing environment that is hard to manage. So simplify that billing, the whole process of billing and the way you're tracking work, and life gets a lot simpler, I promise. Okay, next up is Jeffrey: does your recommended price include hosting? Yes, so we answered that question a bit ago. Matthew: can you share the link to buy the Patchstack add-ons for legacy customers? I've been looking but I can't find it. Okay, so Matthew, since I'm broadcasting right now, I can't go back and look for that. It is like the link that I shared earlier. Well, it's in the chat; I shared it earlier and I marked it as the one that talks about Patchstack upgrades. We went through that whole process. It's in the Solid licensing portion, I believe, and you just click and it takes you to the Solid cart, and you can add licenses one at a time. Like, you can buy three or one or 52 if you want, and then you'll have that bundle of licenses, which you can then apply to an individual site. So I go through that whole thing in that livestream. If you'll just go, you can kind of scoot through the livestream and you'll find it. Thank you, Doug: it's under Security and Firewall. And again, if you have questions, just reach out to support and they'll walk you through all that. An anonymous attendee is asking how hours and billable hours are related to starting prices. So I answered that a little bit a minute ago, and whoever you are, anonymous, if there's more texture to that question, then just drop it in the chat and I'll try to elaborate more. All right, Jeffrey: what about training? Do you offer any sort of training in your package, or is that extra? That's a great question.
So Jeffrey, we have a set of training videos that we have in every site that covers basic WordPress things. If the client needs additional training, that is billable. Now, a lot of times we'll cover this in the build project. So one of the questions we'll ask in defining the scope of work is: are you going to be getting in and editing the site, or is this something we're going to do? Do you need training on how to use WordPress? If they need that training, that's an itemized addition to the scope of work that's going to affect the cost of the project. There's a cost for training, right? An hourly cost. We'll usually record that training and make it available as a video link in the dashboard. Sometimes what will happen is they'll have a new staff member come on board who didn't go to the training and doesn't know how everything works. Well, they can either watch the video that we provided or they can schedule training, but that is going to be an additional cost that they have to pay extra for. So we don't include training in a care plan package, but it's something they can purchase extra if they want to do that; it's billable. Doug: all of my clients were onboarded with a care plan some many years ago, all before Patchstack was available as an add-on. How would you approach existing clients who are on your care plan about paying more money? Great question, Doug. We should have a livestream about that. Oh wait, we did. That's that link I mentioned in the chat a little bit earlier. So that whole webinar that I talked about, that I gave that link for a little bit ago, scroll back, it's up there, about onboarding: it's all about creating additional recurring revenue with Patchstack.
So I talked in that livestream about creating an extra level of security where you charge more. It's, you know, you could probably add $10-$20 a month, and the license costs you, I think, a couple of dollars a month per site. It's a big profit center. So I talk all about that in that process there. So I would just recommend, go back and rewatch that. Jeffrey's asking, are those training videos available? No. But what I will tell you is the bundle that I use is called Video User Manuals, videousermanuals.com. There's an annual cost, and it embeds right into WordPress. It's great and even has some premium plugins in it; they have videos for all the premium plugins we use. We have a lot of sites on Beaver Builder; they have videos for those. We use Gravity Forms; they have videos for that. They have videos for WooCommerce. They have classic editor, block editor, all the things, and we just pay one fee for that every year. And those basic videos are in every site dashboard. It's excellent. Matthew: you mentioned you do coaching for agencies; is there a community forum or Slack channel for designers or web hosters that you recommend, where we can chat with peers? Absolutely, Matthew. So my favorite group, well, aside from our Solid Academy Slack group, of course, which you can get access to if you're a member of Solid Academy, is the Facebook group called The Admin Bar. It's run by my friend Kyle Van Deusen. Awesome. The Admin Bar is great. I cannot recommend it enough: thousands of WordPress folks just like us doing agency stuff with clients, they're in there. It's a brain trust. It can often be a firehose of information. But also become a Solid Academy member. All you have to have is a Solid Suite license. It starts at $199 a year, 40% off your first year. You get to be a Solid Academy member, come into office hours every week, you can ask whatever questions you want about business, about technical things, become part of the community.
There are a lot of fun folks that hang out every Thursday with me during office hours, and we have that Slack group for offline conversations as well. So check that out. Last question, from Matthew: will this webinar be archived? Absolutely. I'm dropping the link for it again in the chat. The final link there is the replay link. It takes about an hour, maybe a little longer today because it's a two-hour video; basically as long as it takes for Zoom to render that video and push it up to Vimeo, and we'll have the replay posted. So Umberto, if you are a member, reach out to Solid support and they will give you the link to join the Slack group. Matthew: so can legacy license owners be part of Solid Academy? So here's the history on that, Matthew. When you say legacy members, I'm assuming you mean like you have an older iThemes Security license, like iThemes Security Gold or something like that. So this training used to be called iThemes Training, and it was a product that sold by itself. So it was, you know, something you could purchase individually, or it was included in our toolkit, I think the Toolkit, which included a whole bunch of things. So if you only had a security license, then you wouldn't have had access to training, and you won't have access to the premium Academy. We do a lot of free Academy events also, though, that anybody has access to, but if you want access to the premium pieces of Academy, you can get that now through the Solid Suite. Any member of the Solid Suite has access to the Solid Academy. So, all right, a lot of stuff today. Any final questions, drop them in the chat and I'll try to answer those, and then we'll wrap things up otherwise.
Well, I do appreciate you hanging out with me and lasting through the last four hours of training. This has been fun. We do this at least every year, Disaster Week, where we take a lot of time and talk about WordPress security issues. We started off with a great State of WordPress Security from our friend Kathy Zant, then a great WordPress experts panel; if you missed that panel yesterday, that was quite a discussion, with a lot of insight and a lot of fun, with some really smart people in WordPress security. Go back and rewatch that; that replay is already up. And then today we had a great talk with Timothy and then the stuff that I talked about as well. Hopefully it was useful. Well, that's going to wrap it up for us for Disaster Week 2024. Again, the replay will be up later today, and if you're a member, hopefully I'll see you back here on office hours. That's tomorrow, starting at 1pm, here on Solid Academy, where we go further together.