Cleaned Isn’t Fixed

Operation Endgame’s SocGholish takedown was good news.

It was also a warning.

Law enforcement and private-sector partners disrupted SocGholish infrastructure, took down 106 servers and domains, and cleaned 14,971 compromised WordPress sites. That’s real work. Those sites were being used as part of a malware delivery chain, and removing that active abuse protected real people from real harm.

But this is the part that can’t get lost in the headline:

Cleaned isn’t fixed.

Removing injected malware from a site doesn’t necessarily change the condition that let attackers put it there in the first place. If the way in was a stolen administrator password, that password still needs to be rotated. If the way in was an unpatched plugin, that plugin still needs to be updated or removed. If an unauthorized admin account was added, it still needs to be found and deleted.

The cleanup bought time. The fix is what happens next.

The Site Was Part of Someone Else’s Attack Chain

SocGholish, also known as FakeUpdates, is a good example of why web security can’t be treated as a problem that stops at the edge of one website.

The visitor doesn’t have to know anything about WordPress. They may not even care what platform the site runs on. They land on a legitimate site, see what looks like a browser update prompt, and are tricked into installing malware.

The compromised site becomes the delivery point. The site owner’s brand, domain reputation, and visitor trust get borrowed by the attacker.

That should make every host, agency, plugin developer, and site owner pause for a second. A vulnerable site isn’t only a risk to itself. It can become infrastructure for somebody else’s campaign.

This is why the 14,971 number matters. It’s not just a count of affected websites. It’s a picture of how quickly legitimate places on the web can be turned into stepping stones when basic controls fail.

And it wasn’t the whole picture. Shadowserver’s special report covered more than 1.4 million instances of compromised WordPress sites that were available for use by SocGholish between May 2023 and May 2026. The cleanup number is the urgent operational win. The larger dataset is the strategic warning.

The Doors Were Familiar

One reason SocGholish is useful as a lesson is that the entry points aren’t mysterious.

Shadowserver’s report points to the kinds of compromise paths anyone who has worked in web security will recognize: leaked or reused credentials, password guessing, vulnerable CMS code, vulnerable plugins or themes, hosting-platform issues, third-party services, and credential-stealing malware.

That’s not exotic. It’s Tuesday.

And that should shape the response. If we treat this as a strange, one-off malware event, we miss the point. The same conditions that made those sites useful to SocGholish exist across the web every day:

  • Administrator accounts with weak or reused passwords
  • No multi-factor authentication on privileged access
  • Plugins and themes that are installed but no longer maintained
  • Unknown admin users that nobody has audited
  • Domains and DNS accounts that are trusted but barely monitored
  • Sites that are cleaned after infection but not hardened afterward

The remediation guidance from Dutch police was refreshingly practical: change login credentials, enable multi-factor authentication, delete unknown WordPress accounts, and keep WordPress, plugins, and related software up to date.

That isn’t glamorous advice. It’s the work.
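One way to turn that guidance into a repeatable check, as an added example that is not code from the original post or from any project it mentions. It assumes the inputs are the JSON that WP-CLI prints for `wp user list --format=json` and `wp plugin list --format=json`; the records below are constructed, and the list of known administrators and the incident window are assumptions the operator supplies.

```python
"""Post-cleanup WordPress account and plugin audit (added example).

Reads constructed WP-CLI JSON and produces a prioritized action list:
unknown admin accounts, accounts created during the incident window,
plugins with pending updates, inactive plugins to delete, and
credential rotation plus MFA for every legitimate admin.
"""
import json
from datetime import datetime

# Constructed sample of `wp user list --format=json` output (default fields).
USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "display_name": "Site Owner",
     "user_email": "owner@example-site.test",
     "user_registered": "2021-05-02 09:12:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "display_name": "Editor",
     "user_email": "editor@example-site.test",
     "user_registered": "2022-01-10 14:00:00", "roles": "editor"},
    {"ID": 42, "user_login": "wp_support_tmp", "display_name": "wp_support_tmp",
     "user_email": "x@mail.example-unknown.test",
     "user_registered": "2024-03-01 03:41:22", "roles": "administrator"},
])

# Constructed sample of `wp plugin list --format=json` output (default fields).
PLUGINS_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "available",
     "version": "5.0", "update_version": "5.3"},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "1.2", "update_version": ""},
    {"name": "seo-helper", "status": "active", "update": "none",
     "version": "2.1", "update_version": ""},
])

# Assumptions supplied by the operator: who is allowed to be an admin, and
# from when on the site is considered to have been exposed.
KNOWN_ADMINS = {"owner"}
INCIDENT_WINDOW_START = datetime(2024, 1, 1)


def audit(users_json, plugins_json, known_admins, incident_window_start):
    """Return a sorted list of (priority, action); lower priority runs first."""
    users = json.loads(users_json)
    plugins = json.loads(plugins_json)
    findings = []

    for u in users:
        roles = u["roles"].split(",")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and u["user_login"] not in known_admins:
            # An admin nobody can vouch for is the first thing to resolve.
            findings.append((1, f"remove or verify unknown admin '{u['user_login']}'"))
        elif registered >= incident_window_start:
            # Any account created while the site was exposed deserves a look.
            findings.append((2, f"review account '{u['user_login']}' created during incident window"))

    for p in plugins:
        if p["update"] == "available":
            findings.append((2, f"update plugin '{p['name']}' {p['version']} -> {p['update_version']}"))
        if p["status"] == "inactive":
            # Inactive code is still deployed code; remove it instead of keeping it around.
            findings.append((3, f"delete inactive plugin '{p['name']}'"))

    for login in sorted(known_admins):
        # Cleanup does not reset the password the attacker may already hold.
        findings.append((1, f"rotate password and enable MFA for admin '{login}'"))

    return sorted(findings)


if __name__ == "__main__":
    for priority, action in audit(USERS_JSON, PLUGINS_JSON, KNOWN_ADMINS, INCIDENT_WINDOW_START):
        print(f"P{priority}: {action}")
```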

AI Is Changing the Time Window

The SocGholish takedown happened the same week the Five Eyes cyber security agencies issued a joint statement about AI and cyber risk.

The important point wasn’t simply "AI is scary" or "use AI for defense." The more useful point was that AI is compressing time.

For a long time, many web security practices have assumed there’s a useful window between vulnerability disclosure and widespread exploitation. Maybe that window was weeks. Maybe it was days. It was rarely comfortable, but it was something defenders could build process around.

Patch cycles, WAF signatures, support queues, vulnerability triage, customer notifications, manual cleanup, and incident response plans all quietly depend on time.

That assumption is getting weaker.

When attackers can find, weaponize, and scale exploitation faster, the old "we’ll get to it soon" model breaks down. The Five Eyes statement is clear that leaders need to treat cyber resilience as a business issue, not just a technical one. That matters because speed isn’t only an engineering problem. It’s an operating model problem.

The statement also makes a point that should sound familiar to anyone who has worked through real incidents: more tools aren’t the same thing as better resilience. The basics still matter. They just have to happen faster and more reliably.

If your organization needs three weeks to identify exposed assets, two more weeks to decide who owns the fix, and another week to communicate clearly with customers, AI didn’t create your risk. It exposed it.

Hosts Have a Different Responsibility

For a single site owner, the advice is direct: patch, rotate credentials, enable MFA, audit users, and watch for reinfection.

For a host or platform provider, the question is larger.

It’s not enough to ask whether your customers were on this specific cleanup list. The better question is whether the conditions that made those sites vulnerable exist on your platform.

They probably do.

That doesn’t mean the platform is bad. It means shared hosting, managed WordPress, agency-maintained sites, long-lived plugins, delegated ownership, and small-business websites create a complicated security environment. A host can’t personally manage every customer’s password, plugin choice, DNS provider, and admin workflow.

But a host can shape defaults.

A host can reduce the number of unsafe choices customers have to make. It can make risky conditions visible before an incident. It can give support teams clear signals instead of vague alerts. It can build security into onboarding, account recovery, plugin management, backups, malware cleanup, and customer communication.

That’s product work, not just security work. It decides what the customer sees, what they understand, what they trust, and what they actually do.

The best security capabilities in hosting are often the ones that change the customer’s path before something goes wrong. Easy MFA. Understandable patch visibility. Plugin risk presented in plain language. Malware cleanup that includes hardening steps. Recovery that doesn’t require a customer to understand the whole attack chain while they’re already stressed.

Security at this layer has to meet customers where they actually are.

Cleanup Has to Become a System

There’s a pattern that shows up after malware incidents:

  1. Detect the infection.
  2. Remove the visible malicious code.
  3. Tell the customer the site is clean.
  4. Move on.

That may be understandable operationally, especially when support queues are full and customers want the site back online. But it’s incomplete.

A cleaned site can still be unsafe. A restored backup can still include the vulnerable plugin. A changed password doesn’t help if there are two unknown admin accounts. A patched plugin doesn’t help if the attacker owns the domain registrar account. A malware scan doesn’t help if the original compromise came from a developer’s stolen credentials.

This is where the product experience matters.

After a cleanup, the user shouldn’t be left with a vague sense that they ought to "be more secure." They need a small, specific, prioritized set of actions:

  • Rotate administrator, hosting, database, FTP/SFTP, SSH, and relevant third party credentials.
  • Enable multi-factor authentication for privileged accounts.
  • Review admin users and remove anything that can’t be explained.
  • Update WordPress core, plugins, themes, and server-side dependencies.
  • Remove unused plugins and themes.
  • Review DNS, registrar, and CDN access.
  • Confirm clean public output, not just a clean dashboard.
  • Watch for reinfection patterns over the next days and weeks.
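The last two items, checking the public output rather than the dashboard and watching for reinfection, as an added example that is not part of the original post. It assumes you fetch the page the way an anonymous visitor would (curl, a browser, a headless fetcher) and keep a copy of the HTML from a state you verified as clean; the two pages below and their hostnames are constructed placeholders.

```python
"""Public-output check and reinfection watch for a cleaned site (added example).

Lists the scripts a visitor's browser would actually load, flags external
hosts that are not on the allowlist, and diffs the current page against a
known-clean snapshot so a re-injected loader shows up as a new script.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Records external <script src> values and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(hashlib.sha256(body.encode()).hexdigest())


def collect_scripts(html):
    """Return (external script srcs, inline script hashes) found in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def unexpected_external_scripts(html, allowed_hosts):
    """External scripts loaded from hosts outside the allowlist.

    Relative and root-relative srcs have no hostname and count as same-site.
    """
    external, _ = collect_scripts(html)
    return [src for src in external
            if urlparse(src).hostname and urlparse(src).hostname not in allowed_hosts]


def new_scripts_since_baseline(baseline_html, current_html):
    """Scripts present now that were absent from the known-clean snapshot."""
    base_ext, base_inline = collect_scripts(baseline_html)
    cur_ext, cur_inline = collect_scripts(current_html)
    return set(cur_ext) - set(base_ext), set(cur_inline) - set(base_inline)


# Constructed known-clean snapshot of the public page.
CLEAN_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://cdn.allowed-example.test/lib.js"></script>
<script>window.siteConfig = {"theme": "default"};</script>
</head><body><h1>Example Site</h1></body></html>"""

# Constructed "after reinfection" page: same site plus an added external
# loader and an added inline script (placeholder content, not a real sample).
INJECTED_SNIPPET = (
    '<script src="https://fake-update.injected-example.test/update.js"></script>\n'
    '<script>/* constructed stand-in for an injected inline loader */var q=1;</script>\n'
)
REINFECTED_HTML = CLEAN_HTML.replace("</head>", INJECTED_SNIPPET + "</head>")

# Assumption: the site's own host plus the CDN it legitimately uses.
ALLOWED_HOSTS = {"example-site.test", "cdn.allowed-example.test"}


if __name__ == "__main__":
    print("unexpected now:", unexpected_external_scripts(REINFECTED_HTML, ALLOWED_HOSTS))
    new_ext, new_inline = new_scripts_since_baseline(CLEAN_HTML, REINFECTED_HTML)
    print("new external since clean snapshot:", sorted(new_ext))
    print("new inline script hashes since clean snapshot:", len(new_inline))
```

Run the same comparison on a schedule against a fresh anonymous fetch; a non-empty result is the reinfection signal the checklist asks you to watch for.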

The point isn’t to scare every small-business owner into becoming a security engineer. The point is to make the next right step obvious.

AI Helps, But It Doesn’t Replace the Basics

There’s absolutely a role for AI in defense.

AI can help defenders triage faster, spot patterns across huge volumes of signals, prioritize vulnerable assets, summarize incidents, identify suspicious behavior, and reduce the amount of repetitive work placed on already-tired teams.

That’s useful. In many environments, it’ll become necessary.

But AI on top of weak fundamentals isn’t resilience. It’s a faster dashboard for an unlocked door.

If you don’t know what you host, who can access it, which software is exposed, which plugins are abandoned, where credentials are reused, or how quickly you can recover from a bad change, an AI system has very little solid ground to stand on.

The fundamentals aren’t less important because AI exists. They’re more urgent because AI changes the speed and scale of the fight.

The Practical Lesson

The SocGholish takedown is worth celebrating. It disrupted criminal infrastructure, removed active abuse from thousands of legitimate websites, and gave site owners a chance to close the doors attackers had been using.

But the durable lesson isn’t "law enforcement cleaned the sites."

The durable lesson is that cleanup is only one phase of security.

For site owners, the next step is hardening. For hosts, the next step is turning hardening into a repeatable product and support workflow. For leaders, the next step is making cyber resilience part of business continuity, customer trust, and market confidence.

The clock starts when the malware is removed.

What happens after that determines whether the site was fixed.

Start With the Experience, Not the Feature List

Product teams love feature lists.

Features are concrete. You can estimate them, assign them, build them, and put them on a slide. They give everyone the satisfying feeling that the product is moving forward.

Unfortunately, a team can deliver every feature on the list and still build the wrong product.

The problem usually starts before the first line of code. The team begins by asking, “What should this product do?” when the better first question is, “What should the customer be able to accomplish, and what should that experience be like?”

Those questions sound similar. They’re not.

I laid out this model in a talk for the WP London Meetup in March 2025, and I’m looping back to expand on the parts that matter most when putting it into practice.

Define Success First

Before deciding how to build a successful product, you have to decide what success means for this product.

Sometimes the answer is paying customers and profit. Sometimes the product fills a gap in a larger offering, improves retention, solves a costly support problem, or makes another product more useful. Success may mean adoption, ease of use, happier customers, or some combination of those things.

Those products won’t all be built or prioritized the same way.

This matters in hosting because the industry has shifted. Customers increasingly expect a complete solution, not simply space on a server and a list of tools they have to assemble themselves. A host may build a product to generate direct revenue, but it may also build one to help customers succeed, reduce churn, or make the rest of its services more valuable.

Name the intended outcome before debating the features. Otherwise the team may deliver exactly what it planned without knowing whether any of it worked.

Features Aren’t the Product

Imagine you’re building an onboarding flow for a security product.

The feature list might include account creation, domain verification, a scan, an alert, and a dashboard. That’s enough information to describe functionality. It isn’t enough to describe a useful experience.

What does the customer understand when the first alert arrives? Do they know how serious it is? Do they know what to do next? Can they tell whether the problem has been resolved? How much expertise does the product expect them to have?

If you don’t answer those questions, the product will answer them for you, usually through whatever was easiest to implement.

That’s how teams end up with technically complete products that confuse the people they’re supposed to help.

Work From the Outside In

I use a simple sequence when planning a product:

Product planning pyramid showing Experience, Flows, Interface, Design, and Functionality, with an arrow directing planning from the top down.

Engineering may build the pyramid from the bottom up, but product planning needs to move from the experience down.

This isn’t a waterfall process. These layers inform one another, and teams will move back and forth between them. The order is about where the product gets its direction.

A pyramid is normally built from the bottom up. Products often are too. The code, databases, infrastructure, and functionality support everything above them.

Customers experience the other end of the pyramid.

They care about whether the product helps them accomplish something, whether they understand it, and whether using it feels worth the effort or money. The top may be the smallest part of the picture, but it’s the part that gives everything underneath it a purpose.

You may build from the bottom up. You have to plan from the top down.

Experience

Start with the outcome and the customer’s state of mind.

What are they trying to accomplish? What do they know when they begin? What should they understand and be able to do when they’re finished? Where are they likely to be uncertain, frustrated, or afraid of making a mistake?

This is broader than whether the product is pleasant to use. A security customer may need to feel confident that taking action won’t break their site. A hosting provider may need to understand how a product affects support volume before enabling it for thousands of customers.

The intended experience includes the practical and emotional conditions required for the product to be useful.

Flows

Once the experience is clear, map the steps that make it possible.

What starts the process? What decisions does the customer have to make? What information do they need at each point? What happens when something fails?

Flows expose assumptions early. A product that sounds simple in a feature list may require the customer to jump between systems, wait for another person, or understand terminology they’ve never seen before.

It’s much cheaper to discover that while mapping a flow than after building the interface.

Interface

The interface is the set of controls, messages, and information the customer needs to move through those flows.

This is where you decide what belongs on a screen, what needs emphasis, and what can wait. The interface should reflect the customer’s decisions, not the internal structure of the software.

Customers shouldn’t have to understand your architecture to use your product. They have their own work to do.

Design

Visual design gives the interface hierarchy, consistency, and clarity.

It matters. A lot. But visual polish can’t rescue a confused flow, and a beautiful screen can’t answer a question the product never considered.

Design works best when it has a clear job to do.

It also works best when it respects what customers already know. If nearly every table puts search and filtering at the top, that’s where people will look for them. Moving those controls somewhere more creative doesn’t make the product more innovative. It makes a familiar task harder.

There are good places to differentiate. Common interaction patterns usually aren’t one of them.

Functionality

Now the team has enough context to make better decisions about what to build.

Functionality is still critical. The difference is that it now serves an intended experience instead of defining one by accident.

Engineering should be involved throughout this process. Engineers understand the systems, constraints, and opportunities that shape what’s possible. Early technical input can prevent a team from designing an elegant fantasy.

That doesn’t mean implementation should lead the product. Feasibility should inform the experience, not silently replace it.

Build the Team Around the Questions

Different stages require different kinds of depth.

Early on, product, research, design, and engineering need to agree on the problem, the people affected, and the constraints. As the experience and flows become clearer, interaction and visual design can go deeper. As the team moves toward delivery, engineering and quality work naturally expand.

That doesn’t mean each discipline waits outside the room until its turn. Handoffs create their own problems. It means the team’s focus and staffing should match the questions that need answering.

On one product team, our user researcher also served as the UX designer. I owned quality control. Two people divided the UI work between visual design and implementation, a dedicated project manager kept the work coordinated, and a development team built the product with help from other engineers as needed.

That wasn’t the only team structure that could have worked. It fit the product and the people we had. More importantly, the responsibilities were visible. We knew who was learning from customers, who was protecting the intended experience, who was coordinating the work, and who was making it real.

Clarity should drive growth.

Research Has to Become Direction

User research isn’t simply talking to customers.

The harder work is taking what customers say, separating the recurring needs from individual preferences, and turning that information into something a team can use. Good research doesn’t hand engineering a stack of interview notes. It helps the team understand the problem well enough to make decisions.

Research should continue after the first plan. Prototypes, moderated testing, unmoderated testing, and small beta groups can show whether the product works the way the team thinks it does.

Beta groups need care. Participation fades, people get busy, and the group may need to be refreshed. That’s still cheaper than discovering after a broad launch that customers can’t find the thing you thought was obvious.

UX and UI Aren’t the Same Job

UX and UI are often treated as interchangeable labels. I don’t find that very useful.

UX is primarily an advocate for the person using the product. It focuses on research, scenarios, information architecture, flows, wireframes, prototypes, and whether the experience makes sense.

UI turns that structure into the visual and interactive system people will actually use: layout, controls, typography, color, branding, and implementation details.

There is overlap, and one skilled person may handle both. The distinction still matters because a polished interface doesn’t prove that the underlying experience is sound.

Give Quality a Clear Owner

Before the team starts building, decide who has the final say on whether the product is good enough.

Larger teams create plenty of opportunities for individual pieces to be acceptable while the whole product feels inconsistent. Someone needs the authority to say the edges are still too rough, the experience doesn’t match the intent, or the product is ready to ship.

This shouldn’t be arbitrary control or personal taste dressed up as quality. It should be accountability to the experience the team agreed to create.

Project management matters here too. Even a small team benefits when someone owns coordination, documentation, and the reasons behind decisions. That work lets specialists focus on their jobs and gives the team something to return to when the next iteration begins.

Stakeholders and marketing also need to be involved without replacing the customer as the center of the product. Product leadership includes keeping those groups informed, earning the necessary support, and translating their needs into the same set of decisions.

Plan for Change Without Moving Everything

Most products don’t end at launch.

They gain customers, new use cases, new requirements, and ideas nobody had during the first planning session. A team that plans only for version one can paint itself into a technical corner, but architecture isn’t the only concern.

Customers learn where things are.

Moving a familiar control or reorganizing a workflow can frustrate people even when the new design is theoretically better. The team may see an improvement. The customer experiences the loss of something they already understood.

You can’t predict every future feature, and trying to do so will create its own kind of overengineering. You can leave conceptual space for the product to grow. Think about where likely capabilities could fit, which parts of the experience need to remain stable, and how new work can be introduced without forcing customers to relearn the whole product.

Plan for the future without building all of it today.

Must-Haves Before Wow

Every product has a list of features that would be impressive in a demo.

Some of those ideas may become real differentiators. The danger is building them before the product has earned the right to be interesting.

Customers need the basics to work first. They need to understand the product, complete the central task, recover from mistakes, and trust the result.

The “wow” can build loyalty. The must-haves earn trust.

This doesn’t mean innovation always waits. Sometimes the differentiating idea is the simplest route to the customer’s outcome. But when a feature competes with the core experience, the core experience wins.

The balance continues after launch.

Marketing naturally wants visible features it can show in an advertisement, capture in a screenshot, and give customers a reason to talk about the next release. Those features matter.

The product also needs work that won’t earn an exciting announcement: performance improvements, confusing flows that need cleanup, maintenance, and expected capabilities that every credible competitor already has.

In a hosting control panel, activating and deactivating plugins isn’t a headline feature. It’s still something customers expect to be able to do.

On one team, we labeled roadmap work as “wow” or “must-have” and deliberately interspersed the two. The labels weren’t a scoring system. They made the tradeoff visible so the roadmap could keep the product dependable while still giving customers something new to be excited about.

A roadmap made entirely of must-haves becomes stagnant. One made entirely of wow features becomes unreliable.

A Better Starting Conversation

Before creating the feature list, get the team together and answer six questions:

  1. What does success mean for this product?
  2. Who is the customer in this situation?
  3. What are they trying to accomplish?
  4. What do they know, fear, and expect when they begin?
  5. What needs to be true for them to trust the outcome?
  6. How will we know the experience worked?

Then map the flow. Identify the decisions. Bring in the technical constraints. Decide what interface the customer actually needs. Only then turn the answer into functionality.

You’ll still end up with a feature list.

It’ll simply describe a product worth building.

Hanging My Hat at Monarx

I’m excited to share that I’ve joined Monarx as their new Vice President of Product.

For me, this feels like coming home. I’ve spent more than 25 years in the web space and over a decade working directly in hosting. Along the way, I’ve seen firsthand the challenges hosts face when it comes to protecting their customers. Security is hard, and it’s only gotten harder as threats have become more automated, more obfuscated, and more persistent.

That’s why I’m so energized to dig into security again—because Monarx is solving this problem in a way that actually works.

Monarx isn’t just another scanner or add-on. Their platform takes a fundamentally different approach: using AI and code de-obfuscation to analyze how code behaves, not just what it looks like. That means they catch things others miss—including zero-days and hidden attacks—while keeping false positives remarkably low. Even better, they’ve built it to run in the cloud, so it’s lightweight for hosting environments, and it integrates everywhere: Linux distros, control panels, you name it.

From a product perspective, that’s exciting. From a security perspective, it’s a leap forward.

What makes Monarx especially compelling, though, is how they’ve aligned their business with the hosting world. Whether a host wants to save money (through reduced support costs and server overhead) or make money (by selling security directly to customers), Monarx has built the tools, integrations, and even white-glove services to make that possible. As someone who deeply understands what both hosts and end users need, I see the potential here—and it’s big.

My role as VP of Product will be to shape the product strategy, ensure we’re building the right things the right way, and help Monarx continue to lead as the only cybersecurity platform designed for hosting companies and resellers.

It feels good to be back in the trenches of web security—helping solve one of the hardest, most important problems on the internet.

The Introvert Brain

Everyone’s brain, introvert and extrovert alike, has what I call a peak efficiency zone. When your brain is operating in this zone, it’s easy to be productive; you’re motivated, focused, thinking clearly, and getting things done. Your brain is performing like a sports car and using fuel like a subcompact. Everyone has this peak efficiency zone, but it’s not the same for everyone – it’s in a different place, if you will.

Understanding Your Peak Efficiency Zone

For me, this zone often emerges when I’m alone, surrounded by predictable or minimal noise, and reasonably relaxed. Engaging in tasks like planning, problem-solving, or coding allows me to capitalize on this highly productive state.

Others might find their peak efficiency in social settings—perhaps brainstorming with others in a bustling coffee shop, bouncing ideas off each other and feeling inspired. The ideas are creative, high-quality, and coming easily.

Regardless of where you find it, operating within your peak efficiency zone feels invigorating. But what happens when you’re outside of it?

The Stimulation Spectrum

Our peak efficiency zone lies along a spectrum of stimulation, ranging from under- to overstimulated. The optimal point on this spectrum varies for each individual. Notably, introverts tend to find their sweet spot on the lower end, while extroverts thrive with higher levels of stimulation. This isn’t just anecdotal—it’s backed by science.

Under-stimulated

When under-stimulated, you might feel lethargic, unmotivated, or mentally sluggish, even after adequate rest. It’s important to note that it’s not impossible to be productive even when your brain is under-stimulated; it just takes more effort – more energy – to force yourself to get things accomplished in spite of your lack of motivation and seemingly sluggish thoughts.

Over-stimulated

Conversely, over-stimulation can make your mind feel hyperactive yet unfocused. Thoughts race, but none settle long enough to be actionable. Again, productivity isn’t out of reach, but it requires significant energy to channel this mental chaos effectively.

The Neuroscience Behind It!

Obviously we want our brains to be operating at peak efficiency, but how? Understanding how this stimulation spectrum works in your brain is the first step. Our brains are amazingly complex but to simplify it as much as I possibly can, stimulation levels are basically controlled by two chemicals in our brain: acetylcholine and dopamine. Both are neurotransmitters, with dopamine being dominant when we are more stimulated and acetylcholine being dominant when we’re less stimulated. Together they have a heavy effect on the way blood flows through our brains which dramatically affects our ability to be productive.

Acetylcholine: The Introvert’s Ally

Acetylcholine is our brain’s default neurotransmitter, associated with focus and attention. If you’re an introvert like me, you love acetylcholine, even though you likely have never heard of it.

It’s stored in the Laterodorsal Tegmental Nucleus (go ahead, try to say that ten times fast) and travels through the Cholinergic Pathways to various areas all over the brain. For introverts, acetylcholine dominance facilitates deep thinking and sustained attention in low-stimulation environments.

Dopamine: The Extrovert’s Driver

Dopamine, often linked to pleasure and reward, becomes dominant in more stimulating situations. It’s more popular (read: widely known), which seems fitting since it’s an extrovert-favoring chemical. (Although it’s probably best known for its association with addictive drugs and behaviors, which is outside the scope of our interest in it.)

Dopamine is used in various ways all over our body, but what we care most about is that it’s created in the Ventral Tegmental Area, travels through some pathways in the brain, and arrives at the Nucleus Accumbens. This is all part of the “rewards system” in our brains (more on this to come). When the Nucleus Accumbens processes dopamine it stimulates our brains, moving us further up that stimulation scale. And in introverts, who already want to be a little lower on that scale, our Nucleus Accumbens is much more sensitive to dopamine.

Blood Flow

I said that acetylcholine and dopamine have an effect on the blood flow of the brain, and that introvert brains are more sensitive to dopamine. And this is where it gets fascinating. The difference between an introvert and extrovert brain can be physically observed by doctors and scientists! That’s right, it’s not just a preference, it’s an observable difference in your brain!

Let’s look at the extrovert first. Imagine an extrovert is relaxed – lying down, listening to calming music, reading, etc. – so that the dopamine levels in their brain are low and acetylcholine is in control. A radioactive isotope is injected so that their blood flow can be traced through their brain, and the flow looks something like this:

The flow is fairly centralized. It travels through the areas that control our senses – taste, touch, sight, sound, hearing – as well as the autonomic functions like heartbeat, breathing, etc.

Now imagine an introvert goes through this same test, with the same dopamine levels as the extrovert. The flow of blood would look more like this:

As you can see, it flows along a much longer path, all the way out to the prefrontal cortex. Now it’s flowing through the areas of the brain that control empathy, self-reflection, memory, planning, and rational thought. This is what blood flow in a brain looks like when your brain is at or near its peak zone.

Hacking The Rewards System

Understanding the brain’s reward system—especially how dopamine is involved—gives you more control than you might think. Dopamine plays a central role in motivation. It’s what pushes you to act, nudges you to try again, and gives you that “good job” signal when something goes right. But even though this is part of the “rewards system” it’s not about the actual reward—it’s about the anticipation of reward. Dopamine is released to tell you that a reward is possible and to encourage you to pursue it.

This is where things get interesting for introverts.

Because introverts are more sensitive to dopamine, we’re more likely to push ourselves beyond our peak-efficiency zone in environments where external dopamine cues are loud, rapid, or unpredictable. That could mean a chaotic office, a packed conference, or an overcrowded meeting. These settings might energize an extrovert—but for an introvert, they can quickly become draining.

One of the most important things I’ve learned as an introvert—especially one who genuinely enjoys meeting new people and learning from their perspectives—is this: every time you meet someone, there’s potential for a reward. Your brain recognizes that, and releases a bit of dopamine to encourage the interaction.

So what if you could harness dopamine on your terms?

You can. Once you understand how the reward system works, you can intentionally trigger as much or as little dopamine as you need—rewarding yourself in ways that keep you in your peak efficiency zone rather than pushing you past it.
At a conference, for example, I’ll meet and talk with as many people as I can—because that’s what I want to do, that’s the goal. But I seek out individuals or smaller groups, where the social stimulation is more manageable and the dopamine doesn’t flood in all at once. When I start to feel my energy dip or my focus fray, I’ll step away to somewhere quiet and let my dopamine levels settle. Because I’ve found that a 15-minute break followed by 45 minutes in my peak zone is far more effective than spending a full hour outside of it.

In short: when you understand how the reward system works, you stop hoping that you’ll be “in the zone” and you start navigating yourself into it—deliberately and on your own terms.

Embracing Your Neurological Blueprint

Understanding your brain’s wiring empowers you to create environments and routines that align with your natural tendencies. For introverts, this might mean seeking quiet spaces for deep work, scheduling downtime after social engagements, or engaging in solitary activities that recharge your energy.

Recognizing that introversion isn’t a flaw but a distinct neurological configuration allows you to leverage your strengths effectively. By working with your brain’s natural inclinations, instead of against them, you can better achieve the success you’re looking for.

Understanding and embracing your introverted nature isn’t just about personal growth—it’s about unlocking your full potential.


For a more in-depth exploration of this topic, watch my “Succeeding as an Introvert” and “Leading as an Introvert,”

Looking Back at 2021

Forgive me internet, for I have sinned. It has been 351 days since my last post on here. Here’s a short one on 2021 to try to get me back into the habit.

Last year was one of self-assessment and struggle for me. I’ve heard several people refer to it as a roller coaster, but I love roller coasters and can’t claim the same affection and appreciation for 2021. I can say it had a lot of ups and downs. You could take a graph of weekly average COVID infection rates in my state of Oklahoma, mirror it on the vertical, and relabel it “Aaron’s Mental Health and Happiness”. It would be alarmingly accurate.

While most of the biggest challenges of 2021 were personal for me, professionally there were some significant changes and encouraging progress as well.

Self-Assessment

Starting even before 2021, in the latter half of 2020, I took some of my own advice and sat down to write out what was important to me, what I enjoyed, and, just as importantly, what I didn’t enjoy. It was overdue. I tell people it’s a practice you should do quarterly, yet I hadn’t done it in a year – and so much had changed in that time!

Setting aside the personal and family parts of that list, because those are for me, there were a lot of similarities to years past in the things that were important to me – the open web, making enough money to provide the lifestyle I want for my family, feeling like I make a difference, helping others to succeed beyond just the company I’m at, traveling (I have to admit, I miss this), etc.

Then came the hard part – applying these things to my life to cause changes and bring my life more in line with what I want it to be. I don't think I fear change, but I'm certainly wary of it. I like to know all the things, and change makes that hard, but it was worth it.

The biggest professional change happened very early in 2021. I was tired of pushing so hard to steer a company toward embracing and building on the basic principles of the open web and to drive home the importance of open tooling and standards, especially as reorganizations began to reduce my ability to effect the change I saw was needed. I don't think I even realized how exhausting it was or how much it affected my happiness until I stepped back and eventually left.

I didn't dramatically change what I was doing, but I moved to a company that sees the importance of the open web as I do. Even considering the massive merger that birthed Newfold from EIG and Web.com, pushing toward the open web with a company full of people that are pushing in the same direction was definitely one of the better parts of 2021.

Exploring Professional Interests

The move to Newfold was strategic for another reason as well – to further distance myself from the “developer” label I’ve long been tagged with. I was absolutely a developer – for many years that was my primary marketed skill and it’s what really kick-started my career and brought me into WordPress. I still write code for personal projects and even professionally from time to time, but it’s been a while since I considered myself a developer. Breaking free of that label has been tough, but I think 2021 finally put that to bed.

There is nothing wrong with being a developer, but the skills I most enjoy employing are guiding products and the strategies around them, bridging the gap between developers and non-developers, and building and maintaining relationships. I’ve spent all of 2021 doing those very things.

I’ve been able to split my time, running product while also being involved in partnerships and acquisitions. I even went to my first ever CaboPress, and I have to say – you’d be hard pressed to find a conference anywhere that better facilitates the building of relationships.

A Happier Path Forward

Looking ahead at 2022 the thing I hope to focus on is personal happiness even with regard to my professional life. There’s a niggling little voice inside me telling me that’s selfish, but I’m working to ignore it. For me personal happiness will mean more time with family, less stress about work, and focusing on continuing to employ and improve the skills I truly enjoy.

Hanging My Hat Somewhere New

Last week was my final week at GoDaddy. It was a little over four years ago that I joined GoDaddy as a full-time WordPress contributor. I went in with a goal to help make WordPress better, and GoDaddy really empowered me to do that during my time there. It was truly great and I'm going to miss it in so many ways!

What’s Next?

I continue to be passionate about the open web and open source software, like WordPress, as a part of it. I still strongly believe that the internet is the single most effective information sharing tool in all of history, and keeping it open and accessible to all is critical to humanity’s ability to make forward progress. And I’m still as excited as I’ve ever been to be a part of that.

But I’ve also become increasingly focused on the sustainability of the open web and the open products that make it up. If you look at the time and resources required for these things to exist, it’s expensive! Which is why in successful projects like WordPress, we see so many people who are paid in some way or another to work on it. Without those people WordPress would not be where it is.

And it’s good when companies do this as a social good or as something tangentially related to what they do, but I think true sustainability here requires more than that. I want to help companies align their products and services, their success, with the health and success of open source software and the open web. I want to help build symbiotic relationships that bring sustainable, ongoing benefit to the WordPress community and the web as a whole.

Where?

I’m super excited to be joining Endurance and the Bluehost family, to do just this. Endurance has already shown their commitment to the WordPress project and community. I look forward to helping them continue to align with that commitment in an effort to build toward the sustainability of the open web.

HackerOne Update

WordPress officially launched the WordPress bug bounty program on HackerOne May 15 of this year, almost six months ago. The goal was to leverage the tools HackerOne provides to improve the quality and consistency of our communication with reporters, and to reduce the time spent on responding to commonly reported issues in order to free our team to focus more time on improving the security of WordPress as well as our sites and other properties.

Success

Since that launch, we have paid out approximately $14,000 in bounties for thirty-nine unique reports – an average of more than $350 for each valid report – from twenty-two different hackers (researchers). This part is exciting! People are helping keep WordPress secure.

Struggles

It's amazing that we've been able to resolve these valid reports (not all were eligible for bounties, some were sent swag as a thank you), but there's more to the story. Those valid reports only account for roughly 16% of the overall reports. About five out of every six reports are invalid. These invalid reports still take time to process, test, etc.

Time is always valuable, but when working with a volunteer team it can feel even more so. Dealing regularly with invalid reports not only consumes a lot of time, but can also feel extremely useless – like a lot of work for no reason. We need to continue to focus on improving this process, but I'm extremely thankful to the people on the team that work to triage on HackerOne for us.

What Now

I would say that the program has been a success so far, so we want to continue it. We are actively working to address the biggest struggle we face, which is the invalid reports that take up so much time without yielding useful results. HackerOne offers some tools that we're trying to leverage to help.

  • Common responses – building up a repertoire of useful responses that can be easily sent to reporters takes time. We hope this will pay off in future time savings, as we no longer have to write the same basic response over and over.
  • Triggers – these allow us to automatically show one (or more) of our common responses to reporters as "Are you sure?" interstitials, based upon key words in the report. Adding some of these has helped and we hope to build a good collection of them as we go.
  • Reputation – HackerOne has both a reputation and a signal rating for all users. We can limit the ability to submit reports to only hackers with a minimum signal. There is a balance here. We don't want to miss out on valid reports, but we do want to reduce the noise.

We are also working with HackerOne to find other ways we might be able to improve our processes. Stay tuned!

The Open Web Matters

The internet is no longer a toy. It is no longer used only for fun or even simply for research. It is now an integral part of people's lives, of businesses, and even of entire economies. Comedian and science advocate Bill Nye was recently speaking about his new show Bill Nye Saves the World. Asked why he thought it was so important, he said:

I want clean water for everyone on Earth; renewably-produced, reliable electricity for everyone on Earth; access to the internet, or whatever the future of electronic information is, so that everybody in the world can participate in taking care of the planet.

Bill Nye to CNN

Water, electricity, and internet. It may sound crazy, but I would argue that the science guy is right. The internet is vitally important to the future of humanity. It needs to be protected, secured, and available. This cannot happen unless it is open.

History

CERN has restored a copy of the 1992 version of the site – the earliest copy researchers at CERN have been able to find.

The internet as we know it started around 1991. Tim Berners-Lee, working with CERN, developed HTTP, HTML, and the first ever web browser. The internet was much more academic at that time and looked a lot like the pages of a research paper.

Around the same time, the Commercial Internet eXchange was trying to do something groundbreaking. They were attempting to connect the various stand-alone networks, mostly US governmental agencies, to allow traffic to be exchanged between them. The controversial thing at the time was that they wanted a no-settlement policy between the groups involved. We take this for granted, expecting to easily access any information or service on the web without caring where or how it's hosted. Imagine an internet where this wasn't the case, where you could only access a small fraction of the available sites and services.

What if Amazon were on one network, Netflix on another, Twitter and Facebook on still another, and none of those networks would talk to each other without additional usage fees? The sphere of information available to you would be incredibly different. Drastically limited. This is the kind of Internet we could experience if we don't keep the web open.

History of Modern Humans

Why is this so important? Why should I care?

To answer that we need to look at how the dissemination of information has affected the progress of humanity. Nine hundred years ago, in the early twelfth century, the French philosopher Bernard of Chartres spoke about the fast progress humans were making. He said that the moderns were like dwarves perched on the shoulders of giants (the Ancients) and thus were able to see more and farther than the latter. “And this is not at all because of the acuteness of our sight or the stature of our body, but because we are carried aloft and elevated by the magnitude of the giants.”

Never heard of Bernard of Chartres but the “shoulders of giants” phrase sounds familiar? Isaac Newton said the same thing over five hundred years later.

If I have seen further, it is by standing on the shoulders of giants.

Isaac Newton, 1675

It's easy to see Isaac Newton as a giant. He gave us calculus and Newtonian mechanics. We've used these as the basis for calculations to put people on the moon and to build skyscrapers that don't fall over. The jet engine, a thing that in and of itself has forever changed the world, uses his principles and mathematics. Because people before Isaac Newton shared their knowledge openly with him, he was able to add to it and share that knowledge with future generations, who were able to leverage it to bring the peoples of our world closer in a way they never could have been otherwise.

Where the Danger Lies

Isaac Newton built on the works of those that came before him. Everyone since has built on his works. Shared information makes this possible. It is integral to humanity's ability to make consistent and rapid progress forward. The internet is the single most effective information sharing tool in all of history.

Isaac Newton was able to stand on the shoulders of those that came before him, whose work he had access to. With the internet, access no longer needs to be a limiting factor. Distance doesn’t matter. The implications for the progress of humanity are both serious and exciting!

There are two things that we need to look at to understand the threats against this open dissemination of information that the internet provides – net neutrality and closed systems.

Net Neutrality

What is net neutrality? You hear the term used a lot, especially when people are talking about legislation affecting the internet, but what does it really mean? Net neutrality, or the Open Internet rules, covers three basic things according to the FCC:

  • No Blocking. Broadband providers may not block access to legal content, applications, services, or non-harmful devices.
  • No Throttling. Broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices.
  • No Paid Prioritization. Broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration of any kind—in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

The dangers of all these really come down to the honesty, integrity, and motivations of the people enforcing these limitations. Blocking bad/inaccurate content or throttling services that are less important to give precedence to ones that are more so, both sound fine – but who makes that decision? What group of people can decide that certain information isn’t accurate? Can that control or influence the thoughts and understandings of whole generations?

Now involve money. What happens when companies are able to pay to control the flow of information? When one drink giant pays to limit access to accurate information about their competitors while spreading inaccurate information? Or when tobacco companies can interfere with the ability of people to discover the actual risks of their products?

Free and open access to information is absolutely critical to our freedom as a people. Taking away people’s ability to make their own decisions, whether by force or by limiting access to information, is wrong.

Closed Systems

Many people easily identify the risks in the loss of net neutrality, but most miss the threat posed by closed systems. A system that you use, feed data into, and rely on that is closed source and owned by a company is a danger, whether it's Facebook, Twitter, or Instagram for your personal data or Shopify, Wix, or Salesforce for your business.

It’s not that these systems are bad, but they are certainly dangerous. When another company owns the platform you rely on, what happens when your goals or needs diverge from theirs? Companies controlling the dissemination of information is dangerous.

What Can You Do?

When net neutrality legislation is on the table, take action! Inform yourself, though; not all legislation is good. Spread the word about the dangers of a closed web. Vote with your dollars and your support. Use open platforms like WordPress and encourage others to do the same. Above all else, be aware of the danger and watch for it.

Photo credit: Barefootliam.

In Support of Stronger Passwords – Not Secret Usernames

It’s a common security report. The details vary – sometimes they find usernames through CSS classes, sometimes they’re using enumeration, sometimes it’s from a REST API endpoint – but the real problem is that the underlying logic is flawed.

WordPress has taken the stance that usernames aren’t secret.

From our handbook:

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.

Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.

Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.

Why? Because knowing a username doesn’t mean you’re halfway to compromising an account. Let me explain.

Usernames Are Public

A username is an identifier, a claim to who you are, much like your actual name. When I go to the bank to pull out cash I identify as Aaron Campbell, but then they want to verify that by looking at my driver's license or passport. That required verification is your password. I share my name with anyone, but they cannot have my verification documents. Those are mine.

Moving back to the internet, my username on Twitter is aaroncampbell and every one of my followers knows that. My username on Gmail and Facebook is aaron@xavisys.com and anyone that ever E-Mails me knows this – it even used to be on my business cards. You could discover my username on this site, but you don’t need to – it’s aaroncampbell.

Even if I didn’t have two factor enabled in all those places though, you wouldn’t be “halfway” to compromising any of those accounts. Users know they need good passwords but usernames are generally simple, easy to remember, and alphabetic or alphanumeric. To put it simply, they’re already easy to guess.

But wouldn’t keeping them secret still help? Wouldn’t having to guess both the username and password make it twice as hard? Shouldn’t WordPress help with that?

No, no, and no. And it all comes down to entropy.

Entropy

Password strength is usually referred to in terms of information entropy, measured in bits. The idea is that a password with 42 bits of entropy would be as strong as a string of 42 random bits. There can be a lot of complexity in calculating accurate entropy. Dictionary words (including ones in custom dictionaries built for the target), patterns, dates, and many other things can be used to reduce the raw entropy of a string. Best case scenario though, your password isn’t susceptible to any of those, in which case the raw entropy (H) can be calculated using this formula, where N is the number of possible symbols for each character, and L is the number of characters in the password:

H = log2(N^L) = L × log2(N)

Let's calculate the entropy of my username of aaroncampbell. It's 13 characters long (L) and each character has 26 possible symbols (N), giving H = log2(26^13) ≈ 61.1. Keep in mind that in a real-world scenario, my first and last name, along with many other words specific to me, would likely already be built into a dictionary, making this number much lower.

Given a very short (too short), ten character random password of yZ3#8gPI^0 drawn from all 95 printable ASCII characters, the entropy is ≈ 65.7 (log2(95^10)).

Assuming that you can try to crack the username separately from the password, the combined entropy is ≈ 126.8. If you instead increase the length of your password to 20 characters, its entropy alone would be ≈ 131.4. All my passwords are 50 characters, or ≈ 328.5 bits of entropy.
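The formula above carried through in code, as an added example that is not part of the original post: raw entropy for the post's username and password examples, the two added together, and how many random password characters a "secret" 13-letter username is actually worth. The character-class inference and the helper names are my own assumptions, not anything WordPress or the post provides.

```python
"""Raw password entropy, H = log2(N^L) = L * log2(N), applied to the post's examples."""
import math
import string
from typing import Optional

# Best-case symbol classes. The symbol class is the 32 punctuation marks plus
# space, so all four classes together are the 95 printable ASCII characters
# the post uses for N.
_CLASSES = (
    string.ascii_lowercase,      # 26
    string.ascii_uppercase,      # 26
    string.digits,               # 10
    string.punctuation + " ",    # 33
)


def charset_size(secret: str) -> int:
    """Return N, the size of the alphabet the string appears to be drawn from.

    Assumption (as in the post's best case): every character is chosen
    uniformly from each class that appears at least once. Names, dictionary
    words and keyboard patterns would lower the real figure; this is only
    the raw upper bound the formula describes.
    """
    if not secret or not all(any(c in cls for cls in _CLASSES) for c in secret):
        raise ValueError("only printable ASCII is modelled here")
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in secret))


def entropy_bits(secret: str, n: Optional[int] = None) -> float:
    """Raw entropy in bits: H = L * log2(N). N is inferred unless given."""
    n = charset_size(secret) if n is None else n
    return len(secret) * math.log2(n)


def combined_entropy(username: str, password: str) -> float:
    """Bits needed to guess both, when the username can be attacked on its own
    (the post's "twice as hard?" question). Independent guesses add their bits."""
    return entropy_bits(username) + entropy_bits(password)


def password_chars_to_match(bits: float, n: int = 95) -> int:
    """How many extra random characters from an N-symbol alphabet supply at
    least `bits` of entropy: the price of a secret username, in password length."""
    return math.ceil(bits / math.log2(n))


if __name__ == "__main__":
    user, pw = "aaroncampbell", "yZ3#8gPI^0"   # the post's own examples
    print(f"username  H = {entropy_bits(user):.1f} bits (N={charset_size(user)}, L={len(user)})")
    print(f"password  H = {entropy_bits(pw):.1f} bits (N={charset_size(pw)}, L={len(pw)})")
    print(f"both      H = {combined_entropy(user, pw):.1f} bits")
    print(f"20 chars  H = {entropy_bits('x' * 20, n=95):.1f} bits")
    print(f"50 chars  H = {entropy_bits('x' * 50, n=95):.1f} bits")
    extra = password_chars_to_match(entropy_bits(user))
    print(f"hiding the username is worth about {extra} extra random password characters")
```

Running it reproduces the post's figures (61.1, 65.7, 126.8, 131.4 and 328.5 bits) and shows that the whole 13-letter username is worth about ten extra random password characters.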

The Best Solution

Don’t worry about your username, but do focus heavily on your password practices. Use a password manager like LastPass or 1Password. You cannot have good password practices without a password manager. Good passwords should be long – 50 characters is what I use; random – not a “random phrase” you use, but actually randomly generated using a large character set; and unique – only used in one place.

Bonus

If you really want to secure your account, use two factor authentication (2FA). Many sites offer this option, and I personally use it everywhere I can. I use Authy as my 2FA app because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator. To add 2FA to your WordPress website, you can use iThemes Security Pro (paid), which is what I use, or Two Factor.

Website Security – Simple Steps to Take

Website security is important. We all know it. For many though, it’s a topic they prefer not to talk or think too much about. They don’t really consider it in very many areas as they build or manage their site. Why?

Security is Scary

You know you want to be secure, so you start to check out this weird security thing. Brute force? You can handle that; good passwords, limit login attempts, maybe even two factor authentication. Then you suddenly become aware of cross-site scripting (XSS), SQL injection (SQLi), cross-site request forgery (CSRF), remote code execution (RCE), and potentially so many more that you’re simply terrified. You begin to buy into “ignorance is bliss”. But website security doesn’t have to be scary.

Security is Something You Can Handle

When you start to research website security it’s easy to become overwhelmed as you’re slowly exposed to all the various forms of attacks. Each can be nuanced, complex, and confusing. The good news is, you don’t need to know how every vulnerability works in order to increase your security. Many of them can be prevented by following some relatively simple best practices. With a little added effort and by making a few smart decisions along the way, you can drastically increase your online security.

When most people think about securing their site, the first thing they think of is their password. And passwords are important. They aren’t where you should start though.

Security and Your Host

The security of your site needs to be managed all the way down "the stack". The stack is all the software that sits in layers, one on top of another, to become your website. The top of it is likely all you really interact with – WordPress and your plugins. Below that is your database, PHP, caching tools, web server software like Apache or nginx, and an operating system. There's probably also a firewall somewhere, either inside that stack or outside as a separate appliance.

Every part of this software stack needs to be properly configured, managed, and continually kept up to date. It’s integral to the security of your website. It’s also a lot of work and quite complex. Thankfully, you don’t have to worry about it if you choose a good quality host and let them worry about it for you.

Consider security when you choose a host. If you haven’t checked to see that your host has good security practices, take the time to do so. If you haven’t yet chosen a host, make sure that security is one of the things you evaluate when you do.

Choose Quality Software

Most of you are here because you use WordPress. I’m obviously biased, but I think that was a good decision for security. The WordPress security team works very hard to make sure that WordPress is as secure as possible. However, WordPress isn’t the only software you’re using to run your site.

You need to make good decisions about what plugins and themes you use as well. Did you consider security as you selected your plugins and themes? Did you look into the security practices of the companies or developers behind them? Don’t expect to find plugins or themes that have never had a security issue, but do look for those that have handled them well and have implemented good security practices into their development processes. You want quality plugins and themes with reputable people or companies that stand behind them.

Take the time to consider other software you’re using as well. Are you using a reliable and reputable SFTP client? Are you running good virus protection software on your computer? With the pervasiveness of the Internet, many modern computer viruses work to harvest login details from websites and send them to someone for later use. Learning to think about security at every step of the way, getting into the “security mindset”, will really help. You’ll start to see places that you can increase your security that you had never before realized even affected your website.

Great Password Practices

Everyone knows that it’s important to have good passwords, but what makes a password good? A good password is long, random, and unique.

How long should a good password be? I tell most people that it should be a minimum of twenty characters. All of mine are at least fifty unless the site or service has a lower limit (which usually leads to me whining lots and often reaching out to them to discuss better password practices).

What do I mean by random? Well…I mean random. Not a snippet from a poem you like, not a favorite verse, not a seemingly random combination of things you know or easily remember, and not a pattern on the keyboard. The best passwords are completely randomly generated.

Unique means that the password is only used in one place. The password to log in to my website is different from the one for my E-Mail, which is different from the one for my computer, which is different from the one for my bank, etc., etc. I don't use the same password in two places and neither should you.

How can I possibly have that many different fifty character passwords that are completely randomly generated? Do I have a super human mind? Not at all. I use a password manager. You can’t have good password practices without a password manager. I use LastPass. Lots of people love 1Password and it’s a great option as well. I don’t care which you use, but you need to use one.

This is one of those areas where you have to put in that added effort I mentioned. A password manager will take some time and effort to set up and get used to using. Eventually though, you’ll probably find that it makes things easier not harder. It’s a fantastic investment into your online security.

Two Factor Authentication

When you try to log into your site you fill in a username field. On this site for me, that’s either my E-Mail address or “aaroncampbell”. That’s me saying “I’m Aaron”. My site wants proof of that though, as it should. There are three basic ways you can prove you are who you claim to be.

  1. Something you know – A password for example. With your bank this might be a PIN. As a kid with a fort, it was a code word.
  2. Something you have – For your car, house, hotel room, etc this would be your key. “Let me in if I have this.” For your website this is probably your smartphone with an app on it.
  3. Something you are – Many phones are starting to support fingerprint access for example. Some data centers use retina scans.

Two factor authentication (2FA) simply means that in order to verify you are who you claim to be you must supply proof from at least two of these groups. For websites this is almost always something that you know – your password, and something that you have – your phone with an authentication app on it. I use Authy because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator.

There are two plugins that make it easy to add 2FA to your WordPress website.

  1. iThemes Security Pro is a paid plugin that also does many other great things for your site. If you want to invest a little money in the security of your site, invest in your host and in this plugin.
  2. Two Factor is a free plugin by George Stephanis that adds two factor authentication to your site simply and effectively.

Like your password manager, some additional effort is required for setup and to get used to it. However, the added effort here will continue forever. Every time you log into a site you use two factor authentication on, it will take you an additional fifteen to thirty seconds. It is absolutely worth it though. Using multiple factors for identity verification increases security so much that it’s honestly hard to quantify.

Bonus: Once you get used to using two factor on your WordPress website, start using it everywhere else too. I use it on GMail, Github, Slack, Amazon AWS, Mailchimp, Mandrill and more!

SSL Certificates

Encrypt all data sent between your website and the computer or device that’s accessing it with an SSL certificate (strictly a TLS certificate these days, but the old name stuck). It’s the thing that changes the URL from http:// to https:// and adds a lock and/or a green color to the URL bar of the browser to let the user know the connection is encrypted.

SSL Certificates add a visual cue to browser bars, reinforcing a user's security

At this point, there’s no reason for any site not to have an SSL certificate. They used to be quite expensive, but cost is no longer an excuse. Many hosts offer them for free, and the ones that don’t offer them cheaply. Often you can install them yourself through your control panel, but if you can’t, opening a ticket with your host should take care of it.
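Having a certificate installed is not the same as the site actually using it: visitors who type the bare domain still arrive over http:// unless the server redirects them. The following added check (example code, not from the original post) inspects two captured responses, one for the plain-HTTP URL and one for the HTTPS URL, and reports whether HTTP is permanently redirected to https:// and whether the HTTPS response carries a Strict-Transport-Security header with a meaningful max-age. The responses below are constructed samples; in practice you would paste in the output of `curl -I http://yoursite/` and `curl -I https://yoursite/`. The 180-day HSTS floor is an assumption of this example, not something the post specifies.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def parse_response(raw: str) -> Response:
    """Parse the status line and headers of a raw HTTP response (headers only,
    as printed by `curl -I`). Header names are lower-cased for lookup."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def hsts_max_age(header_value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent/invalid."""
    for directive in header_value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                return int(d.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def audit_https(http_raw: str, https_raw: str, min_hsts_age: int = 15552000) -> list:
    """Return a list of findings; an empty list means HTTPS is enforced.

    Checks: the plain-HTTP request gets a permanent redirect (301/308) to an
    https:// URL, and the HTTPS response sets HSTS with max-age >= min_hsts_age
    (assumed default: 180 days) so returning browsers never try http:// again."""
    findings = []

    http = parse_response(http_raw)
    if http.status not in (301, 308):
        findings.append(f"http: expected a permanent redirect, got status {http.status}")
    if not http.headers.get("location", "").startswith("https://"):
        findings.append("http: no redirect to an https:// URL")

    https = parse_response(https_raw)
    hsts = https.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    elif hsts_max_age(hsts) < min_hsts_age:
        findings.append(f"https: HSTS max-age {hsts_max_age(hsts)} is below {min_hsts_age}")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n")
BAD_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"

if __name__ == "__main__":
    print("good site:", audit_https(GOOD_HTTP, GOOD_HTTPS) or "OK")
    print("cert installed but not enforced:", audit_https(BAD_HTTP, WEAK_HTTPS))
```

The second case is the common one after a host installs a certificate: https:// works if you type it, but nothing sends visitors there, so most traffic stays unencrypted and the padlock the post describes never appears.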

Is Security Really That Important?

People want to know “why would anyone want to attack my website?” They think that because they don’t process credit cards or store personal information, no one would care to hack into their site.

It’s not if you get attacked, but rather how you prevent it from being successful.

There are two basic types of attacks that try to compromise sites.

Targeted attacks are the kind that people tend to think of first. A person or persons work to compromise a specific site for some sort of payout. Often they’re trying to get credit card numbers, identities, etc. They want a good payout and put in a concerted effort to get it.

The second, and far more prevalent, type is the scripted attack: programs written to crawl the internet and try to compromise sites. Pushing for sheer numbers, they look for easy-to-guess passwords, out-of-date software with known vulnerabilities, and other weaknesses that can be exploited in an automated way. Instead of a large payout from one targeted site, the script attacks hundreds of thousands or millions of sites, compromises thousands, and makes a little bit from each. These attacks aren’t only more prevalent; they are indiscriminate. Anything attached to the internet will be attacked. It’s not if, but when.
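Scripted attacks leave a recognizable trace in a site’s access log, which is the easiest way to see for yourself that the post’s “not if, but when” is literal. The following added example (not from the original post, and not tied to any particular host’s tooling) parses web server lines in the common/combined log format and flags two automated patterns: a burst of POST requests to the WordPress login endpoints (wp-login.php or xmlrpc.php) from one address, which is how password-guessing scripts look, and one address collecting many distinct 404s under /wp-content/plugins/ or /wp-content/themes/, which is how scripts probe for out-of-date software. The log lines and IP addresses are constructed samples, and the thresholds (5 login POSTs in 60 seconds, 5 distinct probes) are assumptions you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/")


def parse_line(line: str):
    """Return a dict (ip, ts, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect_scripted_attacks(lines, login_threshold=5, window_seconds=60,
                            probe_threshold=5):
    """Map each suspicious source IP to the reasons it was flagged."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        reasons = []

        # Password guessing: login POSTs packed into a sliding time window.
        logins = [e["ts"] for e in events
                  if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS]
        for i in range(len(logins)):
            j = i
            while j < len(logins) and (logins[j] - logins[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= login_threshold:
                reasons.append(f"{j - i} login POSTs within {window_seconds}s")
                break

        # Vulnerability scanning: many distinct plugin/theme paths that do not exist here.
        probes = {e["path"] for e in events
                  if e["status"] == 404 and e["path"].startswith(PROBE_PREFIXES)}
        if len(probes) >= probe_threshold:
            reasons.append(f"{len(probes)} distinct 404 probes of plugin/theme paths")

        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log (documentation IP ranges; no real traffic).
SAMPLE_LOG = [
    '192.0.2.5 - - [10/May/2026:03:13:40 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.5 - - [10/May/2026:03:13:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
] + [
    f'203.0.113.7 - - [10/May/2026:03:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1234'
    for s in range(1, 7)
] + [
    f'198.51.100.9 - - [10/May/2026:03:20:{s:02d} +0000] "GET /wp-content/plugins/plugin-{s}/readme.txt HTTP/1.1" 404 196'
    for s in range(1, 6)
]

if __name__ == "__main__":
    for ip, reasons in detect_scripted_attacks(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The legitimate visitor who logs in once is not flagged, which is the point of thresholds: the goal is to see the automated noise, not to punish a user who mistypes a password. On a real site this kind of check is what a login-limiting plugin or a host’s web application firewall does continuously.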

Make it Hard on Them

Attacks on your site will happen. You can drastically improve your security, and thus your ability to fend off these attacks, by following these best practices. They’re not overwhelming. They are all things you can do.

  • Use a Security-Conscious Host – Keeping the stack your site is built on secure helps keep your site secure.
  • Choose Quality Software – Starting with WordPress is great, but also look at your plugins and themes as well as software on the computers you use to build or access your site.
  • Use Great Passwords – Great passwords are long, random, and unique. You can only do this correctly with a password manager.
  • Use Two Factor Authentication – Two factor authentication will use something you know (password) as well as something you have (your smartphone) to verify you are who you claim to be. This is a massive leap forward in the security of your user account.
  • SSL – Every site should have an SSL certificate. Inexpensive or even free, SSL certificates encrypt all data sent between your website and the computer or device accessing it.