Strong passwords and two-factor authentication aren't optional anymore. They're the first line of defense for your business online. Here's what you need to know, and what I'll need from you.
Let me be upfront about something: I'm going to ask you to take a little bit of responsibility for your own account security. Not because it's technically complicated (it isn't), but because the most sophisticated hosting setup in the world can't protect you if someone gets your password.
The good news is that getting this right isn't hard. It just takes doing a couple of things differently than most people currently do them.
The biggest myth about passwords is that complexity is what matters. A password full of capital letters, numbers, and symbols that's twelve characters long is much weaker than a simple phrase like "purple-lamp-runway-toast." Length is what actually protects you, not character variety.
The other thing that matters just as much: don't reuse passwords. If you use the same password across multiple sites and one of those sites gets breached (which happens constantly, to big companies and small ones alike), attackers try that same password everywhere: your email, your hosting login, your banking. It's called credential stuffing, and it works.
If you're currently reusing passwords across sites, that's the most important thing to fix. A password manager (see the next section) makes it straightforward.
A password manager is software that generates and stores strong, unique passwords for every site you use. You remember one master password. The password manager handles everything else. Think of it like a locked safe with a really good memory: it knows the combination to every lock in your life, and you only have to remember the combination to the safe.
I use one every day and genuinely can't imagine doing my job without it. There are two I'd recommend:
The most polished option out there. Easy to set up, works seamlessly across your phone, computer, and browser, and has a great family plan if you want to share it at home. Starts at $2.99/month. This is what I'd recommend if you want something that just works and you don't want to think about it. 1password.com →
Open-source, independently audited, and has a genuinely useful free tier. Not quite as polished as 1Password, but it works great and the free plan covers everything most people need. If budget is a consideration, this is a solid place to start. bitwarden.com →
Two-factor authentication (2FA) means that logging into an account requires two things: something you know (your password) and something you have (usually your phone). Even if someone gets your password (through a data breach, a phishing email, or just guessing), they still can't get in without that second factor.
This is a condition of my managed hosting: all WordPress admin accounts on sites I host must have 2FA enabled. I know that sounds like a policy, and it is, but it's there because it works. I've never had a client site compromised on an account that had 2FA turned on.
Setting up 2FA takes about two minutes, and I'll walk you through it when we get to that point. The most common method is a six-digit code that refreshes on your phone every 30 seconds. Nothing complicated, and you only have to do it once per device.