Phase 9~2 hoursMedium

9.3 Security Basics

Step-by-Step

Enable two-factor authentication (2FA) everywhere

2FA is the single most effective security measure. Enable it on:

Your email account (Google/Microsoft) -- this is the master key to everything
Your domain registrar (VentraIP, GoDaddy, etc.)
Your hosting provider
Cloudflare (or whoever manages your DNS)
Google Business Profile, Google Ads, GA4, Search Console
Meta Business Manager
Your CMS (WordPress admin, etc.)
Use an authenticator app (Authy or Google Authenticator), not SMS. SMS-based 2FA can be intercepted via SIM swapping.

Use a password manager

If you're reusing passwords (most people are), fix this today:

1Password ($3/mo) or Bitwarden (free) -- both excellent
Generate unique, random passwords for every account (20+ characters)
Store all business logins in the password manager with labels and notes
Share credentials with team members via the password manager, never via email or text
Your master password should be a memorable passphrase: "correct-horse-battery-staple" not "P@ssw0rd123"

Keep everything updated

Most breaches exploit known vulnerabilities that have already been patched:

WordPress: Enable auto-updates for core, themes, and plugins. Check weekly that nothing is broken.
Plugins/extensions: Delete any you're not using. Each one is an attack surface.
SSL certificate: Ensure it auto-renews (Cloudflare handles this if you're using them)
PHP version: If on WordPress, ensure your host is running PHP 8.1+ (older versions have known vulnerabilities)

Secure your WordPress site (if applicable)

WordPress powers 43% of the web -- which makes it the biggest target:

Change the default admin username from "admin" to something unique
Install Wordfence (free) or Sucuri for firewall and malware scanning
Limit login attempts (Wordfence does this automatically)
Move the login URL from /wp-admin to a custom URL (reduces bot attacks)
Disable XML-RPC if you don't use it (it's a common attack vector)

Set up monitoring

Know when something goes wrong before your customers do:

Uptime monitoring: UptimeRobot (free, 50 monitors) -- alerts you if your site goes down
SSL expiry monitoring: Check certificate expiry dates monthly (or use a tool that alerts you)
Google Search Console: Check for "Security issues" in the left menu -- Google flags hacked sites here
Email alerts: Set up alerts for new admin users, failed login attempts, and plugin changes

If You're Breached

Don't panic, but act fast: (1) Change all passwords immediately, starting with email. (2) Contact your hosting provider. (3) Restore from a clean backup (section 9.6). (4) Check for data theft and notify affected customers if personal data was exposed (required under the Notifiable Data Breaches scheme -- and from July 2026, the small business exemption is being removed, meaning this applies to ALL businesses collecting personal information).

You're Done When

2FA enabled on all critical accounts
Password manager set up with unique passwords for every account
CMS and all plugins/themes updated to latest versions
WordPress security plugin installed (if applicable)
Uptime monitoring active
Unused plugins and themes deleted

You've read more than most agencies know.

105 hours of knowledge — or let us execute it all.

Get Your Free Audit Book a Call

Next: 9.4 Legal Compliance Checklist→← Back: 9.2 Monthly Reporting View all sections