Breakfast Bytes - Website Security






Website Security, Strategy, and Developer Selection


How to secure a website, build a good website security strategy, and select developers.

MP3 - Website Security, Strategy, and Developer Selection



Actually own your infrastructure

  • Domain/DNS hosting
  • Website hosting
    • You are the website master account holder
    • The website developer is a technical contact on the website hosting account. They can log in and contact tech support.
    • Do not use a website hosting account owned by your web developer. You still need full, uninterrupted access to your website and its infrastructure when you decide to make a developer change.
  • Owning the website content by contract
  • Email hosting should be completely separate from website hosting


  • Select the correct CMS
  • Select the correct website hosting account
  • Own your infrastructure
  • Only use plugins, extensions, tools, and modules from developers that are maintaining them. Paid versions of tools are always better and have support. Outdated code is a breach vector.
  • Maintain documentation on the website, hosting, tools, plugins, modules, configuration, how-to procedures, troubleshooting steps, and problem resolution, and make your developer keep that documentation updated any time they do work on the website.
  • Use GeoIP blocking
  • Use autoblocking for too many unauthorized attempts on the admin page
  • Use a custom admin page
  • Whitelist the IP addresses of website administrators and allow the admin page to ONLY be accessible from those admin IP addresses
  • Use a web application firewall
  • Learn how to use a PHP file scanner
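
The admin-page allowlist and autoblocking items from the list above, worked through as a request-policy simulation. This is an added example, not code from the podcast or from any tool it recommends; the admin path, the allowlisted networks, the threshold, the time window and the sample requests are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Every value below is an assumption for illustration, not taken from the page.
ADMIN_PATH = "/administrator"   # assumed admin URL prefix
ADMIN_ALLOWLIST = [ipaddress.ip_network(n)
                   for n in ("203.0.113.10/32", "198.51.100.0/28")]
MAX_DENIED = 3                  # denied admin attempts before auto-block
WINDOW = timedelta(minutes=5)   # sliding window for counting attempts

# Constructed sample requests: ISO timestamp, client IP, requested path.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.10 /administrator/index.php
2024-01-01T10:00:05 192.0.2.44 /administrator/index.php
2024-01-01T10:00:10 192.0.2.44 /administrator/index.php
2024-01-01T10:00:15 192.0.2.44 /administrator/index.php
2024-01-01T10:00:20 192.0.2.44 /index.php
2024-01-01T10:01:00 198.51.100.7 /administrator/index.php
2024-01-01T10:20:00 192.0.2.99 /administrator/index.php
2024-01-01T10:30:00 192.0.2.99 /administrator/index.php
2024-01-01T10:40:00 192.0.2.99 /administrator/index.php
"""

def is_admin_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def apply_policy(log_text):
    """Return (decisions, blocked): one decision per request, plus blocked IPs."""
    denied = defaultdict(deque)  # ip -> timestamps of recent denied admin hits
    blocked, decisions = set(), []
    for line in filter(str.strip, log_text.splitlines()):
        ts_raw, ip, path = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if ip in blocked:                       # auto-blocked: refused site-wide
            decisions.append("blocked")
        elif not path.startswith(ADMIN_PATH) or is_admin_ip(ip):
            decisions.append("allow")           # public page, or admin from allowlist
        else:                                   # admin page from unknown address
            hits = denied[ip]
            hits.append(ts)
            while ts - hits[0] > WINDOW:        # drop attempts outside the window
                hits.popleft()
            if len(hits) >= MAX_DENIED:
                blocked.add(ip)
            decisions.append("deny")
    return decisions, blocked

if __name__ == "__main__":
    print(apply_policy(SAMPLE_LOG))
```

In the sample, the address that hits the admin page three times in fifteen seconds is blocked even for public pages afterwards, while the one that tries once every ten minutes is denied each time but never crosses the threshold.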

Websites hacked and hardening them

I learned the hard way how to harden websites and secure them from being hacked. It is something that the vast majority of web developers really do not understand. I know they don’t understand it because they aren't using GeoIP blockers, they aren't requiring MFA for site admins, and they are missing many other basic security features. Most web developers still use FTP, which sends credentials in clear text across the internet. As a result of my experience, I now do all the management for my website because I could not find a web developer that understood security as well as I did. And my website had been hacked previously due to a lack of knowledge of how to protect the site by the person I hired to do so. I also hired another developer to unhack the website. They were not able to actually fully unhack the website.

Only months of my persistent work were able to resolve the issue. The bad guys had intentionally hacked my website for the purposes of trying to use it to infect my internal systems. But I have so many layers of protection in place that the technique was not successful. So ask yourself, what do you have time for? Would you like to spend months and months as well as thousands of dollars getting unhacked, or would you opt to have a slightly longer authentication process?


CMS - Content Management System selection

There really is not much contest here if you have a website budget of under $25,000 per year, but you want it to be secured.

Read an extremely important article by an industry expert on the subject of securing websites - Nicholas K. Dionysopoulos

AdminTools available for Joomla but not WordPress - Why?

Joomla - the preferred content management system


Tools for Website Security


Admin Tools

We only recommend Admin Tools Pro. Admin Tools free version is nice to get your feet wet, but for access to the tools you really need, the pro version is required.

Akeeba Backup

It is crucial to have a solid backup and restore tool for your website that has support.

Guide on how to use WinSCP to securely FTP to your website hosting account. Note that this only works with website hosting companies that are actually capable of proper levels of security. Be sure to vet the hosting company before buying.